  • 1.  Clearpass OnGuard agent bounce whenever the posture token changes

    Posted Mar 25, 2026 10:22 AM

    I was trying to complete a test for ClearPass. So, the OnGuard bounce should happen only when the posture token changes and only if the user comes to the office in the morning. I followed this link to achieve that: https://support.hpe.com/hpesc/public/docDisplay?docId=sf000094532en_us&docLocale=en_US&page=index.html, but the time-based authorization is not working.

    If someone has any ideas to solve this issue, that would be really helpful.



    -------------------------------------------


  • 2.  RE: Clearpass OnGuard agent bounce whenever the posture token changes

    Posted Apr 01, 2026 03:44 AM

    As there seems to be no response to this question, it may be best to open a TAC case. With custom configuration like this, you would need to understand and check step by step what information is present and what is not, and from there find the missing link to solve it. If the time source does not show up, it can be a configuration error, or the attribute not being used in a role mapping or enforcement, or your role mapping using first-match instead of evaluate-all, causing the attribute not to be used. And there are many other possible cases which are much easier to find and solve with interactive access to the ClearPass server.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: Clearpass OnGuard agent bounce whenever the posture token changes

    Posted Apr 14, 2026 07:02 AM

    Hi Herman,

    Thanks for your reply. I've resolved the issue now.

    -------------------------------------------



  • 4.  RE: Clearpass OnGuard agent bounce whenever the posture token changes

    Posted Apr 06, 2026 02:03 PM

    Hello Karthikeyan. 

    We do this by creating a custom endpoint dictionary attribute called "Last Health Status" that is updated after a health check. In the enforcement part of the health check, we compare the current health to this entry and only bounce if they are different.

    Hope that helps.

    Sincerely,

    RK

    -------------------------------------------



  • 5.  RE: Clearpass OnGuard agent bounce whenever the posture token changes

    Posted Apr 14, 2026 07:02 AM

    Hi RK,

    Thanks for your reply. I've resolved the issue now.

    -------------------------------------------



  • 6.  RE: Clearpass OnGuard agent bounce whenever the posture token changes

    Posted Apr 14, 2026 08:36 AM

    Can you (briefly) share what was the fix, or what was the key to get to the solution, and how you got there?

    Others may learn from it.



    ------------------------------
    Herman Robers
    ------------------------------



  • 7.  RE: Clearpass OnGuard agent bounce whenever the posture token changes
    Best Answer

    Posted Apr 14, 2026 09:12 AM

    Initially, the approach was incorrect. The following describes the final, working solution implemented to effectively manage posture status in ClearPass.

    • Custom Attribute Creation
      • A custom endpoint attribute, Last_Posture_Status, was created to store the endpoint's previous posture state.
    • Enforcement Profiles
      • Two post-authentication enforcement profiles were configured:
        • Healthy – Updates the endpoint attribute when the posture status is Healthy.
        • Unknown – Used to reset the posture status when the user connects the next day or after 12 hours/cache timeout.
    • Posture Status Update
      • When OnGuard returns a Healthy posture token, the Healthy enforcement profile updates the Last_Posture_Status attribute to Healthy.
      • This enforcement profile is applied within the WebAuth service used by OnGuard, ensuring that once the posture token transitions to Healthy, the endpoint attribute is updated accordingly.
    • Posture Token Limitation
      • The posture token is not automatically cleared, which can result in the previous posture state being retained.
    • 802.1X Policy Behavior
      • A cache period of 12 hours is configured. Once the cache expires and the user attempts to reconnect to the network, the endpoint is placed into the initial role.
      • At this stage, the Unknown enforcement profile is applied, ensuring that these endpoints are forced through posture re-evaluation.
    • Policy Logic
      • An enforcement policy is configured to compare:
        • Last_Posture_Status and the current posture status
    • Decision logic:
      • If Last_Posture_Status = Healthy and current posture status = Healthy → No bounce required
      • If the posture changes, or becomes Healthy or Quarantine → Trigger a bounce
      • If Last_Posture_Status = Unknown → No bounce; keep them on the initial role
    -------------------------------------------
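
The compare-and-bounce logic from the replies above (RK's "Last Health Status" attribute and the Last_Posture_Status flow in the best answer), as an added Python model that is not part of the thread and is not ClearPass configuration. The Endpoint class, function names, role names and timeline are constructed; the model assumes the attribute is rewritten after every health check and that the 12-hour cache runs from the last health result.

```python
from datetime import datetime, timedelta

CACHE_TTL = timedelta(hours=12)   # cache period given in the thread
ROLES = {"Healthy": "healthy", "Quarantine": "quarantine"}  # constructed names

class Endpoint:
    """Constructed stand-in for one endpoint record; not ClearPass code."""
    def __init__(self):
        self.last_posture_status = "Unknown"  # models Last_Posture_Status
        self.checked_at = None                # time of the last health result
        self.role = "initial"

def dot1x_auth(ep, now):
    """802.1X step: expired cache -> Unknown profile, initial role, no bounce."""
    if ep.checked_at is None or now - ep.checked_at >= CACHE_TTL:
        ep.last_posture_status = "Unknown"
        ep.checked_at = None
        ep.role = "initial"
    return ep.role

def health_check(ep, token, now):
    """WebAuth step: compare stored and current token; True means bounce."""
    changed = token != ep.last_posture_status
    # Assumption: the attribute is rewritten after every health check
    ep.last_posture_status = token
    ep.checked_at = now
    if changed:
        ep.role = ROLES.get(token, "initial")
    return changed

def replay(events):
    """Run (kind, time, token) events; return a list of (role, bounced)."""
    ep, out = Endpoint(), []
    for kind, when, token in events:
        if kind == "dot1x":
            out.append((dot1x_auth(ep, when), False))
        else:
            bounced = health_check(ep, token, when)
            out.append((ep.role, bounced))
    return out

T0 = datetime(2026, 4, 14, 8, 0)   # constructed timeline, one working day
TIMELINE = [
    ("dot1x", T0, None),                                   # morning connect
    ("health", T0 + timedelta(minutes=1), "Healthy"),      # becomes healthy
    ("health", T0 + timedelta(hours=1), "Healthy"),        # unchanged
    ("health", T0 + timedelta(hours=2), "Quarantine"),     # posture degrades
    ("health", T0 + timedelta(hours=3), "Healthy"),        # remediated
    ("dot1x", T0 + timedelta(hours=24), None),             # next morning
    ("health", T0 + timedelta(hours=24, minutes=1), "Healthy"),
]
```

Calling `replay(TIMELINE)` shows that the repeated Healthy check is the only health result that does not bounce, and that the next-morning 802.1X authentication resets the endpoint to the initial role before posture is re-evaluated.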