Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Onguard Zoning Behavior

  • 1.  Onguard Zoning Behavior

    Posted Jan 25, 2016 09:39 AM

    Let's say I have 2 zones, HQ and ZoneA, in 1 cluster.

    HQ:

    Subnets A,B,C override with hqzone.test.nac (virtual ip of ZoneA)

    ZoneA:

    Subnets D,E,F override with zoneA.test.nac,hqzone.test.nac (virtual ip of ZoneA and HQ)


    Question: 

    If I connect from subnet Z (OnGuard is reachable to ClearPass), which is not defined in the OnGuard zoning, what will happen? Which server will I be talking to? Let's say my last update was from ZoneA, with the agent.conf file being "zoneA.test.nac,hqzone.test.nac, 1.1.1.1,2.2.2.2". Will my agent.conf file stay put as it is? Or will it update differently?



  • 2.  RE: Onguard Zoning Behavior

    Posted Jan 25, 2016 12:35 PM

    Can I suggest you take a review of my OnGuard in a Cluster Technote.

    Find it here: OnGuard in a Cluster



  • 3.  RE: Onguard Zoning Behavior

    Posted Jan 25, 2016 05:40 PM
    I can't find my answer. It only states it will try the list of reachable servers. I want to know the sequence. Can anyone help?


  • 4.  RE: Onguard Zoning Behavior

    Posted Jan 26, 2016 08:51 AM
    Can anyone help? Urgent, I need to get back to the customer.


  • 5.  RE: Onguard Zoning Behavior

    EMPLOYEE
    Posted Jan 27, 2016 06:32 AM

    Hi Ray,


    The client/agent will pick up the first 2 servers from agent.conf to check the reachability. If the first server is reachable, then it will download the agent settings (every time). From the agent settings the client will get to know its own domain nodes + override (server IPs) and update the agent.conf file in the order domain nodes, non-domain nodes, and start contacting the domain nodes based on the override for the health check.


    In your case, the client from subnet Z will get to know that it doesn't have any domain nodes after reading the downloaded agent settings, and will just update the agent.conf with the node list from the agent settings and start contacting the first server to process the system health check.



  • 6.  RE: Onguard Zoning Behavior

    Posted Jan 27, 2016 11:18 AM
    Thanks for the reply, Saravaran! Appreciate your reply.

    I don't understand what you mean by "update the agent.conf with the nodes list from the agent settings and start contacting the first server to process". Can I say that if server 1 is reachable, and it sees that the client IP is not in the zone, it will not download the agent settings? So whatever agent.conf data there is will remain as it is? And it will then update the posture to the 1st reachable ClearPass (based on the "previous" list). Please correct me if my understanding is wrong. Thanks in advance. =)


  • 7.  RE: Onguard Zoning Behavior
    Best Answer

    EMPLOYEE
    Posted Jan 28, 2016 01:15 PM

    Hi Ray,


    The agent settings will be downloaded every time; it doesn't matter whether the client subnet belongs to the zones or not. Whatever the node list/order in the agent settings is will be written to the agent.conf (replacing the current order in agent.conf), and the client starts contacting the servers in order from the agent settings. You can browse to https://<clearpass_ip>/agent/settings to check the agent settings.
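The update sequence described in the two employee replies above, written out as a small simulation (an added example, not Aruba code or anything from the thread): probe the first two agent.conf entries, fetch the settings if one answers, then rewrite agent.conf as domain nodes (the override list of the zone whose subnets contain the client IP) followed by the remaining cluster nodes. The zone subnets, the node order in the settings, and the `reachable` probe are all constructed placeholders.

```python
"""Simulation of the OnGuard agent.conf update sequence as described in the thread.
Constructed example: zone subnets, node names and the settings order are made up,
and `reachable` stands in for the agent's real reachability probe."""
import ipaddress

# Constructed zone configuration: zone -> subnets and override server list.
ZONES = {
    "HQ": {"subnets": ["10.1.0.0/24", "10.2.0.0/24", "10.3.0.0/24"],
           "override": ["hqzone.test.nac"]},
    "ZoneA": {"subnets": ["10.4.0.0/24", "10.5.0.0/24", "10.6.0.0/24"],
              "override": ["zoneA.test.nac", "hqzone.test.nac"]},
}
# Node list as the downloaded agent settings would publish it (assumed order).
ALL_NODES = ["zoneA.test.nac", "hqzone.test.nac", "1.1.1.1", "2.2.2.2"]


def domain_nodes(client_ip, zones=ZONES):
    """Override servers of the zone whose subnets contain the client IP; empty if none."""
    ip = ipaddress.ip_address(client_ip)
    for zone in zones.values():
        if any(ip in ipaddress.ip_network(net) for net in zone["subnets"]):
            return list(zone["override"])
    return []


def new_agent_conf(client_ip, all_nodes=ALL_NODES, zones=ZONES):
    """Domain nodes first (in override order), then the remaining cluster nodes."""
    domain = domain_nodes(client_ip, zones)
    return domain + [n for n in all_nodes if n not in domain]


def health_check_sequence(client_ip, current_conf, reachable):
    """Return (updated agent.conf, server contacted for the health check).

    Per the thread: probe the first two entries of the current agent.conf; if one
    answers, download the settings, rewrite agent.conf in the settings order and
    contact its first entry. If neither probe answers, agent.conf is left as-is
    and no server is contacted (assumption: the thread does not cover this case)."""
    if not any(reachable(server) for server in current_conf[:2]):
        return list(current_conf), None
    updated = new_agent_conf(client_ip)
    return updated, updated[0]
```

A client from an undefined subnet therefore ends up with the settings' own node order and talks to its first entry, as the best answer states, rather than keeping the previous zone-specific order.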