Contributor II

onguard and wired client issue


We have deployed CPPM wired with posture for wired clients with Cisco switches.

The service is checking whether the client is user auth and machine auth or not.

If yes, he will get the DACL "permit any".

If not, he will get limited access.

The issue: when the client boots his PC and logs in, the OnGuard agent doesn't work and communicate with CPPM until we unplug and plug the Ethernet cable again.

How can I make OnGuard communicate automatically with CPPM?

thank you

Trusted Contributor I

Re: onguard and wired client issue

It is a bit difficult to understand what exactly you built.

So just to be sure: OnGuard requires L3 connectivity to the CPPM. So usually you do RADIUS to provide access to the network and CPPM. Then OnGuard runs and provides you with a posture. Then you disconnect the client via CoA, and in the next attempt the posture will be used (if you turn on use cached info).

Is the above what you did? If so, where does it fail?

Guru Elite

Re: onguard and wired client issue

Is your service that checks for machine/user auth requiring posture data? 

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: onguard and wired client issue

Keep this in mind:
Thank you

Victor Fabian
Lead Mobility Architect @WEI
Contributor II

Re: onguard and wired client issue

Some PCs are working fine, and some of them won't communicate until we unplug and plug the Ethernet cable again; then it starts to communicate and the client gets the right DACL.

Do I need to configure extra configuration on my Cisco? I have configured the Cisco as below:


aaa new-model
radius-server host key aruba123
dot1x system-auth-control
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa server radius dynamic-author
client server-key aruba123
port 3799
auth-type all
ip dhcp snooping
ip device tracking
radius-server vsa send authenticat
(config)interface vlan "ID"
ip address 192.168.X.X
ip helper-address
ip helper-address

interface range fa/gig
switchport access vlan "ID"
switchport mode access
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
dot1x pae authenticator
dot1x timeout server-timeout 30
dot1x timeout tx-period 10
dot1x timeout supp-timeout 30
dot1x max-req 3
dot1x max-reauth-req 10
spanning-tree portfast
lldp transmit
lldp receive



device-sensor accounting
device-sensor notify all-changes
device-sensor filter-list dhcp list dhcp-list
option name host-name
option name parameter-request-list
option name class-identifier

device-sensor filter-list cdp list cdp-list
tlv name version-type
tlv name platform-type

device-sensor filter-list lldp list lldp-list
tlv name system-description

device-sensor filter-spec dhcp include list dhcp-list
device-sensor filter-spec lldp include list lldp-list
device-sensor filter-spec cdp include list cdp-list
lldp run

cdp run

Guru Elite

Re: onguard and wired client issue

You'll likely need to add an interim state that allows some access before the OnGuard agent has fully scanned the machine.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
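
Added example (not part of any post in this thread, and not ClearPass or OnGuard code): a small Python model of the flow described in the replies above, that is, initial RADIUS auth, agent posture report, CoA, then reauthentication using cached posture. The profile names, the posture values, and the assumption that the limited profile blocks traffic to CPPM are hypothetical.

```python
# Toy model of the posture workflow; all names here are assumptions for the sketch.
FULL, INTERIM, LIMITED = "permit-any", "interim-cppm-only", "limited-no-cppm"

def enforce(machine_auth, user_auth, posture, interim_state):
    """Pick the access profile returned with the RADIUS Access-Accept."""
    if not (machine_auth and user_auth):
        return LIMITED
    if posture == "HEALTHY":
        return FULL
    if posture == "UNKNOWN" and interim_state:
        # Agent has not reported yet: allow just enough L3 access to reach CPPM.
        return INTERIM
    return LIMITED

def agent_can_reach_cppm(profile):
    # Assumption: the limited profile does not permit traffic to CPPM.
    return profile in (FULL, INTERIM)

def boot_and_login(interim_state, scan_result="HEALTHY", use_cached=True):
    """Trace one port session from link-up; returns the profiles applied in order."""
    cached_posture = "UNKNOWN"          # nothing cached at first authentication
    trace = []
    for _ in range(3):                  # bounded: first auth plus up to two reauths
        posture = cached_posture if use_cached else "UNKNOWN"
        profile = enforce(True, True, posture, interim_state)
        trace.append(profile)
        if profile == FULL or not agent_can_reach_cppm(profile):
            break                       # finished, or stuck with no path to CPPM
        cached_posture = scan_result    # agent reports; CPPM sends CoA; port reauths
    return trace

if __name__ == "__main__":
    print("no interim state :", boot_and_login(False))
    print("interim state    :", boot_and_login(True))
    print("cache not used   :", boot_and_login(True, use_cached=False))
    print("unhealthy client :", boot_and_login(True, scan_result="QUARANTINE"))
```

Without the interim state the session never leaves the limited profile, and without cached posture the reauthentication after CoA lands back in the interim profile each time.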

Re: onguard and wired client issue

If these are Windows devices, keep in mind that the time OnGuard might take will depend on a couple of things:

- Resources available (memory/CPU) on the laptop

- And the different types of checks

Read this as well:



You should consider Cappalli's suggestion.

Another thing you could do is increase the cache posture value.

Thank you

Victor Fabian
Lead Mobility Architect @WEI