Onguard integration with self-registration on CPPM

  • 1.  Onguard integration with self-registration on CPPM

    Posted Sep 15, 2013 03:07 PM

    I have a customer who would like to check the health status of guest wireless clients connecting to their Aruba wireless network using the Onguard dissolvable agent. They want to combine this with ClearPass self-registration. I know you can do a straightforward Onguard web portal, but the customer wants to verify the guest user exists, which means some form of self-registration. Perhaps a link to the Onguard portal can be embedded into the self-registration page or login page of ClearPass?



  • 2.  RE: Onguard integration with self-registration on CPPM

    EMPLOYEE
    Posted Sep 15, 2013 06:30 PM
    As of today the easiest way would be to do a pre-auth check with a web login, then if the account's valid, assign a role that looks for the healthy token, and if it's missing, assign a CP role to the dissolvable page.


  • 3.  RE: Onguard integration with self-registration on CPPM

    Posted Sep 15, 2013 06:52 PM

    Thanks, Troy.

     

    Just a couple of questions:

     

    1. The posture for a missing health token - I guess this is the 'Unknown' token?

    2. Once a new role is assigned and the client is re-directed to the Onguard guest portal, would this request fall into a new Service and if so, what would be the service categorization rule for this request?

     

    Thanks.



  • 4.  RE: Onguard integration with self-registration on CPPM

    EMPLOYEE
    Posted Sep 15, 2013 07:02 PM

    You will need to create a Web auth service that will look for the OnGuard request.

     

    onguardenforce2.png

     

    In your enforcement you will want to trigger a bounce or COA and then look for the auth with a healthy token.

     

    onguardenforce.png



  • 5.  RE: Onguard integration with self-registration on CPPM

    Posted Sep 15, 2013 07:15 PM

    Thanks again, Troy. I'll try this out in the next day or two and let you know if I have any more questions.



  • 6.  RE: Onguard integration with self-registration on CPPM

    Posted Oct 01, 2013 05:24 AM

    Hi Troy,

     

    I have another question for you. I've managed to get the client to self-register and log in to the network successfully. In the enforcement policy, CPPM sends back a role called OnGuard-Login which has a captive portal associated with it and is redirected to the OnGuard portal on CPPM. All this works fine and the OnGuard dissolvable agent runs on the client and sends back health information to CPPM. On CPPM, there is a Webauth service which checks the information coming back from the client and successfully evaluates the correct posture token. The problem is this: how can I get CPPM to send back a Radius CoA to send back a new role (guest) in the enforcement policy? When I set this up on CPPM, CPPM just doesn't send back any radius information. Is this possible? So currently the client just sits there in the OnGuard-Login role, continuously running the healthcheck and passing this information back to CPPM every four minutes.



  • 7.  RE: Onguard integration with self-registration on CPPM
    Best Answer

    EMPLOYEE
    Posted Oct 01, 2013 06:32 PM

    So you will need to do a couple of things.

     

    1. In the health check policy you need to set up an after-scan action (SNMP, COA). In my example I'm using the agent, so I send a bounce request to the agent instead of the switch, but for a web scan it could be an SNMP or COA. It's up to the type of switch you are using and what is more efficient.

     

    onguard2.png

     

    2. In your service that you set up to assign the role, you need to check (Use cached Roles and Posture attributes from previous sessions) so when the device reconnects you will have a posture token associated with it.

     

    onguard1.png
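
The flow from posts 6 and 7, as an added example that is not part of the original thread and is not ClearPass code: a simplified Python model showing why the client stays in OnGuard-Login unless both the after-scan action and the cached-posture option are set. The class, function and flag names are hypothetical, and the MAC address and the "UNHEALTHY" token are constructed sample values; the role names come from the thread.

```python
from dataclasses import dataclass, field

@dataclass
class PolicyServer:
    """Simplified stand-in for the policy server (assumption, not ClearPass code)."""
    after_scan_action: bool    # step 1: bounce/CoA configured after the health scan
    use_cached_posture: bool   # step 2: login service reuses posture from earlier sessions
    posture_cache: dict = field(default_factory=dict)  # client MAC -> last posture token
    log: list = field(default_factory=list)

    def radius_auth(self, mac):
        """Login service: pick a role from the posture known for this client."""
        token = "UNKNOWN"
        if self.use_cached_posture:
            token = self.posture_cache.get(mac, "UNKNOWN")
        role = "guest" if token == "HEALTHY" else "OnGuard-Login"
        self.log.append(f"RADIUS {mac}: posture={token} role={role}")
        return role

    def webauth_posture(self, mac, token):
        """WebAuth service: record the agent's result; True means a re-auth is forced."""
        self.posture_cache[mac] = token
        self.log.append(f"WebAuth {mac}: posture={token} reauth={self.after_scan_action}")
        return self.after_scan_action

def simulate(server, mac, scan_result, max_scans=3):
    """Return (final role, scans run) for one client; max_scans bounds the stuck case."""
    role = server.radius_auth(mac)
    scans = 0
    while role == "OnGuard-Login" and scans < max_scans:
        scans += 1
        if server.webauth_posture(mac, scan_result):
            role = server.radius_auth(mac)
    return role, scans

if __name__ == "__main__":
    mac = "00:00:5e:00:53:01"  # constructed sample MAC
    for action, cached in [(False, False), (True, False), (True, True)]:
        srv = PolicyServer(after_scan_action=action, use_cached_posture=cached)
        print(action, cached, simulate(srv, mac, "HEALTHY"))
```

Only the last combination leaves the quarantine role; the first reproduces the symptom in post 6, where the agent keeps rescanning and no re-authentication ever happens.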