Hi All,
Can someone briefly explain to me how this works?
OnGuard VPN (EAP-TLS Machine Cert Auth) with Health Checks (no Auth)
On the ClearPass access tracker VPN authentications always have a posture as unknown, even when the client shows health status as healthy and directly after a successful health check.
Is this happening due to the Via client's MAC address showing as 00:00:00:00:00:00 (as per the outstanding bug)?
Cheers
James
Bump.
I'm not sure what would link the authenticated client to the health check other than the MAC address, but as it's all zeros... How would this work?
Sorry for the delay. When using OnGuard with VPN, you need to do Health Checks with Authentication.
Hi Tim,
Thanks for the reply. I'm authenticating using a TLS machine certificate (no authorization) and doing domain pre-connect. In this scenario, if I enabled health check with auth, would it work, or would I also need to enable authorization on my EAP-TLS authentication method?
Reason for asking is, in my scenario, using health check with authentication would mean CPPM would see 2 authentication requests. 1 would be from the machine for VPN auth and the other from the user for health check auth. Would CPPM know the health check authentication was from the same device as the machine-based TLS auth?
Just to add a bit more detail.
Here's a successful healthy posture.
Immediately (9 seconds later) followed by my Via authentication:
So my posture was healthy, then it was unknown.
I have cached roles and posture enabled.
FYI this configuration is not supported.
The username in the certificate needs to match the username in the health check, so only a user certificate will work with health checks with authentication.
Currently, machine-based certificates don't work with health checking.
© Copyright 2024 Hewlett Packard Enterprise Development LP. All Rights Reserved.