Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass Onguard problem

  • 1.  Clearpass Onguard problem

    Posted 3 days ago

    Hello!

    Recently I have configured a basic OnGuard posture policy on our ClearPass to check the Windows Firewall and some registry state, and it is working fine in general.

    But during the first WLAN connection of the day the user gets stuck in the UNKNOWN(0) posture state and has to rejoin to get into HEALTHY(0). Because the WLAN connection is faster than the OnGuard scan, during the first connection the posture state is UNKNOWN(0), and based on this the client gets the quarantine ACL.

    Example log:

    What am I missing? How can I configure this to change the client state based on the Posture state change?

    Thanks



  • 2.  RE: Clearpass Onguard problem

    Posted 3 days ago



  • 3.  RE: Clearpass Onguard problem

    Posted 2 days ago

    When using Onguard there is the following dependency:
    1. First WLAN dot.1x-Auth - Posture state is UNKNOWN, because no status has yet been transmitted by the agent

    2. Web-Auth by the agent - posture status is transmitted, a port bounce must occur at this point so that the posture status can be evaluated.

    3. Second WLAN dot.1x-Auth - At this point, the dot.1x service must evaluate the posture code. However, it does not see it because the dot1x-wlan service and the web-auth service do not communicate with each other.

    The trick is to activate "Use Cached Results" in the Enforcement tab.

    Then the dot.1x-Auth service can read the posture code from the endpoint cache. Then everything works as desired.




    ------------------------------
    Regards,

    Waldemar
    ACCX # 1377, ACEP, ACX - Network Security
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 4.  RE: Clearpass Onguard problem

    Posted 11 hours ago

    The tricky part is that I have configured this feature already (based on the official guide).

    And yet the port bounce does not happen :(

    Do I have to configure something on the AP / WLAN side? Like enabling Dynamic Authorization? I did that already, and it did not solve it.




  • 5.  RE: Clearpass Onguard problem

    Posted 10 hours ago

    Yes, I know, it's a difficult topic, but please don't give up.
    The port bounce does not happen automatically, you have to configure it. In the web-auth service you have to send either coa in a RADIUS_DynAuthZ or bounce-client in an agent-enforcement-profile. If you use coa, you must also set up Dynamic Authorization in the WLAN. With agent enforcement, the agent bounces the port on the client side independently of Dynamic Authorization. It's a matter of taste, I use the agent variant.

    Have you watched any videos of Herman? He explains it very well.

    https://m.youtube.com/watch?v=l5Rt2K8KJiE



    ------------------------------
    Regards,

    Waldemar
    ACCX # 1377, ACEP, ACX - Network Security
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------
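The flow Waldemar describes in replies 3 and 5 (first dot.1x auth with posture UNKNOWN, agent web-auth that stores the posture and bounces the client, second dot.1x auth that must read the cached result) can be modelled in a few dozen lines. The following is an added example, not ClearPass code and not anything from the original posts: a toy simulation whose service classes, endpoint cache, MAC address and ACL names are assumptions made for illustration. It shows why both settings matter together: without "Use Cached Results" the bounce re-authenticates into quarantine again, and without a bounce the cached HEALTHY result is only picked up when the user rejoins by hand.

```python
"""Added example, not ClearPass code: a toy model of the OnGuard posture flow
described in this thread (first 802.1X auth with posture UNKNOWN, agent web-auth
that stores the posture and bounces the client, second 802.1X auth). Service
names, the cache layout, the MAC and the ACL names are assumptions for
illustration only."""

from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Tuple


class Posture(Enum):
    UNKNOWN = "UNKNOWN(0)"   # no agent report received yet
    HEALTHY = "HEALTHY(0)"   # agent checks (firewall, registry, ...) passed


@dataclass
class EndpointCache:
    """Stand-in for the endpoint repository the agent's posture result is written to."""
    posture: Dict[str, Posture] = field(default_factory=dict)


@dataclass
class Client:
    mac: str
    acl: Optional[str] = None
    auths: int = 0  # number of 802.1X authentications seen so far


class Dot1xService:
    """Stand-in for the WLAN dot.1x service. The 802.1X request itself carries no posture."""

    def __init__(self, cache: EndpointCache, use_cached_results: bool) -> None:
        self.cache = cache
        self.use_cached_results = use_cached_results

    def authenticate(self, client: Client) -> Posture:
        posture = Posture.UNKNOWN
        if self.use_cached_results:
            # 'Use Cached Results': read what the agent stored via web-auth.
            posture = self.cache.posture.get(client.mac, Posture.UNKNOWN)
        client.acl = "full-access" if posture is Posture.HEALTHY else "quarantine"
        client.auths += 1
        return posture


class WebAuthService:
    """Stand-in for the OnGuard web-auth service that receives the agent's report."""

    def __init__(self, cache: EndpointCache, dot1x: Dot1xService, bounce_client: bool) -> None:
        self.cache = cache
        self.dot1x = dot1x
        self.bounce_client = bounce_client

    def agent_report(self, client: Client, posture: Posture) -> None:
        self.cache.posture[client.mac] = posture
        if self.bounce_client:
            # bounce-client agent enforcement: the agent drops and re-establishes
            # the WLAN session, which triggers a fresh 802.1X authentication.
            self.dot1x.authenticate(client)


def simulate(use_cached_results: bool, bounce_client: bool,
             manual_rejoin: bool = False) -> Tuple[str, int]:
    """Run one 'first connection of the day' and return (final ACL, auth count)."""
    cache = EndpointCache()
    dot1x = Dot1xService(cache, use_cached_results)
    webauth = WebAuthService(cache, dot1x, bounce_client)
    client = Client(mac="00:11:22:33:44:55")  # constructed sample MAC

    dot1x.authenticate(client)                     # step 1: WLAN joins before the scan finishes
    webauth.agent_report(client, Posture.HEALTHY)  # step 2: agent finishes its checks
    if manual_rejoin:
        dot1x.authenticate(client)                 # the user disconnects and reconnects
    return client.acl or "none", client.auths


if __name__ == "__main__":
    for cached, bounce, rejoin in [(False, True, False), (True, False, False),
                                   (True, False, True), (True, True, False)]:
        acl, n = simulate(cached, bounce, rejoin)
        print(f"cached={cached!s:5} bounce={bounce!s:5} rejoin={rejoin!s:5} "
              f"-> {acl} after {n} auth(s)")
```

The second scenario (cache on, no bounce) is the behaviour reported in the question: the endpoint already holds HEALTHY, but nothing re-runs the dot.1x service until the user rejoins. Only the last scenario, with both the cached-results lookup and the bounce, ends in full access without manual action.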