Security


Clearpass OnGuard - Execute Script upon Health status change and COA

  • 1.  Clearpass OnGuard - Execute Script upon Health status change and COA

    Posted Sep 26, 2025 03:13 AM

    Hi there,

    I was wondering if it is possible for Onguard to run a script on a machine after a device posture becomes "healthy" and the COA gives the device network access.

    To be clear, I want OnGuard to trigger the mount of network shares (net use) only after the device has access to the network. 

    Thank you in advance for the help.

    Cheers



    -------------------------------------------


  • 2.  RE: Clearpass OnGuard - Execute Script upon Health status change and COA

    Posted Oct 05, 2025 05:36 PM

    You can push dACL (Dynamic Access Lists) for example:
    If device is healthy -> push COA with a dACL which permits the Network Share Subnet/IP/Port

    If device is unhealthy -> push COA with dACL which denies the Network Share Subnet/IP/Port




    ------------------------------
    Shpat | ACEP | ACMP | ACCP | ACDP
    Just an Aruba enthusiast and contributor by cases
    If you find my comment helpful, KUDOS are appreciated.
    ------------------------------



  • 3.  RE: Clearpass OnGuard - Execute Script upon Health status change and COA

    Posted Oct 06, 2025 03:25 AM

    Hi @shpat,

    This is not the point.

    I want to trigger the mount of the shares, not allow / disallow access to the network where the share is located. The COA already does what you are saying, since my quarantine network doesn't have any access to the shares' network.

    -------------------------------------------



  • 4.  RE: Clearpass OnGuard - Execute Script upon Health status change and COA

    Posted Oct 06, 2025 04:02 AM

    If that's the case then:

    In ClearPass: Configuration -> Enforcement -> Profiles -> Add -> Template = Agent Script Enforcement. Upload/define your Windows script there. The OnGuard agent executes this after Agent Enforcement (after an optional Agent Bounce/CoA), so it will be the right hook for "If healthy -> Do this X".

    OnGuard agent executes this after Agent Enforcement (after an optional Agent Bounce/CoA), so it's the right hook for "now that I'm healthy, do X."



    ------------------------------
    Shpat | ACEP | ACMP | ACCP | ACDP
    Just an Aruba enthusiast and contributor by cases
    If you find my comment helpful, KUDOS are appreciated.
    ------------------------------



  • 5.  RE: Clearpass OnGuard - Execute Script upon Health status change and COA

    Posted Oct 06, 2025 05:20 AM

    Yes, that's precisely what I want to do thanks, I'll dig a little on this.

    Cheers

    -------------------------------------------



  • 6.  RE: Clearpass OnGuard - Execute Script upon Health status change and COA
    Best Answer

    Posted Oct 06, 2025 04:11 AM

    Hi,

    Just to be clear, there are three types of Custom Scripts that you can deploy using OnGuard. 

    1. Health Collection,
    2. Auto Remediation
    3. Agent Enforcement Enforcement Profile.

    Based on the information that you provided above I assume that you are going to be doing an Agent Enforcement Enforcement Profile, right?

    Technically you can achieve that.

    Here is a sample .ps1 script that will help you achieve that, but note that you will have to make adjustments. 

    # SimpleMapDrive.ps1
    $share = "\\fileserver\shared"
    $drive = "Z:"
    
    # Wait a few seconds to ensure network access after COA
    Start-Sleep -Seconds 10
    
    # Try to map the drive
    try {
        New-PSDrive -Name $drive.TrimEnd(':') -PSProvider FileSystem -Root $share -Persist -ErrorAction Stop
        Write-Host "Drive $drive mapped to $share successfully."
    }
    catch {
        # Include the underlying error so the failure can be troubleshot from the log
        Write-Host "Failed to map drive. Please check network access or credentials. Error: $($_.Exception.Message)"
    }
    

    When you have the script on the Endpoint, please also make sure that these attributes are filled in correctly.


    Lastly, you have to make sure that you have a local admin, or an admin user in any case, that will be able to execute this script on the Endpoint. This is located under Administration > External Accounts; click on Add, and it should be a Domain/WMI user.

    One thing left to do afterwards is to push this enforcement profile on the service that you are using and troubleshoot any issues from there.

    Hopefully this will answer your question.

    Cheers,

    Vigan

    -------------------------------------------
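A more defensive variant of the mapping script, added here as an example written for this thread (it is not Vigan's script and not HPE Aruba code): instead of sleeping a fixed 10 seconds it polls the file server on TCP 445 until the post-CoA access change actually lets traffic through, it is safe to re-run on every health re-evaluation, runs in the logged-on user's context without admin rights, and writes a log for the troubleshooting step. The share path, drive letter, timeout and log location are assumptions.

```powershell
# MapShareAfterCoA.ps1 (hypothetical name) - assumes the OnGuard Agent Enforcement
# profile runs it as the logged-on user after the endpoint is marked healthy.
param(
    [string]$Share       = '\\fileserver\shared',   # UNC path used in the thread
    [string]$DriveLetter = 'Z',
    [int]   $TimeoutSec  = 60,                      # bounded wait instead of a fixed sleep
    [string]$LogFile     = "$env:LOCALAPPDATA\OnGuardMapShare.log"
)

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $LogFile -Append -Encoding utf8
}

# Take the server name from the UNC path and poll SMB (TCP 445) until the CoA-driven
# VLAN/ACL change is in effect, or give up at the deadline.
$server    = ($Share -replace '^\\\\', '') -split '\\' | Select-Object -First 1
$deadline  = (Get-Date).AddSeconds($TimeoutSec)
$reachable = $false
while ((Get-Date) -lt $deadline) {
    if (Test-NetConnection -ComputerName $server -Port 445 -InformationLevel Quiet -WarningAction SilentlyContinue) {
        $reachable = $true; break
    }
    Start-Sleep -Seconds 3
}
if (-not $reachable) {
    Write-Log "ERROR: ${server}:445 not reachable within $TimeoutSec s; network access not granted yet?"
    exit 1
}

# Idempotent: OnGuard may run the enforcement script again on each health check.
$existing = Get-PSDrive -Name $DriveLetter -ErrorAction SilentlyContinue
if ($existing -and ("$($existing.DisplayRoot)".TrimEnd('\') -eq $Share.TrimEnd('\'))) {
    Write-Log "INFO: ${DriveLetter}: already mapped to $Share; nothing to do."
    exit 0
}
if ($existing) {
    Write-Log "WARN: ${DriveLetter}: is mapped elsewhere ($($existing.DisplayRoot)); leaving it alone."
    exit 2
}

try {
    # -Persist creates a normal mapped drive visible in Explorer; it uses the user's own
    # Windows identity for authentication, so no credentials are stored in the script.
    New-PSDrive -Name $DriveLetter -PSProvider FileSystem -Root $Share -Persist -Scope Global -ErrorAction Stop | Out-Null
    Write-Log "INFO: mapped ${DriveLetter}: to $Share"
    exit 0
} catch {
    Write-Log "ERROR: mapping $Share failed: $($_.Exception.Message)"
    exit 3
}
```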



  • 7.  RE: Clearpass OnGuard - Execute Script upon Health status change and COA

    Posted Oct 06, 2025 05:24 AM

    Thanks Vigan,

    Are you sure there is a need for an admin account? I previously used a custom script to detect some cert on a local machine at user level and it did not seem to be required.

    And since the laptops are LAPS-enabled, this will be nearly impossible to achieve.

    To me, the net use command doesn't need admin rights, and if there are no specific restrictions on executing PS scripts it should be doable?

    Thanks 

    -------------------------------------------



  • 8.  RE: Clearpass OnGuard - Execute Script upon Health status change and COA

    Posted Oct 06, 2025 06:09 AM

    Hi man,

    You are going to have to test that as per your environment.

    net use might not require admin privileges, but other parts of the script may.

    But again you can just test the script, and then troubleshoot from there. 

    If it works without an admin account, then you do not need to add the admin user account on the External Accounts tab.

    Cheers,

    Vigan

    -------------------------------------------



  • 9.  RE: Clearpass OnGuard - Execute Script upon Health status change and COA

    Posted Oct 07, 2025 11:37 AM

    @shpat @vigan Thank you very much, you both deserve the "best answer" but it's not possible, I'll choose vigan for providing the PS script, sorry shpat.

    @vigan It works well without admin rights (if the company policy allows it) with the below configuration and your script!

    Custom Agent Enforcement Script :

    Webauth Service for posture Check : 

    -------------------------------------------



  • 10.  RE: Clearpass OnGuard - Execute Script upon Health status change and COA

    Posted Oct 08, 2025 12:44 PM

    Hey man,


    Great, glad it worked :).

    Cheers,

    Vigan

    -------------------------------------------