Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Using OnGuard for multiple authorizations

  • 1.  Using OnGuard for multiple authorizations

    Posted May 06, 2015 03:10 PM

    Hello,

     

      I'm wondering if something is possible and I'm just missing how to do it.

     

      Ideally, we want to do the following:

     

    User logs in to 802.1X and, based on user directory attributes, is given a role (Staff, Affiliate, etc.).

    Then, based on their role and other attributes, we decide which role to send to the Aruba controllers.

    The other attributes should ideally include: existence of their device in our enterprise inventory system (this is an SQL lookup, already have this piece working); OnGuard health status (AV enabled/updated, firewall enabled/updated); AND whether or not a specific internal application is installed.

     

    So User A is staff, their device is in inventory, it's healthy and has the application installed, they get the controller role Staff-Managed-WithApp.  If the app is not installed they get Staff-Managed-Base.  If the device is unhealthy, regardless of App or not, they get Staff-Quarantined.  These roles then control access to various resources internally.

     

    My question is: is this possible?  It doesn't look like it is from what I can see in the OnGuard configuration, but maybe I'm missing something.



  • 2.  RE: Using OnGuard for multiple authorizations

    EMPLOYEE
    Posted May 06, 2015 03:13 PM
    Yes, but you'll need an interim role to allow for limited access for when
    OnGuard is scanning the computer.


  • 3.  RE: Using OnGuard for multiple authorizations

    Posted May 06, 2015 03:19 PM

    I think I already have that covered with the role mapping/enforcement profiles.

     

    What I don't understand is how to handle the posture tokens so I can say:

    Healthy Device, WithApp = Posture Token Healthy (0)

    Healthy Device, NoApp = Posture Token Whatever (5)

    Unhealthy Device, WithApp = Posture Token Quarantine (20)

    Unhealthy Device, NoApp = Posture Token Quarantine (20)

     

    It seems the options are only based on whether you pass or fail ALL or One or more.  Failing this check is worth 5 points, failing this one is worth 20.



  • 4.  RE: Using OnGuard for multiple authorizations
    Best Answer

    EMPLOYEE
    Posted May 06, 2015 03:24 PM

    You can write individual enforcement rules based on individual OnGuard checks.

     

    For example:

    [Screenshot attachment: posture-applications.PNG]



  • 5.  RE: Using OnGuard for multiple authorizations

    Posted May 06, 2015 03:27 PM

    Thanks!  That was the step I didn't know was available.  Off to play.
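
A conceptual model of the approach discussed in posts 1 to 4, added here as an example; it is not code from the thread and not ClearPass configuration syntax. It contrasts one combined pass/fail posture result (as post 3 describes it) with ordered, first-match rules that test each check separately; the field names and the `Interim` and `Unmanaged` role suffixes are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Session:
    directory_role: str            # role from user directory attributes, e.g. "Staff"
    in_inventory: bool             # result of the inventory SQL lookup
    healthy: Optional[bool]        # AV/firewall checks; None while the scan is pending
    app_installed: Optional[bool]  # separate check for the internal application

def single_token(s: Session) -> str:
    """Every check folded into one pass/fail result, as post 3 describes."""
    if s.healthy is None:
        return "UNKNOWN"
    return "HEALTHY" if (s.healthy and s.app_installed) else "QUARANTINE"

# Ordered (condition, role suffix) pairs, evaluated first-match.
# Order matters: pending and unhealthy outcomes are decided before the
# application check, so an unhealthy device never reaches a Managed role.
RULES = [
    (lambda s: s.healthy is None, "Interim"),            # hypothetical suffix
    (lambda s: s.healthy is False, "Quarantined"),
    (lambda s: s.in_inventory and s.app_installed is True, "Managed-WithApp"),
    (lambda s: s.in_inventory, "Managed-Base"),
]
FALLBACK = "Unmanaged"  # hypothetical: the thread does not cover unmanaged devices

def controller_role(s: Session) -> str:
    """Return the role sent to the controller for this session."""
    for condition, suffix in RULES:
        if condition(s):
            return f"{s.directory_role}-{suffix}"
    return f"{s.directory_role}-{FALLBACK}"

if __name__ == "__main__":
    # Constructed sample sessions covering the four cases from post 3 plus a pending scan.
    samples = [
        Session("Staff", True, True, True),
        Session("Staff", True, True, False),
        Session("Staff", True, False, True),
        Session("Staff", True, False, False),
        Session("Staff", True, None, None),
    ]
    for s in samples:
        print(f"{single_token(s):<11} {controller_role(s)}")
```

With the combined result, a healthy device without the application and an unhealthy device both come out as `QUARANTINE`; the per-check rules keep them apart.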