Frequent Contributor II

Need some help on Onguard.

Hi Folks,

I have a small request,

I want to test onguard in my lab, can someone give me some suggestion or some document to do it from scratch. I am a newbie in clearpass, so I need a doc which describe the process from scratch.


Laptop user will connect to 802.1x or captive portal enabled wired port,

Clearpass will check if the windows firewall is enabled or not.

If enabled then the user will get full access if not then user will move to a quaruntine  VLAN.



Guru Elite

Re: Need some help on Onguard.

Have you considered using a partner? OnGuard can be tricky to set up the first time.


| Tim Cappalli | Aruba Security | @timcappalli | |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Frequent Contributor II

Re: Need some help on Onguard.

Thanks Tim for your respose.

As I said I want to test in my LAB environment with minimal requirement. Like windows firewall is on/off device is windows 7 or  not.

I just want to clear my concept on this.

Please help.

Frequent Contributor I

Re: Need some help on Onguard.

we have been using Onguard in the lab for awhile and are in the process of deploying it to prod. I'll see what I can string together
Frequent Contributor I

Re: Need some help on Onguard.

Here is a quick and dirty procedure to get you up and running. Hope this helps:


  1. Define Health Posture Policy
    1. Under Configuration -> Posture -> Posture Policy, click Add. Name the policy, select the Onguard agent, and select your Operating System. Under the Posture Plugins tab, select the checkbox for the “ClearPass Windows Universal System Health Validator”. Click Configure.
    2. Select Windows 7 on the left, and then determine what you want to check for. In your example, select Firewall and check the for Enable checks for Windows and “A firewall application is on”. Save the configuration.
    3. Under the Rules tab, select the conditions to match for. Generally, it is best practices to use two states: Healthy and Quarantine. Define Healthy as “Passes all SHV checks” and use the Health Validator plugin. Define Quarantine as “Fails one or more SHV checks”.
    4. Save the policy.
  2. Define Posture Enforcement Policy
    1. Under Configuration -> Enforcement -> Policies, click Add. Name the policy and select the WEBAUTH enforcement type. Select [RADIUS_CoA][Aruba Terminate Session] as the Default Profile.
    2. Under the Rules tab, define three condition rules, selecting the first match:
      1. If Tips:Posture EQUALS HEALTHY, Actions: [Aruba Terminate Session], [Cisco – Terminate Session]
      2. If Tips:Posture EQUALS QUARANTINE, Actions: [Aruba Terminate Session], [Cisco – Terminate Session]
  • If Tips:Posture NOT_EQUALS HEALTHY, Actions: [Aruba Terminate Session], [Cisco – Terminate Session]
  1. Save the policy.
  1. Define Health Authentication Service
    1. Under Configuration -> Services, click Add. Select the type as “Web-based Health Check Only”. Select the Posture Compliance check box. Under Posture, select the Posture policy previously defined. The default posture token should be “Unknown.” Under the Enforcement tab, select the previously-define enforcement policy.
    2. Save the service.
  2. In your Dot1X service, under the Enforcement tab, ensure that the “Use Cached Results” checkbox is checked.
  3. Download the Onguard agent. The installer file can be found under Administration -> Agents and Software Updates -> Onguard Settings.
  4. Once the agent is installed, health check authentications should now use the newly-define service.
  5. You may now use the posture status in the Dot1X enforcement policy. When the Health auth terminates the session, the results will be cached and can be used in enforcement to assign new user role, VLAN, etc.
Frequent Contributor II

Re: Need some help on Onguard.

Hi efisher214,


Thanks a ton for the response.

I tried the same you mentioned, but getting error when doing WEB_Auth.

My system is sending credential while in CPPM web-auth no auth source configured..


ONG_Access_traceker error.jpg

Frequent Contributor I

Re: Need some help on Onguard.

 Are you sure you selected Web-Based Health Check only service template? There should be only one condition: Type=Host, Name=CheckType, Operator=MATCHES_ALL, Value = Health


This template should not require any authentication source configured. In addition, the username that you should see in the access tracker should be the mac address of the endpoint with the agent installed.

Search Airheads
Showing results for 
Search instead for 
Did you mean: