Enable OnGuard Agent Auto Installation

Hi experts,

I want to use the OnGuard feature to check if the users are healthy or not when they access the network. My objective is to enable the automatic installation of the OnGuard Agent if the clients don't have the OnGuard Agent when they first connect to the network. In order to achieve that, I have created a service with this enforcement policy:

service.png

Obviously, I also have the WEBAUTH service which returns the token.

When the client doesn't have the OnGuard Agent the token is Unknown and ClearPass matches the Limited Access Profile, which sends a RADIUS accept and a "guest" attribute to the NAD:

limited_access_profile.JPG

Then I have created the "guest" role in my Instant Cluster, which has a captive portal profile which redirects to the Web Login Page which allows users to download the OnGuard agents, since I have checked the Require a successful OnGuard agent health check checkbox.

Then, in my IAP the guest role I have created looks like this:

guest_role.png

And the captive portal profile attached to it looks like this:

guest_role.png

With all this, when the client without OnGuard Agent first connects to the network, it gets the guest role and correctly opens the Web Login Page, but after logging in, the browser gets stuck. I have checked in the access tracker and the sequence is like this:

access_tracker1.PNG

Entry 2 is my service which returns the guest attribute to my IAP, but I don't know why I get entry 1, which I get because I need a service. If I open this entry I see this:

access_tracker2.PNG

Which service do I need?

Regards,

Julián

Guru Elite

Re: Enable OnGuard Agent Auto Installation

Why is the user logging in to download the agent when they have already authenticated to the network?

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.

Re: Enable OnGuard Agent Auto Installation

Hi Tim,

It is because it is the default of the Web Login Page. It is not necessary, as you say, but because I thought this was not a problem, I wanted to optimize the Web Login Page later. However, when I changed the Pre-Auth Check field to "None - no extra checks will be made", the clients start to download the OnGuard Agent. Then, I wanted to totally remove this authentication and changed the Authentication field to "Auto - Do not require a username or password and automatically submit the page", but I got the following warning:

warning.PNG

Here, I was entering some non-existing users to get rid of this warning, but another warning appeared which says here I have to enter a valid ClearPass local account and set the Pre-Auth Check to "Local - match a local account". What is this? Why do I need it?

Regards,

Julián

Guru Elite

Re: Enable OnGuard Agent Auto Installation

Don’t use a web login. Use a regular web page.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |


Re: Enable OnGuard Agent Auto Installation

Hi Tim,

But when I want to create a Web Page, there is no "Require a successful OnGuard agent health check" checkbox:

web_page.png

Regards,

Julián

Guru Elite

Re: Enable OnGuard Agent Auto Installation

The goal is to provide the agent to download, correct? Just create links to the agent downloads. The web login functionality is the dissolvable agent.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |


Re: Enable OnGuard Agent Auto Installation

Yes, you are correct. Two things:

  1. When you say "create links to the agent downloads", do you mean to enter the URL of the agent installers instead of the URL of the Web Login Page in the external captive portal profile of my IAP? Please confirm. I tried that some days ago but failed (although I have to put more time into that) and for that reason I was trying with the Web Login Page way.
  2. In relation to "The web login functionality is the dissolvable agent.", the "Technical Note - ClearPass OnGuard Configuration Guide" says "That will link the page to Login Page that will allow the user to download the Dissolvable agent" and later says "This page can be edited for the desired look and feel. Links can also be added to allow the user to download the persistent agent.". Does the last sentence mean to create links to the agent installers as well?

Regards,

Julián

Guru Elite

Re: Enable OnGuard Agent Auto Installation

1) No, create a new Web Page in Guest, not the IAP, and create links to the installers

2) No, ignore all of that if you're using the persistent agent


| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |


Re: Enable OnGuard Agent Auto Installation

Ok, I will try option 1 and let you know.

Many thanks,

Julián


Re: Enable OnGuard Agent Auto Installation

Hi Tim,

I have tried option 1 and the auto installation works very well. However, now I face this issue. After the installation of the OnGuard Agent, the client (laptop) and/or OnGuard Agent cannot reach ClearPass, so it gets stuck there:

agent.png

I don't know if I have to add some more rules to my guest role:

guest_role1.png

If I disconnect and connect to the network again, because the OnGuard Agent has not communicated with ClearPass yet, the token keeps being Unknown, and then the service matches the Limited Access Profile again, which sends a RADIUS accept and a "guest" attribute to the NAD once again, which causes the web page to download the agent installers to load again. What am I missing?

Regards,

Julián