Security

Hi Guys,

I like to understand more about Onguard, it's pre-requisites, what is installed (or not) on the client end and what it can do?

Basically, I understand that the deployment guide isn't out yet but I would like some basic questions resolved first:

1. I understand it is a NAC that can be integrated into any 802.1x switch. However, certain level of firmware version is required. But I also heard that it still can be achieve using SNMP. Is that correct?

2. I also understand that a client software needs to be installed. But there is also an option for being clientless. What is the pro and cons with or without client software installed?

1. I understand it is a NAC that can be integrated into any 802.1x switch. However, certain level of firmware version is required. But I also heard that it still can be achieve using SNMP. Is that correct?

This is correct, but the snmp option have some caveats when changing VLANs or when a device is behind a VoIP phone

2. I also understand that a client software needs to be installed. But there is also an option for being clientless. What is the pro and cons with or without client software installed?

Yes

1-      Persistent agent

provides nonstop monitoring and automatic remediation and control. When running persistent OnGuard agents, ClearPass

Policy Manager can centrally send system-wide notifications and alerts, and allow or deny network access. The persistent agent

also supports auto and manual remediation.

 

2-      Dissolvable agent is ideal for personal

non IT-issued devices that connect via a captive portal and do not allow agents to be permanently installed. A one-time check at

login ensures policy compliance. Devices not meeting compliance can be redirected to a captive portal for manual remediation.

Once the browser page used during authentication is closed, the dissolvable agent is removed leaving no trace.

What kind of switches do you have? 

 

The persistent agent also adds a ton more features like automatically killing banned applications (or not letting the device on the network if the application is installed, good example is BitTorrent). It can also detect registry keys, can shut down running VM guests, etc.

 

 

Mainly Cisco Catalyst switches. They are a mixture of C4506, C3750, C2960 and the older C2950.

How do I ensure compatibility? Assuming I have the datasheets for the switches, is there a specific feature that is required for Onguard?

You'll want to make sure they support RFC 3576
(RADIUS Change of Authorization). As far as I. know, newer cisco code supports it.

Okay, I think I may have jumped my gun. I saw and read a very helpful post at the below link:

http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/ClearPass-OnGuard-switch-requirements/td-p/42478

1. It seems that the posture agent has better support on Windows. So I can do quite a number of checks with the agent. What about the dissolvable agent? Can it do the same for all platforms? I assume that if we are directed to a captive portal, a Java-based installer gets installed to perform the mediation before it is uninstalled. Since Java can run on any platform, it should support a forms of mediation???

2. For the posture agent, how is this pushed down to each clients, assuming I have 5000 over machines? GPO?

2) you could push it down through group policy, yes. If all the machines are in your control (via AD), it might be better to use the Microsoft NAP integration.

hi,

i dont want to install onguard agent on my clinet pc,  and we dont have captive portal page,

 

can we use dissolvable agent for wireless pc connection?

 

how redirect them once they connect to network to dissolvable agent page?

 

thanks

You must have Clearpass and it will host the captive portal page.

Are there any guides available from Aruba regarding the integration with Microsoft NAP?

I hadn't heard of Microsoft NAP until reading this post.

 

Ideally, I would like the ClearPass to remain as the RADIUS server, but have the NAP clients send their status information to the CPPM.

Outside of the user guide, we don't unfortunately. NAP has actually been deprecated by Microsoft.

Oh really? Thank you for telling me that. I am glad I didn't invest to much time into it.

 

That being said, what would your recommendation be for the OP today?

 

I like the idea of this agent.

I have another tool I use to do software deployment that installs an agent. I could leverage the data stored in this tool to do "health checks". It is cool though that this agent can dynamically change the role of the device depending upon whether it is in violation or not.

This thread is very old.

What are your questions?

This thread is very old.

What are your questions?

Sorry, your right.

 

I can start another post instead of highjacking someone elses.

 

Cheers

Outside of the user guide, we don't unfortunately. NAP has actually been deprecated by Microsoft.

Okay.. RFC3576. Noted.