Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

OnGuard - "Use cached roles" Grayed out

  • 1.  OnGuard - "Use cached roles" Grayed out

    Posted Mar 04, 2018 07:12 PM

    Hi,

     

    Edit: forgot to mention I am running the latest 6.7.

     

    Pretty new to OnGuard, I am trying to configure it. As far as I understand, the authentication flow would look something like this:

     

    - Client connects and authenticates using dot1x. Because posture is "unknown", the client is placed in a "staging" VLAN.

    - At this point the client has an IP and can connect to ClearPass.

    - OnGuard agent detects it's on the network and sends posture information to ClearPass. At this point ClearPass knows whether the client is Healthy or whether it should be quarantined.

    - ClearPass OnGuard action is to bounce the port so that the client is forced to reauthenticate, this time with the cached information from the posture.

     

    Problem is within the Webauth service that has the posture enabled: I cannot enable "Use cached roles and posture attributes", it is greyed out, therefore the client posture is always unknown.

     

    Any ideas?

    Thanks

     



  • 2.  RE: OnGuard - "Use cached roles" Grayed out

    Posted Mar 04, 2018 08:50 PM
    Under the cluster-wide parameters, try changing the default (default value is 5 minutes) policy cache timeout.





    Thank you

    Victor Fabian

    Pardon typos sent from Mobile


  • 3.  RE: OnGuard - "Use cached roles" Grayed out

    Posted Mar 04, 2018 08:53 PM

    Thanks!

    So no matter whether the service has that enabled, it will cache the client for 5 minutes by default?



  • 4.  RE: OnGuard - "Use cached roles" Grayed out
    Best Answer

    Posted Mar 04, 2018 09:02 PM
    By default it is set to 5 minutes, but you can increase it. You should also
    consider having the agent send a keep-alive periodically (under Global
    OnGuard Settings), and if the posture is healthy from a known device then
    don't bounce the port, and if it is unhealthy then bounce the port.


  • 5.  RE: OnGuard - "Use cached roles" Grayed out

    Posted Mar 05, 2018 10:24 PM

    Thanks. For some reason, the documents I have found all point to ticking that box in the webauth, although maybe in 6.7 that is not the case; it works anyway.