Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

How to Configure ClearPass to Block Devices Without OnGuard Installed?

  • 1.  How to Configure ClearPass to Block Devices Without OnGuard Installed?

    Posted 2 days ago

    Hi everyone,

    I'm currently working on securing our network with ClearPass and need to ensure that only devices with OnGuard installed are allowed access. Can anyone guide me on how to create a rule in ClearPass that checks if the endpoint has OnGuard installed and blocks those that don't?

    I've got the basics of ClearPass configuration down, but I'm a bit stuck on setting up this specific enforcement policy. Any detailed steps or resources would be greatly appreciated!

    Thanks in advance for your help!



  • 2.  RE: How to Configure ClearPass to Block Devices Without OnGuard Installed?

    Posted yesterday

    Hi,

    The OnGuard client must be able to send the device status to ClearPass, thus you can't deny access completely to clients that haven't reported a valid posture. Instead you can apply a role that only allows DHCP, DNS and access to ClearPass for the web authentication to take place.

    In general terms the OnGuard process works like this:

    1. Successful 802.1X authentication but unknown posture status: return a limited role.
    2. Web authentication to report posture: perform CoA after the web authentication to initiate a new 802.1X authentication.
    3. Successful 802.1X authentication, known posture status: return the desired role.
       The 802.1X service must have the option "Use Cached Results" enabled under the Enforcement tab, otherwise the service can't utilize the posture status from the previous web authentication.

    How you apply the first limited role differs depending on how your clients connect to the network and from what type of equipment. If the client connects from a wired connection and the switch is capable of Downloadable User Roles (AOS 2540, 2930F/M and 5400 or CX 6200-6400) you can apply a DUR. Same if it's a wireless client connecting to an Aruba SSID. But if the client connects from an Aruba switch that doesn't support DUR you have to apply the restriction in another way. Depending on the switch, this can be done with different methods.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------
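The three-step flow in the answer above, as an added model in Python (example code, not ClearPass or the poster's configuration): role names, the in-memory posture cache and the sample MAC are assumptions. It shows why the second 802.1X round only yields the desired role when cached results are used.

```python
# Added example (not ClearPass code): a small model of the posture flow in the
# answer above. Names, roles and the in-memory cache are assumptions.
from dataclasses import dataclass, field
from enum import Enum


class Posture(Enum):
    UNKNOWN = "unknown"      # no OnGuard report received for this endpoint yet
    HEALTHY = "healthy"
    UNHEALTHY = "unhealthy"


LIMITED_ROLE = "onguard-limited"   # assumed role: DHCP, DNS and ClearPass only
FULL_ROLE = "employee"             # assumed "desired role"
QUARANTINE_ROLE = "quarantine"     # assumed role for a failed health check


@dataclass
class PolicyModel:
    use_cached_results: bool = True                      # the option from step 3
    posture_cache: dict = field(default_factory=dict)    # endpoint MAC -> Posture
    coa_sent: list = field(default_factory=list)         # MACs that received a CoA

    def dot1x_auth(self, mac: str, credentials_ok: bool) -> str:
        """Steps 1 and 3: 802.1X decision; posture is only known via cached results."""
        if not credentials_ok:
            return "reject"
        posture = Posture.UNKNOWN
        if self.use_cached_results:
            posture = self.posture_cache.get(mac, Posture.UNKNOWN)
        if posture is Posture.HEALTHY:
            return FULL_ROLE
        if posture is Posture.UNHEALTHY:
            return QUARANTINE_ROLE
        return LIMITED_ROLE   # unknown posture: can reach ClearPass, nothing else

    def web_auth_posture(self, mac: str, posture: Posture) -> None:
        """Step 2: OnGuard reports over web auth; ClearPass caches it and sends a CoA."""
        self.posture_cache[mac] = posture
        self.coa_sent.append(mac)    # the CoA triggers a fresh 802.1X authentication


def run_flow(server: PolicyModel, mac: str, reported: Posture) -> list:
    """Return the roles handed out in the initial and the post-CoA 802.1X round."""
    roles = [server.dot1x_auth(mac, credentials_ok=True)]      # step 1: limited role
    server.web_auth_posture(mac, reported)                     # step 2: report + CoA
    roles.append(server.dot1x_auth(mac, credentials_ok=True))  # step 3: re-auth
    return roles
```

With `use_cached_results=False` the endpoint stays in the limited role after the CoA, which is the symptom the "Use Cached Results" note in step 3 warns about.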