Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Some doubts about OnGuard

  • 1.  Some doubts about OnGuard

    Posted Feb 01, 2019 04:10 PM

    Hi ClearPass gurus,

     

    Please can you clarify these doubts I have with respect to the OnGuard feature?

     

    1. The OnGuard datasheet says "ClearPass OnGuard is licensed on a per endpoint basis." Is it based on the number of endpoints? Let's imagine I have 100 OnGuard licenses for doing posture checks on my co-workers' endpoints. One day I have 100 co-workers' endpoints; they do their job and go home. Next day I have 100 new co-workers' endpoints. Are the same licenses still valid as long as the number of endpoints being checked is less than 100?
    2. Do all my OnGuard licenses go to the pool and get removed from the pool according to the endpoints' demand?
    3. What happens when the number of licenses is exceeded? If I am checking 100 endpoints, when the 101st user turns on the endpoint, can't he access the network because the number of licenses is exceeded?
    4. I know there are some differences between persistent and dissolvable agents, but in terms of posture and health checks, do they support the same (antivirus, patch management, virtual machines, etc.)?
    5. I want to do posture checks for my co-workers who access the network through a captive portal, and I will use the dissolvable agent. A one-time check at login ensures policy compliance. If I have enabled MAC Caching on my ClearPass, when the co-worker leaves the office and comes back, he doesn't need to authenticate again through the captive portal. In this case, there isn't another check, is there? If I want to do checks every time he leaves and comes back to the office, I should disable MAC Caching, shouldn't I?

    Need your help, many thanks in advance.

     

    Regards,

    Julián



  • 2.  RE: Some doubts about OnGuard
    Best Answer

    EMPLOYEE
    Posted Feb 01, 2019 04:14 PM
    1. Correct
    2. Correct
    3. There will be a UI nag and log event. No ClearPass license will prevent usage.
    4. No, take a look at the user guide for the differences between the two methods
    5. Correct


  • 3.  RE: Some doubts about OnGuard

    Posted Feb 01, 2019 04:50 PM

    Hi Tim,

     

    Many thanks for your quick reply. About these points:

     

    3. There will be a UI nag and log event. No ClearPass license will prevent usage.

     

    As an example, can we do posture checks on 150 endpoints even if ClearPass has 100 OnGuard licenses? Will there just be UI nags and logs? No CPPM UI lock? Or is there a limit of endpoints we can reach after the number of licenses has been exceeded?

     

    4. No, take a look at the user guide for the differences between the two methods

     

    I have been searching the user guide but didn't find anything that says the dissolvable and persistent agents support different health checks. I have attached the user guide.

     

    Many thanks,

    Julián

     

     

    Attachment(s)

    pdf
    CPPM_User_Guide_6.7.pdf   22.39 MB 1 version


  • 4.  RE: Some doubts about OnGuard

    EMPLOYEE
    Posted Feb 01, 2019 05:01 PM
    3) There are no lockouts in 6.7. However, continuing to overrun a license is a violation of the EULA.
    4) Essentially it comes down to the fact that the persistent agent can auto-remediate for many things and the dissolvable can’t.


  • 5.  RE: Some doubts about OnGuard

    Posted Feb 01, 2019 05:19 PM

    Hi Tim,

     

    3) OK, clear.

     

    4) That's right, I know the persistent agent can auto-remediate some things and the dissolvable agent can't. Also, the persistent agent provides nonstop monitoring while the dissolvable agent does a one-time check at login. Besides this, I assume both agents support the same health checks (antivirus check, USB check, Disk Encryption check, etc.).

     

    Regards,

    Julián