CPE 6.7 MOD 11 – 1

Aruba Networks, a Hewlett Packard Enterprise company.


Upon completion of this module you should be able to design and implement secure network access with client health
checks. You will also be able to gather statistics about your clients' compliance with your organization's security policies.

Have you ever wanted to be able to guarantee that all of the network clients are up to date and current in their operating
system patches and security settings? Wouldn't the best way to implement this be through some automated system? With
the implementation of ClearPass Onboard you will have an automation that can give you compliance reports as well as
enforcement of your security policies.

During the introduction you will gain an understanding of how ClearPass evaluates the security status of your clients. Then
you’ll look at the policies that you can put in place to ensure compliance with the organization's requirements. Next, you’ll
learn how the OnGuard agent operates on the client. And finally you will spend time learning to monitor OnGuard in the
system.


The ClearPass Onboard module implements health checks and posture compliance. These functions provide the network
administrator insight into the clients’ security compliance on the network. You can use this information during network
access enforcement to ensure that a client is compliant with the policy in order to gain access to the network.

Posture is the term associated with network access control or NAC. You can use Posture for endpoint compliance and
control. Violation of corporate policy makes a client unhealthy. The Posture of a client depends upon the presence or
absence of an application, service, or an external hardware device.

For example, you might configure ClearPass so that the presence of a firewall, antivirus and anti-spyware makes the client
healthy, while the presence of BitTorrent, a Bluetooth service or a USB device makes the client out-of-compliance with
company policies. You can use this health check information during enforcement to restrict access.

When an agent runs a health check on a client device, it returns an application token representing the health. You may
configure these tokens to take on different meanings, but here is an overview of how they’re typically used:

A Healthy token means that the client is compliant: in other words, there should be no restrictions on network access.

A Checkup token means that the client is compliant; however, there is an update available for the client. A client can
proactively remediate to a healthy state.

When a client evaluation is in progress, a Transient token is returned. This is typically associated with auditing a client.
The network access granted in this case is interim.

A Quarantine token means that the client is out of compliance and should get restricted network access. This means the
client should only have access to the remediation servers.

An Infected token is sent when the client is infected and is a threat to other systems in the network. Network access should
be denied or severely restricted.

When the client’s Posture token cannot be obtained, an Unknown token is returned. For example, this might occur if there
is no posture agent assigned to the client, or the client agent is unable to communicate with ClearPass or hasn’t performed
a posture check.

Tokens are information about the endpoint. As the ClearPass administrator, you have the ability to interpret the tokens any
way that you wish. You can do this by writing enforcement rules to evaluate the token. For example, you could do
something like: IF the Tips:Posture equals Healthy THEN assign employee full access.

Whenever a client first connects to the network its posture token will always be Unknown. After the agent is able to check
in, the token can be updated to any one of the other five depending on conditions.

The Posture tokens assigned to the endpoints are temporary and expire in five minutes if there is not an update from the
agent. If the agent is continually sending updates to ClearPass the token will continually get updated. If the client leaves the
network for more than five minutes the token expires and returns to an Unknown token.

This ensures that when any client connects to the network the status is always unknown until the agent has time to check in
and update the status. This is quite different from the endpoint profile that you looked at earlier, where the profile information
stays with the endpoint until it is changed.

There are a number of actions available based on the Posture token received. You could place clients with the Quarantine
token in a quarantine VLAN by sending a RADIUS message or SNMP message back to the NAD device. You could also
apply an ACL or Aruba firewall role to the user.

If the user’s Windows security patches are out of date, you could redirect the device to a remediation portal to download
the requisite application, patches and hotfixes. Or you could display a simple message to contact support or IT.

Finally, if you use a persistent OnGuard agent you can auto-remediate the client to automatically enable a firewall, update
the anti-virus software or disable peer to peer applications.

The OnGuard agent is available in a dissolvable agent form and a persistent agent form. The dissolvable agent is web
based and does not require the user to install a permanent OnGuard application on their device. The persistent agent
installs an application on the user’s device.

There are some advantages to using the persistent agent, such as auto-remediation capabilities, which are not possible
with the dissolvable agent. Remember that auto-remediation helps to resolve the client’s issues by automatically enabling
or disabling a function such as a firewall.

The OnGuard agent can gather health from Windows, Mac OSX and Linux clients. Furthermore, the OnGuard agent
performs a large range of posture checks, including checking for peer to peer applications, virtual machines, USB device
presence, etc. In light of this, most users choose to implement the OnGuard agent for posture analysis.

It is helpful to understand how an OnGuard agent interacts with ClearPass for troubleshooting. When you install the
OnGuard agent a config file called “agent.conf” is automatically installed. The config file instructs the agent which network
interfaces to monitor on the client and includes information on how to contact the ClearPass cluster.

When the OnGuard agent goes active it reads the config file and begins to monitor the client’s network interface. If the
agent sees one of the monitored interfaces connect to a network it will run a complete system scan and then attempt to
contact ClearPass.

If the agent can contact ClearPass it will upload the System Health Validation report. However, if the agent cannot
contact ClearPass at one of the IP addresses in the config file, the agent will go back to sleep for a time and try again.

A service inside of ClearPass will handle the request from the agent and match the System Health Validation report up to
a Posture Policy assigned to the service. The posture policy assigned to the service will analyze the System Health
Validation report and assign the proper token to the client endpoint.

If there are any auto-remediation instructions in the service, ClearPass will send them to the agent to implement.

As with other ClearPass features, ClearPass Posture Enforcement starts with an agent sending a service request to the
Policy Manager. You need to configure a Web Based Health Check service to handle this request. The service applies the
posture policy which you will add to the service. When creating the service, select the “Posture Compliance” option to
add the Posture tab to the service.

When configuring the service, you will need to go to the Posture tab and select a Posture Policy that will apply to the
agent’s System Health Validator report. The Posture tab also has the Default Posture Token and remediation settings.

False: Tokens are simply a piece of information just like ClearPass roles. ClearPass records the posture token for the
endpoint but in order to do anything with the token you will need to write an enforcement rule to evaluate the posture status.

The answer is “True”


You can configure the posture policies in the sidebar menu under Configuration – Posture – Posture Policy. Here you can
configure multiple posture policies for different operating systems and different networks or network requirements.

A service can have more than one posture policy assigned as long as no two of the Posture Policies qualify for the
same client. When configuring the posture policy you will define the System Health Validator checks the agent needs to
perform. You will also set up any instructions for remediation and rules for applying the Posture Tokens.

When adding a new posture policy you will need to give the policy a name and then select which operating system the
agent will run on.

There is also an option to restrict the policy to only certain ClearPass roles. This would be useful where one set of
restrictions applies to a general user and another set of restrictions applies to a contractor. Based on identifications and
role assignments, ClearPass could instruct the agent differently depending on the user type.

The Posture Policy has two configuration tabs: one for the Posture Plugins and the other for the Rules.

On the Posture Plugins tab you will need to configure one of the plugins. The ClearPass Windows Universal System
Health Validator interfaces with the OnGuard agent. The Windows System and Windows Security Validator interface with
the Windows NAP agent.

Selecting the Configure button opens the configuration page. The first configuration step for the System Health Validator is
to select the operating system.

In this example you can see the Windows Universal Health Validator and the operating systems that the current version
supports. You can set up more than one operating system in the same policy. During the Web Based Service process
ClearPass will apply the correct policy for the operating system.

Once you have enabled the desired operating system, you will need to expand the different settings menus and configure
the options required.

Many of the settings have the option to allow the system to check for a specific product and version or you can just check
for any valid product.

If you want the agent to auto-remediate different features you will need to select auto-remediation in the settings as well
as configure auto-remediation in the service. The auto-remediation setting in the service just executes the settings you’ve
configured.

The OnGuard agent has an option for messaging where you can configure a user notification message that pops up on the
user’s screen telling them what they are in violation of, in this example the firewall. You can also configure a quarantine
message that gets sent when the quarantine token is applied.

You can apply OnGuard tokens through a set of rules. These rules are relatively simple in scope.

You have the option for “Passes all SHV checks”, “Passes one or more SHV checks”, “Fails all SHV checks”, or “Fails
one or more SHV checks”. Aruba recommends you do not assign the Transient token and the Unknown token as the
system uses these.
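
The token handling covered so far (the four SHV rule conditions, the system-reserved Transient and Unknown tokens, the five-minute token expiry, and enforcement rules that read the token) modelled in Python as an added example. It is not ClearPass code or a ClearPass API; the class names, the enforcement profile names, the first-match rule order and the Unknown default token are assumptions of this model.

```python
from enum import Enum

Token = Enum("Token", "HEALTHY CHECKUP TRANSIENT QUARANTINE INFECTED UNKNOWN")
TOKEN_TTL = 5 * 60  # seconds without an agent update before a token expires

# The four rule conditions, applied to {check_name: passed} SHV results.
CONDITIONS = {
    "passes_all": lambda r: all(r.values()),
    "passes_one_or_more": lambda r: any(r.values()),
    "fails_all": lambda r: not any(r.values()),
    "fails_one_or_more": lambda r: not all(r.values()),
}

class PosturePolicy:
    def __init__(self, rules, default=Token.UNKNOWN):
        for cond, token in rules:
            if cond not in CONDITIONS:
                raise ValueError(f"unknown condition: {cond}")
            if token in (Token.TRANSIENT, Token.UNKNOWN):
                # Used by the system itself, so this model rejects them in rules.
                raise ValueError(f"{token.name} must not be assigned by a rule")
        self.rules, self.default = list(rules), default

    def evaluate(self, shv_results):
        if not shv_results:  # empty report: all() would be vacuously true
            return self.default
        for cond, token in self.rules:  # first matching rule wins (assumption)
            if CONDITIONS[cond](shv_results):
                return token
        return self.default

class PolicyCache:
    """Per-endpoint token that falls back to Unknown after TOKEN_TTL."""
    def __init__(self):
        self._entries = {}  # mac -> (token, time of last agent update)

    def update(self, mac, token, now):
        self._entries[mac] = (token, now)

    def token(self, mac, now):
        token, seen = self._entries.get(mac, (Token.UNKNOWN, now))
        return token if now - seen < TOKEN_TTL else Token.UNKNOWN

# Hypothetical enforcement profile names; tokens not listed get limited access.
PROFILES = {
    Token.HEALTHY: "employee-full-access",
    Token.CHECKUP: "employee-full-access",
    Token.QUARANTINE: "remediation-only",
    Token.INFECTED: "deny-access",
}

def enforce(token):
    return PROFILES.get(token, "limited-until-health-check")

def demo():
    policy = PosturePolicy([("passes_all", Token.HEALTHY),
                            ("fails_one_or_more", Token.QUARANTINE)])
    cache, mac = PolicyCache(), "00:11:22:33:44:55"  # constructed endpoint
    seen = [enforce(cache.token(mac, 0))]  # connected, agent not yet checked in
    cache.update(mac, policy.evaluate({"firewall": True, "antivirus": True}), 10)
    seen.append(enforce(cache.token(mac, 60)))
    cache.update(mac, policy.evaluate({"firewall": False, "antivirus": True}), 120)
    # Quarantined while fresh, then Unknown again after five silent minutes.
    seen += [enforce(cache.token(mac, t)) for t in (130, 120 + TOKEN_TTL)]
    return seen
```

The empty-report branch matters because "passes all" over zero checks is vacuously true, so without it an agent that reported nothing would be scored Healthy.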


The OnGuard agent is a lightweight software application. There are versions for Windows®, Mac OS® or Ubuntu Linux®.
For convenience, ClearPass has the installers embedded in the application. To gain access to the settings and the
installers, navigate to Administration: Agents and Software Updates and select OnGuard Settings.

On the Settings tab you will find information about the agent versions as well as other settings.

The OnGuard agent has the option to install the Aruba VIA component. If installed, the Aruba VPN client is embedded into
the OnGuard agent. While installing the agent you may be warned that any existing older Aruba VIA installations will be
removed. You can reinstall these after the OnGuard installation.

The OnGuard agent operates in one of three modes. The first mode is simply an authentication supplicant. The second
mode is the classic health check agent that will send health checks to ClearPass anytime the agent can connect to
ClearPass.

The final mode is a combination of the other two modes where the agent operates as a supplicant, collecting credentials
from the user to authenticate into ClearPass and then sending health checks and updates.

The settings screen is also where you configure the agent to monitor wired or wireless, and VPNs or other network
interfaces.

The OnGuard agent installer is simple and intuitive with very little input. The user will need to select a language and then
select Next to complete the installation.

On the final screen you will have the option to run the OnGuard agent. If not, the agent will run the next time the system
reboots and will continue to run on subsequent reboots.

Once the OnGuard agent launches you can minimize it to the system tray while it runs. If you select Restore you will be able
to see some of the tools available for troubleshooting. The main screen will contain the health status and connection details,
which is a running log.

In the agent the diagnostics screen has a drop-down list with a few tests that you can run. The most useful is the
connectivity test allowing you to test the OnGuard agent’s ability to connect to the ClearPass server.

If you have firewalls in your environment between the client and ClearPass you will need to open TCP Port 6658 for the
heartbeat and TCP port 443 for the agent to communicate with ClearPass.

The correct answers are A, B, and D. The posture tab in the service actually executes the auto remediation. And ClearPass
takes no enforcement action such as a terminate session inside the policy.


Monitoring OnGuard is simple with the built-in ClearPass tools. In the Access Tracker you are able to gather all of the
information that the client agent sends to ClearPass. Under OnGuard Activity you can review a summary of the profile
information as well as send active clients a message. You can also force clients to bounce their network connection,
causing a new connection to the network and re-authentication. Finally, with endpoint policy caching ClearPass allows you
to see the actual status that’s assigned to the endpoint.

When you open the Request Details option for your endpoint’s system health request in the Access Tracker, the first thing
you will see is the System Posture status. You will also be able to tell which service processed the request and if any
Enforcement Profiles were executed.

While you are still in the Access Tracker you can select the Input tab and ClearPass will show you all of the posture request
data. This is a good way to see exactly what the agent sent to ClearPass.

On the Access Tracker Output tab ClearPass exposes the results of the service process. You will be able to tell what the
posture response was, the results of the evaluation and any responses ClearPass sent to the agent.

In the monitoring sidebar menu, there is a dashboard for OnGuard activity under Live Monitoring. This dashboard will
show you all of the clients that have sent ClearPass a health check.

This dashboard is a great place to look for a lot of information about your endpoints. You can see the details about the
agent, the operating system on the client, the last time that there was a health check and what the results were.

In the OnGuard Activities - Agent and Endpoint Details window you can select the Posture Info tab which will show you all
the same health check information that’s exposed in the Access Tracker.

From the OnGuard activity dashboard you can select one or more endpoints and send a message.

This function pops up a window on the client and displays the message or web link that you have sent.

In the OnGuard Activity dashboard you also have the option to send a notification. The main difference between sending a
message and sending a notification is that with notifications you can also execute an action. This could be bouncing the
network interface on the client or restarting the session, forcing the client to re-authenticate.

When you send an agent bounce action, you are actually instructing the ClearPass OnGuard Agent to disable and then
re-enable the network interface. It has the same effect as when the user goes into network settings and right-clicks on the
interface and selects “Disable” and then right-clicks again and selects “Enable”.

When you find and open the endpoint in the Identity: Endpoints Database, there may be a policy cache tab listed. Please
note that the policy cache is temporary and has a five-minute expiration time. Any time ClearPass assigns a role or posture
token to the endpoint it will update this policy cache, which will expire in five minutes.

See the Lab Guide for complete instructions.

Lab 11 walks you through configuring OnGuard for posture checks and status. You will need to build a posture policy to
instruct the agent on what metrics to monitor. In enforcement, at this point all we're doing is reading the posture token
and sending a message to the client. There is a WEBAUTH service required for processing the system health validation
from the agent. And finally the agent will need to be configured and deployed.


In task 1, you created a posture policy to check for the firewall enabled on Windows 10. This same posture policy also
assigns the posture token when interfacing with the OnGuard agent.

Enforcement profiles are the action items in ClearPass. The agent enforcement communicates with the OnGuard agent
and in this lab just sends a message. The enforcement profiles can be configured to also instruct the agent to bounce the
network interface; this is helpful with health check enforcement on wired interfaces.

In the enforcement policy you implemented a set of rules that evaluate the status of the token and apply one of your profiles.
If the posture policy sets a healthy token then the agent healthy profile sends a message welcoming the client to the network.
However, if the posture policy sets the token to quarantined then the agent gets a message informing them that they are
not in compliance.

In the health check service, you configured the service to process all health checks and to apply the posture policy that you
had created. Take note that even though this is a health check service you still had to add the posture tab to the service in
order to apply the correct posture policy.

In this task you are asked to connect to the wireless client and access the secure wireless network, then log in to ClearPass
as an administrator and download the agent from the Agents and Software Updates section. In a production environment
this would not be practical; however, there are many ways, such as a captive portal page or group policy, to push the agent
to the client.

In this task you are able to test your OnGuard configuration, test the agent, and do some diagnostics.

Congratulations! You now understand the basics for how ClearPass assigns a token to an endpoint. You also learned how
to configure the OnGuard agent in ClearPass.
