In order for OnGuard to communicate with ClearPass so that a posture classification can be obtained, the client needs an IP and needs to be able to reach ClearPass; at the same time the client should not be able to access the rest of the network.


This means that I need to create a VLAN to assign to endpoints when they first access the network and then bounce the port once the posture has been established (or not, if the client does not have OnGuard), to then force a different VLAN. Is this the correct way of doing it, through something like a quarantine VLAN?


In some instances, when the client would access the network, OnGuard would sit there doing nothing for what seemed like forever. I don't understand what the criteria are by which OnGuard triggers the collection of the posture, because if I have a random client hanging there with OnGuard doing nothing, ClearPass would leave the client in the quarantine. Most of the time though, as soon as the network connection is established, OnGuard kicks off the posture check immediately.


This is very scary as I will need to roll this out to a couple of hundred endpoints...


Thanks in advance.

Can you please provide more details of what your issue is and how you are treating (enforcement) the device when it doesn't meet the posture requirements?

Is this for wired or wireless? If Aruba Wireless, you can just utilize the user-roles to enforce network access whether they are posture healthy, unknown, or quarantined. If unknown, when they go through the posture check and pass or fail, ClearPass sends a CoA to the controller and can move them into a different role until remediated. If you wanted, the quarantined role can also have another VLAN, which still allows DHCP, DNS and access to update or install required items to become healthy. If wired, it works the same way. You can use dACLs to enforce only ClearPass access if unknown; if healthy, bounce and no dACL; if quarantined, bounce and quarantined VLAN. Either way, you need to make sure CoA (RFC 3576) is working between them. You can test it in Access Tracker. Click on an active log, and I think the button is "server actions" or something like that. See if it lets you bounce the client.
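The CoA step the answer above relies on is a RADIUS CoA-Request (RFC 3576, now RFC 5176) carrying the new role; the NAD only honours it if the Request Authenticator validates under the shared secret, which is what breaks when CoA is "not working". The following is an added example, not code from the thread or from Aruba/ClearPass: it encodes a CoA-Request with a Calling-Station-Id and an Aruba-User-Role VSA (vendor 14823, sub-type 1), then performs the same authenticator check a NAD does. The shared secret, MAC address and role name are constructed sample values.

```python
import hashlib
import hmac
import struct

COA_REQUEST = 43          # RADIUS code for CoA-Request (RFC 5176)
ARUBA_VENDOR_ID = 14823   # IANA enterprise number for Aruba Networks
ARUBA_USER_ROLE = 1       # Aruba VSA sub-type carrying the user role name


def attr(atype, value):
    """Encode one RADIUS attribute as Type, Length (header included), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def aruba_user_role(role):
    """Vendor-Specific (26) attribute wrapping Aruba-User-Role."""
    vsa = struct.pack("!I", ARUBA_VENDOR_ID) + attr(ARUBA_USER_ROLE, role.encode())
    return attr(26, vsa)


def build_coa_request(secret, ident, attrs):
    """CoA-Request: Request Authenticator = MD5(header + 16 zero bytes + attrs + secret)."""
    header = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_coa_request(packet, secret):
    """The check a NAD performs before acting on a CoA: recompute the authenticator
    with its own shared secret; a mismatch (wrong secret, tampered packet) is dropped."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attrs(payload):
    """Decode the TLV attribute list into (type, value) pairs."""
    out, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload) or payload[i + 1] < 2 or i + payload[i + 1] > len(payload):
            raise ValueError("malformed attribute at offset %d" % i)
        out.append((payload[i], payload[i + 2:i + payload[i + 1]]))
        i += payload[i + 1]
    return out


# Constructed sample: move the client with this MAC into a 'quarantine' role.
SECRET = b"lab-shared-secret"   # constructed value, not a real secret
ATTRS = attr(31, b"00-11-22-33-44-55") + aruba_user_role("quarantine")
PACKET = build_coa_request(SECRET, 7, ATTRS)
```

If the controller's RADIUS shared secret for ClearPass differs from the one ClearPass uses, every CoA fails this check silently, so verifying the secret on both sides is the first thing to confirm when the "server actions" test in Access Tracker does not bounce the client.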


Aaahhhh, I see what you mean. Using roles I wouldn't need to add extra VLANs (with all the hassle that goes with them in terms of routing etc.), but using roles I can allow access only to ClearPass. This would work for me.


Thank you, this forum is amazing.

