No script downloaded but when I browse the URL in the test laptop's browser I can read it so the link is working.
I think I need to troubleshoot this with the TAC help ...
Original Message:
Sent: May 29, 2024 11:56 AM
From: Herman Robers
Subject: Clearpass OnGuard Health Check local Certificate
Do you see the script being downloaded to your computer? It should end up in the 'Path of the Script'.
For me it seems like the script is not even executed, which may be permissions, which may be that the script is not there, which may be that the SHA256 checksum is incorrect. I have not tested with Windows 11, just with Windows 10. Permission checks may be even higher on Win 11.
If you can't make it work, can you please open a TAC case? They may have better troubleshooting steps to see if the script is even executed or what is the reason it isn't.... For me it works, so it's hard to think why it doesn't at your side. The concept seems to work...
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: May 29, 2024 10:25 AM
From: Fcbeng1202
Subject: Clearpass OnGuard Health Check local Certificate
Hi Herman,
This is what I did :
Updated Script :
# Get Machine FQDN to compare with Cert SN
$PCFQDN = [System.Net.Dns]::GetHostByName($env:computerName).HostName;
# Issuing CA to var
$CA = "CN=xxxx Issuing CA, DC=xxxxx, DC=xx";
# Threshold definition
$Threshold = 0;
# Deadline
$deadline = (Get-Date).AddDays($Threshold);
# Put $exitcode to 65 (failure) by default
$OutVar1 = 65;
# Get all the certificates from the current user's personal store
[System.Object[]]$Certs = Get-ChildItem -Path Cert:\LocalMachine\My;
# Loop through each certificate and extract the relevant properties
if ($Certs -ne $null) {
foreach ($Cert in $Certs) {
# Determine if the cert subject matches the machine FQDN
if ($Cert.Subject -match $PCFQDN) {
# Check if Issuer is xxxx
if ($Cert.Issuer -match $CA) {
# Check Expiration date
@{CertIssuer=$Cert.Issuer;CertExpire=(Get-Date($Cert.NotAfter) -Format "yyyyMMdd HH:mm:ss")} | ConvertTo-Json
if ($Cert.NotAfter -gt $deadline) {
# exitcode 0 is success
$OutVar1 = 0;
}
}
}
}
}
Exit $OutVar1;
Results are still the same and I can't get the two more vars expected (CertIssuer and CertExpire). It seems the modifications I did wre not taken into account and It is using some "cached" version. I recall also when I upgraded the laptop from Windows 10 to 11 the Posture policy didn't changed to match the new OS version ... Moreover, It is considering the Custom Script healthcheck as healthy T_T
Is there a way to completely purge the remaining cache or whatever ?
Original Message:
Sent: May 29, 2024 07:57 AM
From: Fcbeng1202
Subject: Clearpass OnGuard Health Check local Certificate
Thanks a lot Herman, I'll try to customize the powershell command (I did change the local policy on my lab machine but not sure it was kept during my tests).
Anyway no explanation about why Onguard is not downloading my script if not present in the system ...
I'll keep you posted
Original Message:
Sent: May 29, 2024 07:12 AM
From: Herman Robers
Subject: Clearpass OnGuard Health Check local Certificate
I did some testing in my lab, and it worked for me... what I did run into is the powershell execution policy, but if you mention the script runs fine locally, that may not be the issue. For me it works with the following:
Note the addition about the execution policy bypass...
