
Onguard Persistent Agent

  • 1.  Onguard Persistent Agent

    Posted Nov 05, 2014 02:56 PM

    Hoping someone here can help. I am building a PoC for Onguard and I am stuck on getting it to work using the persistent agent.

     

    First, when using the persistent agent, the OnGuard agent requires credentials (userid and password). I thought it would happen automatically based upon the 802.1X credentials already supplied. Not sure if this is the correct behavior or not.

     

    Ignoring the first step and entering credentials into the OnGuard application, if I only have a “Web-Based Health Check Only” service configured, the client receives an authentication failure and CPPM logs it with an “AuthSources not configured for service=CPPM Health Check”. If I create a Web Auth service, the OnGuard agent authenticates correctly, but then receives a “Health Check failed. Invalid or Empty response received from server.” My impression was that only the dissolvable agent required a web authentication service, the PA did not. Is this a correct assumption?

    Anyone with ideas where my wires might be crossed?



  • 2.  RE: Onguard Persistent Agent

    Posted Nov 05, 2014 03:18 PM

    How have you configured the role that the client lands in?

     

    You need to make sure you allow the following:
    https/http to CPPM

    TCP 6658 to CPPM

     

    You can just build a web-auth only service 

    2014-11-05 15_08_15-ClearPass Policy Manager - Aruba Networks.png

     

    Create your Posture policies

    2014-11-05 15_08_24-ClearPass Policy Manager - Aruba Networks.png

    And then create enforcement policies matching the OnGuard posture, either "healthy" or "unhealthy", and then apply an agent enforcement profile that will bounce the agent or do an Aruba terminate session (if you are using an Aruba solution).

    Note: Make sure that you are using a client that is supported by your Posture Policy and is also supported by the OnGuard Agent itself.

     

    2014-11-05 15_10_18-ClearPass Policy Manager - Aruba Networks.png



  • 3.  RE: Onguard Persistent Agent

    EMPLOYEE
    Posted Nov 05, 2014 03:22 PM
    Do you have the posture checkbox enabled in your service?


  • 4.  RE: Onguard Persistent Agent

    Posted Nov 05, 2014 03:45 PM

    Under the Web-based Health Check, posture is enabled. Under the 802.1X service it is not.



  • 5.  RE: Onguard Persistent Agent

    Posted Nov 05, 2014 03:50 PM

    One of the key things that you use the agent enforcement profile for is to CoA the device so that it can then get the right access based on the agent posture in the 802.1X service:

     

    2014-11-05 15_46_52-ClearPass Policy Manager - Aruba Networks.png

     

    As you can see here in the 802.1X I have different rules that apply an Enforcement Profile (Send a User-Role) based on the Posture 

     

    2014-11-05 15_48_28-ClearPass Policy Manager - Aruba Networks.png

     



  • 6.  RE: Onguard Persistent Agent

    Posted Nov 05, 2014 06:17 PM

    Victor,

    I have set up my services to resemble what you posted, but I am still stuck with my first two questions asked. Do I need to create a web authentication service for the persistent agent and should the OnGuard auto login?



  • 7.  RE: Onguard Persistent Agent
    Best Answer

    Posted Nov 05, 2014 06:35 PM

    You need two services:

    - 802.1X Service
    - Web-based Health Check Only

     

    On the Onguard settings set it to just do Web Auth and No auth

    2014-11-05 18_34_01-ClearPass Policy Manager - Aruba Networks.png



  • 8.  RE: Onguard Persistent Agent

    Posted Nov 05, 2014 06:39 PM

    Thanks a bunch for your help.  That was the piece that I was missing.



  • 9.  RE: Onguard Persistent Agent

    Posted Nov 05, 2014 03:45 PM

    The client lands on an inside role, so no issues between the client and CPPM (I did adjust the IP address in agent.conf to reflect the mgmt. interface of CPPM).

     

    The first two screenshots (Summary and Posture) are the same as what I have. The last one has me confused. Could you post a capture of the Health-agent-profile profile? Is the intent of this profile to place the client in the correct user-role on the controller, or will the client reauthenticate and then be placed in the correct user-role based upon an 802.1X service?