CPE 6.7 MOD 12 – 1
Aruba Networks, a Hewlett Packard Enterprise company.
CPE 6.7 MOD 12 – 2
CPE 6.7 MOD 12 – 3
Upon completion of this module you will understand how to incorporate health checks into authentication services and the differences between health check enforcement on layer 3 authenticated networks and layer 2 authenticated networks. You will be able to configure a captive portal authentication service with OnGuard health checks and an 802.1X authentication service with OnGuard health checks.
CPE 6.7 MOD 12 – 4
With so many organizations utilizing endpoint compliance policies, it can seem like an impossible task to keep up with all the different systems. By automating the investigation process and integrating it into your authentication flow, ClearPass with OnGuard will help you easily and reliably meet the needs of your organization.

In the first section you will investigate the OnGuard authentication workflow and see the points at which you can integrate OnGuard information into your services. Then you will look at the different ways you can use OnGuard in your enforcement rules.
CPE 6.7 MOD 12 – 5
CPE 6.7 MOD 12 – 6
When you are implementing authentication methods that use the posture status as part of your enforcement profiles, you must understand where in the process the posture status can be acquired. When a new client connects to the network, its posture token will always start as UNKNOWN.

If you are executing a layer 3 captive portal authentication, it is easy for ClearPass to gather the system health validation report before the client actually executes the captive portal. By properly formatting the pre-authenticated role or ACLs applied to the guest port or SSID, the client can get an IP address and the agent can send a health validation to ClearPass while the client is still in a limited-access pre-authentication state. In this way, all the necessary information has been gathered by the time of authentication.

This is not the case with 802.1X authentication, which starts in a blocking state and only allows layer 2 authentication traffic to ClearPass. The client cannot get an IP address until it has passed authentication, which means the agent cannot send in a health validation. ClearPass will not have the health validation report when it evaluates the enforcement rules.
CPE 6.7 MOD 12 – 7
When considering the workflow for OnGuard, you have to take into account which agent you're looking at. If you're using the persistent agent, then regardless of the network connection the agent is installed on the system and will activate and run its health checks as soon as it notices that the client has an IP address on one of the network connections it is monitoring. This means that the persistent agent is always actively attempting to find a connection to ClearPass OnGuard.

The dissolvable agent is embedded in a web page and passed to the client. This means that there is no agent installed on the client; instead, the client is prompted by a captive portal web page to execute the health check. The dissolvable agent can be used in conjunction with guest networks and with Onboarding, where the health check will happen before the user is allowed to place their BYOD device onto the network. The key with the dissolvable agent is that the client must be granted access to the network before the agent is pushed out to the client.
CPE 6.7 MOD 12 – 8
While this is not very often used, it is worth discussing the actions of the persistent agent on open or limited-access networks. On the guest network, when a client first connects to the open guest SSID it is placed in a pre-authenticated role and granted layer 3 access, allowing it to get an IP address and send limited TCP traffic on the network.

With the limited role on the Network Access Device (NAD), the client will be able to get an IP address and make the necessary connections for the agent to send the system health validation report. The ClearPass WEBAUTH service will read the health validation report from the agent and update the posture token.

Next the client will request the captive portal, and the user will fill out the login form, which then gets posted to the NAD.

The NAD will send a RADIUS request on behalf of the guest client. The guest service will handle this request in Policy Manager. Because ClearPass has already updated the endpoint's profile status, the guest service will have that available to help make its decision.

Based on the full context of the endpoint, ClearPass is able to make an enforcement decision, such as granting guest access.
CPE 6.7 MOD 12 – 9
A more common use of the persistent agent is on organization-managed laptops with layer 2 authentication into the network. When a client first requests access, the Network Access Device will block everything but layer 2 authentication traffic. This allows the client to send authentication traffic to ClearPass but does not allow the agent to send in a health check.

The 802.1X service in ClearPass will evaluate the enforcement rules and, because the posture token is "unknown", will instruct the Network Access Device to grant limited access only.

With a limited role on the Network Access Device, the client will be able to get an IP address and make the necessary connections for the agent to send the system health validation report.

The WEBAUTH service on ClearPass will read the health validation report from the agent and update the posture token. You will need to configure the WEBAUTH service to send a terminate session message to the Network Access Device, forcing the client to re-authenticate.

It is important to note here that the posture token must be cached in the service so the updated token is available for the second authentication. If you do not select the Cached Policies and Roles option on the 802.1X service Enforcement tab, the new posture status will be lost when the client re-authenticates.

When the client sends its second authentication, the 802.1X service in ClearPass will re-evaluate the enforcement rules and, this time because of the cached posture token, will assign the client a new role and grant full access.
CPE 6.7 MOD 12 – 10
The dissolvable agent can be used with guest networks or other limited-access networks with a captive portal. When a client first connects to the network it is placed in a pre-authenticated role and granted layer 3 access, allowing it to get an IP address and send limited TCP traffic on the network. This limited-access role is also configured to execute a captive portal redirect, which can be for guest authentication or for other portal-based services such as Onboard.

With the limited role on the Network Access Device (NAD), the client will be able to get an IP address and can pull up the captive portal page.

The captive portal page will send out the dissolvable agent and give the client the option to run a health check. The page can be customized to include information such as why they need to run the health check and what the implications would be if they don't, such as not being granted access to the network.

The dissolvable agent will run a one-time scan on the client system and then upload the system health validation report to ClearPass, where it has to be processed by a WEBAUTH health check service, and the proper tokens will be assigned.
CPE 6.7 MOD 12 – 11
When using the dissolvable agent with an 802.1X network, you have to understand how the agent gets deployed. Because the agent operates through a web page, you have to deploy that web page to the client to run the health check. With 802.1X authentication and the dissolvable agent, the client needs to be granted a limited-access role that contains a captive portal redirect to the web page for the agent.

The process starts with a basic 802.1X authentication and enforcement based on the Unknown posture token, which will place the client in a captive portal enabled role.

With the client in the captive portal role, when they attempt to browse a website they will be redirected to the page with the dissolvable agent.

The captive portal page will push out the agent, and the client will be informed of the need to run the agent and given the option to run it.

The agent will run on the client's machine and upload the system health validation report to ClearPass, where it will be processed by a WEBAUTH service. The appropriate posture token will be assigned, and a RADIUS Dynamic Authorization will be executed, forcing the client to re-authenticate.

When the client authenticates a second time, the service will have the previously set posture token cached, and new enforcement can be executed based on the token.
CPE 6.7 MOD 12 – 12
Here is an example of an enforcement policy where the posture token is used as part of the decision-making process. It is best practice to evaluate the posture tokens in enforcement and not in role mapping assignments.

Remember, you need a WEBAUTH service to process the health check, since OnGuard sends the health information using HTTPS. To use the posture tokens obtained from the WEBAUTH service in an 802.1X service, you need to reference the cached device data obtained from the health check service.

You can do this by enabling the use of cached posture attributes in the 802.1X service.
CPE 6.7 MOD 12 – 13
In the policy flow with posture, when a user connects to the network using 802.1X authentication, the 802.1X service processes the authentication request.

Initially, the device posture token is Unknown, so an Enforcement Profile of Quarantine Role or VLAN is assigned to the client.

The client completes a health check using either the persistent or dissolvable OnGuard agent, and the WEBAUTH service is used to communicate the health information. In this case, it results in a Healthy posture token. The WEBAUTH service returns a RADIUS Dynamic Authorization Enforcement Profile, forcing the user to re-authenticate and run through the service flow again.

The client re-authenticates and the 802.1X service processes the request again. However, this time the posture token is Healthy because of the completed health check, and a corresponding Enforcement Profile matches. Therefore, ClearPass sends a full access role or VLAN to the client.
CPE 6.7 MOD 12 – 14
Now, take a look at each of these steps individually in ClearPass, starting with the device's first authentication to the 802.1X network.

When the device first authenticates, it hasn't completed a posture check yet and is assigned a posture status of UNKNOWN.

The client is assigned to a quarantine VLAN based on the Enforcement Policy conditions that match the posture status.
CPE 6.7 MOD 12 – 15
Next, the OnGuard persistent agent activates and performs a health check, triggering the WEBAUTH service.

The WEBAUTH service returns a HEALTHY posture token. ClearPass processes the Enforcement Profile and sends a RADIUS CoA Terminate Session message to the NAD. This causes the client to disconnect from the network, forcing re-authentication.
CPE 6.7 MOD 12 – 16
The client completes another 802.1X authentication and matches the 802.1X service. This time the system posture token is HEALTHY, as it is cached from the previous WEBAUTH request. Based on the updated posture token, ClearPass assigns the "employee VLAN" Enforcement Profile to the client.
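The following Python model is an added example, not part of the original module and not ClearPass's own code. It walks through the 802.1X persistent-agent flow described on the slides above (UNKNOWN token, quarantine role, WEBAUTH health report, CoA Terminate Session, second authentication against the cached token) and lets you toggle the two settings the notes call out: whether the WEBAUTH service sends the terminate session, and whether the 802.1X service keeps cached results. The service and role names, the MAC address and the rule that the persistent agent can only report once a role has given it an IP address are constructed for illustration.

```python
"""Constructed simulation of the ClearPass 802.1X + OnGuard posture flow.

Illustrative model only, not ClearPass code: role names, the MAC address and
the agent's reachability rule are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

UNKNOWN, HEALTHY, QUARANTINE = "UNKNOWN", "HEALTHY", "QUARANTINE"
QUARANTINE_ROLE, FULL_ACCESS_ROLE = "quarantine VLAN", "employee VLAN"  # constructed names


@dataclass
class Endpoint:
    mac: str
    posture: str = UNKNOWN          # posture token held in the endpoint's policy cache
    role: Optional[str] = None      # role the NAD currently applies; None = no session
    auth_count: int = 0


@dataclass
class NAD:
    """Network Access Device: holds the client session and applies the returned role."""
    endpoint: Endpoint
    events: List[str] = field(default_factory=list)

    def apply_role(self, role: str) -> None:
        self.endpoint.role = role
        self.events.append(f"Access-Accept role={role}")

    def coa_terminate_session(self) -> None:
        # RADIUS CoA Terminate-Session: the client is disconnected and must re-authenticate.
        self.endpoint.role = None
        self.events.append("CoA Terminate-Session")


def dot1x_service(ep: Endpoint, nad: NAD, cached_results: bool) -> str:
    """802.1X service: posture-based enforcement on the token in the cache.

    With "Cached Results" disabled, the endpoint's policy cache is cleared each
    time the service runs, so the token seen here reverts to UNKNOWN.
    """
    if not cached_results:
        ep.posture = UNKNOWN
    ep.auth_count += 1
    role = FULL_ACCESS_ROLE if ep.posture == HEALTHY else QUARANTINE_ROLE
    nad.apply_role(role)
    return role


def persistent_agent_can_report(ep: Endpoint) -> bool:
    # Before the first 802.1X result the port passes only layer 2 auth traffic:
    # no IP address, so the agent cannot reach ClearPass over HTTPS.  Any applied
    # role (even quarantine) gives the client an IP address and lets the report through.
    return ep.role is not None


def webauth_service(ep: Endpoint, nad: NAD, report_healthy: bool, send_terminate: bool) -> str:
    """WEBAUTH health-check service: store the token, optionally CoA the session."""
    ep.posture = HEALTHY if report_healthy else QUARANTINE
    if send_terminate:
        nad.coa_terminate_session()
    return ep.posture


def run_flow(cached_results: bool = True, send_terminate: bool = True,
             report_healthy: bool = True) -> Tuple[str, str]:
    """Return the role granted at the first and at the final 802.1X authentication."""
    ep = Endpoint(mac="00-11-22-33-44-55")  # constructed MAC
    nad = NAD(ep)
    first = dot1x_service(ep, nad, cached_results)        # UNKNOWN -> quarantine
    if persistent_agent_can_report(ep):
        webauth_service(ep, nad, report_healthy, send_terminate)
    if ep.role is not None:
        # No CoA was sent: the client keeps its quarantine session and never
        # re-authenticates, so the updated token is never acted on.
        return first, ep.role
    second = dot1x_service(ep, nad, cached_results)       # re-auth with cached token
    return first, second


if __name__ == "__main__":
    for kwargs in ({}, {"cached_results": False}, {"send_terminate": False}, {"report_healthy": False}):
        print(kwargs or "defaults", "->", run_flow(**kwargs))
```

Running the script prints the role granted at the first and last authentication for each configuration. Only the default case (cached results on, terminate session sent, healthy report) ends with the client in the employee VLAN, and the two misconfigurations fail in different ways: without the CoA the client stays in quarantine holding a HEALTHY token nobody acts on, and without cached results the second authentication sees UNKNOWN again.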
CPE 6.7 MOD 12 – 17
This is false: the OnGuard agent uses TCP port 443 to transfer health validation reports to ClearPass. It does not use port 80, which is not secure. It does use TCP port 6658 for its heartbeat.
CPE 6.7 MOD 12 – 18
CPE 6.7 MOD 12 – 19
The posture tokens really amount to a go / no-go evaluation. When ClearPass assigns a posture token it uses one of four generic rules. However, these rules do not discern which metrics the client health check passed or failed.
CPE 6.7 MOD 12 – 20
When doing RADIUS enforcement based on the posture token, the easiest method is to use the WEBAUTH service to assign a healthy token to a client that passes all of the posture metrics, and a quarantined token to any client that fails one or more of the posture metrics. This produces a relatively simplistic evaluation, but it can be quite effective when the posture policies are kept simple.

For example, if the posture policy is made up of multiple metrics, you would have no indicator of which test the client failed and no way to treat clients differently based on which test they failed.
CPE 6.7 MOD 12 – 21
You can have ClearPass treat clients that fail various health check metrics in different ways. For example, suppose you had a posture policy that checked for up-to-date antivirus software, that the firewall is enabled, and that the client is not running peer-to-peer software. Any client that failed one of these three checks would be assigned a QUARANTINE posture token.

However, what if you don't want to treat all three of these conditions the same? Perhaps the antivirus just needs to get to the internet to update its software, or the firewall is out of compliance but is not dangerous to the network. It would be most efficient to assign a simple quarantine VLAN or send a message to the user telling them that they need to enable their firewall. However, the peer-to-peer software poses a threat to the network, and you will want to deny access.
CPE 6.7 MOD 12 – 22
ClearPass can evaluate each of the health check metrics individually and give you the ability to write enforcement based on which tests the client failed. In your enforcement policies, the first thing you'll want to evaluate is which posture policy was applied to the client. This ensures that the metric you expect to see is part of the tests that were run. The condition Posture: Applied Policy: EQUALS: {Name Of Posture Policy} will ensure that you are evaluating the correct policy metrics.

Once you've established which posture policy is being used, you can select the type of policy, for example Posture: Windows Universal. Then you can evaluate the different names of the policy metrics. Once you find the metric you want to evaluate, the comparison is simply whether it is healthy or unhealthy; in other words, did it pass or fail the test.
CPE 6.7 MOD 12 – 23
In this example you have the best of all worlds. If the client gets a healthy token, you know that it has passed all of its health checks and should be allowed access to the network. However, if the client's token is not healthy, it will fail the first rule and then be evaluated against the other three.
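As an added example (not configuration from the module or a ClearPass export), the following Python script models the first-match enforcement evaluation the preceding slides describe: one rule on the overall posture token, followed by per-metric rules that each check Posture: Applied Policy first and then a single metric for healthy or unhealthy. The attribute strings, the policy name "Corp Windows Posture" and the profile names are constructed to mirror the wording of the slides rather than ClearPass's exact attribute dictionary.

```python
"""Constructed model of a ClearPass-style enforcement policy that evaluates
individual posture metrics.  Attribute names mirror the slide text
("Posture: Applied Policy", "Posture: Windows Universal: <metric>") but are
illustrative, not ClearPass's exact dictionary.
"""

POLICY_NAME = "Corp Windows Posture"               # constructed posture policy name
DEFAULT_PROFILE = "Deny Access (default profile)"  # constructed default profile name


def build_posture(applied_policy, antivirus, firewall, peer_to_peer):
    """Posture attributes for one endpoint as they would be cached after the
    WEBAUTH health check.  The overall token is the go/no-go result: HEALTHY
    only when every metric passed, otherwise QUARANTINE."""
    metrics = {
        "Posture:Windows Universal:Antivirus": antivirus,
        "Posture:Windows Universal:Firewall": firewall,
        "Posture:Windows Universal:Peer-to-Peer": peer_to_peer,
    }
    for value in metrics.values():
        if value not in ("healthy", "unhealthy"):
            raise ValueError(f"metric result must be healthy/unhealthy, got {value!r}")
    token = "HEALTHY" if all(v == "healthy" for v in metrics.values()) else "QUARANTINE"
    return {"Tips:Posture": token, "Posture:Applied Policy": applied_policy, **metrics}


# Enforcement rules, top to bottom, first match wins.  Each rule is
# (list of (attribute, operator, value) conditions, enforcement profile).
# The peer-to-peer rule sits above the milder ones so that a client failing
# P2P and, say, the firewall check is still denied rather than quarantined.
RULES = [
    ([("Tips:Posture", "EQUALS", "HEALTHY")], "Full Access"),
    ([("Posture:Applied Policy", "EQUALS", POLICY_NAME),
      ("Posture:Windows Universal:Peer-to-Peer", "EQUALS", "unhealthy")], "Deny Access"),
    ([("Posture:Applied Policy", "EQUALS", POLICY_NAME),
      ("Posture:Windows Universal:Antivirus", "EQUALS", "unhealthy")], "Remediation VLAN"),
    ([("Posture:Applied Policy", "EQUALS", POLICY_NAME),
      ("Posture:Windows Universal:Firewall", "EQUALS", "unhealthy")], "Quarantine VLAN"),
]


def condition_matches(condition, attrs):
    attribute, operator, expected = condition
    actual = attrs.get(attribute)  # a missing attribute never EQUALS anything
    if operator == "EQUALS":
        return actual == expected
    if operator == "NOT_EQUALS":
        return actual != expected
    raise ValueError(f"unsupported operator {operator!r}")


def evaluate(attrs, rules=RULES, default=DEFAULT_PROFILE):
    """Return the enforcement profile of the first rule whose conditions all match."""
    for conditions, profile in rules:
        if all(condition_matches(c, attrs) for c in conditions):
            return profile
    return default


if __name__ == "__main__":
    cases = {
        "all pass":        build_posture(POLICY_NAME, "healthy", "healthy", "healthy"),
        "firewall off":    build_posture(POLICY_NAME, "healthy", "unhealthy", "healthy"),
        "antivirus stale": build_posture(POLICY_NAME, "unhealthy", "healthy", "healthy"),
        "p2p + firewall":  build_posture(POLICY_NAME, "healthy", "unhealthy", "unhealthy"),
        "other policy":    build_posture("Guest Posture", "healthy", "unhealthy", "healthy"),
    }
    for name, attrs in cases.items():
        print(f"{name:16} token={attrs['Tips:Posture']:10} -> {evaluate(attrs)}")
```

Two things worth noticing when you run it: every non-healthy endpoint carries the same QUARANTINE token, so only the per-metric rules tell the cases apart; and the "other policy" endpoint falls through to the default even though its firewall metric is unhealthy, because the Applied Policy condition on each metric rule does not match.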
CPE 6.7 MOD 12 – 24
Keep in mind, if posture evaluation is a security-critical function you must evaluate the posture token in the enforcement rules, not in the role mappings. If you evaluate posture in role mappings, you run the risk of evaluating against cached attributes instead of the most current attributes.

Because of the way that ClearPass caches attributes against the endpoint for role mapping, the service may actually pull in a cached attribute and not the most current posture status attribute.
CPE 6.7 MOD 12 – 25
False: there is a way to implement metric-specific results in enforcement.
CPE 6.7 MOD 12 – 26
See the Lab Guide for complete instructions.
CPE 6.7 MOD 12 – 27
In this lab you will modify the 802.1X service so that the enforcement policy used by that service evaluates the status of the posture token for the corporate user's computer. This also requires that the WEBAUTH service be modified to always send a terminate session when there is a change of posture status, so that the layer 2 authentication service can re-evaluate the access rights for the client.
CPE 6.7 MOD 12 – 28
CPE 6.7 MOD 12 – 29
In task 1 the enforcement policy used in the 802.1X service for wireless is copied and then modified to add enforcement based on posture status for the corporate user computer only.
CPE 6.7 MOD 12 – 30
In task 2 you modified two aspects of the Enforcement tab: first, you added the new policy to the service; second, and often overlooked, you must use the "Cached Results" option. The Cached Results option ensures that the policy cache for the endpoint will not be cleared out each time ClearPass processes the service, so the new posture status is retained during the authentication process.
CPE 6.7 MOD 12 – 31
In this task you modified the health check service so that it adds the required terminate session actions/profiles to the enforcement. This ensures that when there is a change of posture status and the service executes the enforcement actions, it will disconnect the client, forcing the client to re-authenticate and perform a new evaluation of its access.
CPE 6.7 MOD 12 – 32
During testing you got to see how Access Tracker can help you evaluate and troubleshoot both the 802.1X service and the WEBAUTH service for health checks.
CPE 6.7 MOD 12 – 33
Congratulations! You now understand how OnGuard gives you all the tools required to incorporate endpoint compliance health checks into your authentication process. You should now be able to configure effective authentication services in ClearPass that incorporate health check results in enforcement.
CPE 6.7 MOD 12 – 34
The lab provides a hands-on environment where students can practice concepts learned in the module. Additional lab time, beyond that provided as part of any originally packaged learning experience, is available here…

The Support Center provides a comprehensive set of essential resources, including a Knowledge Base with search and answers to frequently asked questions. Also, find the right tool, utility, lifetime warranty software, and documentation.

Validated Reference Designs (VRDs) enable rapid deployment solutions with proven designs for common customer scenarios.

Connect with people, get answers to questions, learn and help solve problems in the AirHeads Community. Working professionals with a wide array of backgrounds and experience are ready to lend a hand.