Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

OnGuard extend scan intervals / cache

  • 1.  OnGuard extend scan intervals / cache

    Posted Feb 27, 2014 09:26 AM

    How can I extend the OnGuard posture token to, say, 2 weeks? 

     

    Currently the default posture is unknown and I have the rule if unknown then send to remediation vlan. That works. The agent scans, gets a healthy token and bounces the NIC (the NAD doesn't support CoA). But this happens on every auth. So it takes 20-30 seconds to connect to the network to go through that process. If I could extend the policy cache value to 2 weeks, then that "bounce" process would only happen every 2 weeks. 

     

     



  • 2.  RE: OnGuard extend scan intervals / cache

    Posted Feb 27, 2014 09:36 PM
    Yes, there is a value under server config parameters that you need to increase. Default value is 5 min. I'll post tomorrow if someone does not beat me to it.


  • 3.  RE: OnGuard extend scan intervals / cache

    EMPLOYEE
    Posted Feb 27, 2014 11:38 PM
    There have been some added features on this and I will try to post some information and slides from the latest TOI this Friday.


  • 4.  RE: OnGuard extend scan intervals / cache

    Posted Feb 28, 2014 09:13 AM

    This is the value we changed to get our value to one week.

    OnguardCache.PNG



  • 5.  RE: OnGuard extend scan intervals / cache

    Posted Feb 28, 2014 02:12 PM

    That it is possible doesn't mean you should do it. Personally I wonder how useful OnGuard is when you cache the result for one or two weeks. A lot can happen in one week; doesn't this give you a false sense of safety?



  • 6.  RE: OnGuard extend scan intervals / cache
    Best Answer

    EMPLOYEE
    Posted Mar 01, 2014 01:39 AM

    So there are two parts to this.

     

    1. If you cache the scan, that just means that Policy Manager will continue to let you on until its required check-in time.

     

    2. That being said, if you don't have auto remediation turned on, yes, that will open you up to issues if someone is out of compliance, but again 2 parts to that :)

     

    • A. Even if the cache is turned on, it doesn't mean that is the only time OnGuard runs. The service does constantly run and looks for compliance. That is just when the full scan is run.

     

    • B. And if auto remediation is turned on, it will put most items back into compliance (update DAT file, start and stop services, etc.).

     

     

    For example, in my lab (which is a simple test that you can run) I have OnGuard looking for notepad.exe, and if I start Notepad it will automatically close the program.

     

    screenshot_01 Mar. 01 00.33.gif



  • 7.  RE: OnGuard extend scan intervals / cache

    Posted Mar 03, 2014 06:43 AM

    Thanks guys. I understand the implications of caching posture tokens for extended times and have explained that to the end users. They would like to err on the side of usability. 

     

    The real issue is their device doesn't support any kind of CoA or ability to re-auth the session, so you have to use the agent bounce and then you obviously lose connectivity no matter what. This happens on every session. Maybe there's a better way to do this? I don't have screen caps and I'm not onsite now, but here's my logic in the service:

     

    If computer AND posture NOT EQUALS healthy --> quarantine VLAN enforcement profile

     

    OnGuard web service

     

    If SHV passes all checks --> posture = healthy --> Agent bounce enforcement

    If SHV fails one or more --> posture = quarantine --> Agent bounce enforcement

     

    I'll get some screen caps tomorrow when I'm back onsite but is there a better / recommended way to do this?

     

     

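To make the trade-off in posts 5 to 7 concrete, here is a small added model of the flow described above (not ClearPass code and not anything the posters wrote): a posture-token cache with a timeout, the service rule "computer AND posture != healthy -> quarantine VLAN", an OnGuard scan that issues a healthy or quarantine token, and an agent bounce on every scan because the NAD has no CoA. It then runs one connection per day for two weeks under the default 5-minute cache and a two-week cache, with an optional "drift" day on which the endpoint silently goes out of compliance, and an optional auto-remediation flag. The MAC address, the VLAN names, the daily schedule and the assumption that the drift is something auto-remediation can fix are all constructed for the example.

```python
"""Constructed model of the OnGuard posture-cache / agent-bounce flow from the thread.

Not ClearPass's implementation; names, VLANs and the schedule are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

HEALTHY, QUARANTINE, UNKNOWN = "healthy", "quarantine", "unknown"
DEFAULT_CACHE = timedelta(minutes=5)   # default posture cache timeout per post #2
TWO_WEEKS = timedelta(days=14)         # the value the original poster wants


@dataclass
class PostureToken:
    posture: str
    issued_at: datetime


@dataclass
class Endpoint:
    mac: str
    compliant: bool = True            # what a real OnGuard scan would find right now
    token: Optional[PostureToken] = None


@dataclass
class PolicyManager:
    cache_ttl: timedelta              # the server parameter raised in post #4

    def cached_posture(self, ep: Endpoint, now: datetime) -> str:
        """Cached posture, or UNKNOWN once the token is older than the cache TTL."""
        if ep.token is None or now - ep.token.issued_at >= self.cache_ttl:
            return UNKNOWN
        return ep.token.posture

    def connect(self, ep: Endpoint, now: datetime):
        """One connection. Returns (vlan, bounced)."""
        if self.cached_posture(ep, now) == HEALTHY:
            return "prod-vlan", False           # token still valid: no scan, no bounce
        # Rule from post #7: computer AND posture != healthy -> quarantine VLAN.
        # OnGuard then scans from the quarantine VLAN and issues a token.
        result = HEALTHY if ep.compliant else QUARANTINE
        ep.token = PostureToken(result, now)
        # No CoA on the NAD, so both outcomes end in an agent bounce and re-auth.
        vlan = "prod-vlan" if result == HEALTHY else "quarantine-vlan"
        return vlan, True


def simulate(cache_ttl: timedelta, days: int = 14, drift_day: Optional[int] = None,
             auto_remediate: bool = False) -> dict:
    """Connect once a day for `days` days.

    drift_day:      day on which the endpoint goes out of compliance (e.g. AV stopped).
    auto_remediate: model of post #6 B: the always-running agent restores compliance
                    before the next connection (assumes the drift is remediable).
    Returns the number of agent bounces and the number of daily sessions in which a
    non-compliant endpoint still landed on the production VLAN via a cached token.
    """
    pm = PolicyManager(cache_ttl)
    ep = Endpoint("00:11:22:33:44:55")          # constructed MAC
    t0 = datetime(2014, 3, 1, 8, 0)             # constructed start time
    bounces = exposed = 0
    for day in range(days):
        now = t0 + timedelta(days=day)
        if drift_day is not None and day >= drift_day:
            ep.compliant = auto_remediate       # drifted, unless the agent fixed it
        vlan, bounced = pm.connect(ep, now)
        bounces += int(bounced)
        if vlan == "prod-vlan" and not ep.compliant:
            exposed += 1
    return {"bounces": bounces, "exposed_sessions": exposed}


if __name__ == "__main__":
    for label, ttl in (("5 min cache", DEFAULT_CACHE), ("2 week cache", TWO_WEEKS)):
        print(label, "no drift:      ", simulate(ttl))
        print(label, "drift on day 3:", simulate(ttl, drift_day=3))
        print(label, "drift + remed: ", simulate(ttl, drift_day=3, auto_remediate=True))
```

The numbers make the posters' points: with the 5-minute default every daily session re-scans and bounces (14 bounces), but a device that breaks on day 3 is caught the same day; with a two-week cache there is a single bounce, and a device that breaks on day 3 rides its cached healthy token onto the production VLAN for the remaining 11 sessions unless the agent's continuous check and auto-remediation put it back into compliance.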


  • 8.  RE: OnGuard extend scan intervals / cache

    Posted May 13, 2014 10:30 AM

    Troy - will OnGuard actually kill a process if it's running? I have the same policy configured and it only notifies the end user and doesn't actually stop the process. 



  • 9.  RE: OnGuard extend scan intervals / cache

    Posted Mar 18, 2015 01:27 PM

    Troy,

     

    I'm doing some research on this subject. Are there any improvements with the OnGuard cache and how the agent communicates to Clearpass in 6.5? 

     

    I'm with a current customer right now that is hesitant to raise the cache, but also doesn't like how the agent becomes unknown after a small amount of time.

     

    Any thoughts if 6.5 can help fix this problem?

     

    Thanks for your time!

     

    -Mike