And this is my adapted test script (note: I'm not a powershell expert so there may be stupid decisions/coding in there); it now includes some info as JSON that can be used in ClearPass:
# Get Machine FQDN to compare with Cert SN$PCFQDN = [System.Net.Dns]::GetHostByName($env:computerName).HostName;# Issuing CA to var$CA = "CN=ArubalabNL-CA, DC=nl, DC=arubalab, DC=com";# Threshold definition$Threshold = 365;# Deadline$deadline = (Get-Date).AddDays($Threshold);# Put $exitcode to 65 (failure) by default$OutVar1 = 65;# Get all the certificates from the current machine's personal store[System.Object[]]$Certs = Get-ChildItem -Path Cert:\LocalMachine\My;# Loop through each certificate and extract the relevant propertiesif ($Certs -ne $null) {foreach ($Cert in $Certs) { # Determine if the cert subject matches the machine FQDNif ($Cert.Subject -match $PCFQDN) {# Check if Issuer is correctif ($Cert.Issuer -match $CA) {# Check Expiration date@{CertIssuer=$Cert.Issuer;CertExpire=(Get-Date($Cert.NotAfter) -Format "yyyyMMdd HH:mm:ss")} | ConvertTo-Jsonif ($Cert.NotAfter -gt $deadline) {# exitcode 0 is success$OutVar1 = 0;} } } }}Exit $OutVar1;
This is what I see in the Posture status for the client:
Where the ExitCode of 65 is because I set the threshold to 365 / one year...
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: May 29, 2024 05:15 AM
From: Fcbeng1202
Subject: Clearpass OnGuard Health Check local Certificate
Did you add it as custom script for the OS type/version that you use?
Yes I did
Please see the posture info below, It seems there is something wrong executing the script on the machine (return code 256) but I can't figure out why, when I execute it manually It works fine
Please see the custom script definition as well. I tried various things such as Exitcode type integer, boolean custom output, in json and key-pair value as well but no luck until now ...
Even the download url if the script is not present on the designated path is not working ...
Thanks for your help.
Original Message:
Sent: May 28, 2024 11:51 AM
From: Herman Robers
Subject: Clearpass OnGuard Health Check local Certificate
Did you add it as custom script for the OS type/version that you use?
Do you see the script output in the OnGuard status for the client?
The output value seems fine and can be any number. You can output additional information (just print as standard command output) in the form: Attribute=Value, which you then can pick up in your Custom Onguard script definition, like:
(instead of Attribute=Value, you can also use json instead).
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: May 28, 2024 07:38 AM
From: Fcbeng1202
Subject: Clearpass OnGuard Health Check local Certificate
Yes I agree but I wrote a powershell script like this but no success, and no luck finding if what I return is appropriate (If I follow the doc I would say yes), any advice on this would be great :
# Get Machine FQDN to compare with Cert SN
$PCFQDN = [System.Net.Dns]::GetHostByName($env:computerName).HostName;
# Issuing CA to var
$CA = "CN=xxxxx, DC=xxxx, DC=xxxx";
# Threshold definition
$Threshold = 0;
# Deadline
$deadline = (Get-Date).AddDays($Threshold);
# Put $exitcode to 65 (failure) by default
$OutVar1 = 65;
# Get all the certificates from the current machine's personal store
[System.Object[]]$Certs = Get-ChildItem -Path Cert:\LocalMachine\My;
# Loop through each certificate and extract the relevant properties
if ($Certs -ne $null) {
foreach ($Cert in $Certs) {
# Determine if the cert subject matches the machine FQDN
if ($Cert.Subject -match $PCFQDN) {
# Check if Issuer is correct
if ($Cert.Issuer -match $CA) {
# Check Expiration date
if ($Cert.NotAfter -gt $deadline) {
# exitcode 0 is success
$OutVar1 = 0;
}
}
}
}
}
Exit $OutVar1;
Original Message:
Sent: May 28, 2024 07:16 AM
From: Herman Robers
Subject: Clearpass OnGuard Health Check local Certificate
I think a custom script would be possible.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: May 14, 2024 10:08 AM
From: Fcbeng1202
Subject: Clearpass OnGuard Health Check local Certificate
Hi there,
I'm requesting some guidance to be able to check the presence of a local certificate in the windows machine certificate store under the "personal/Certificates" folder
The cert is provided by the ADCS with auto enroll fully configured and I would like to check the expiration date and if the cert's subject is matching the machine FQDN.
I did not see anything specific in the healthcheck options to do this so I'm guessing ... Custom script ?
Has anyone managed to do something like that ?
Many Thanks