Security

  • 1.  Different Posture Policy for a single test machine

    Posted Oct 08, 2025 08:15 AM

    Hello, I hope everyone is having a great day,

    I am trying to use a different Posture Policy for a single test machine. I tried creating another WebAuth service with the following config, but it's not working.

    This service is ordered prior to the general OnGuard_Service, but when I test, it's not matching at all.

    Is there any other solution?

    Thanks



    -------------------------------------------


  • 2.  RE: Different Posture Policy for a single test machine

    Posted Oct 08, 2025 08:35 AM

    Hi

    If you check the Input attributes of the request you will probably see that the MAC address isn't presented as an attribute in a web-based authentication. (If I remember correctly)

    Thus you are not matching the service filter.

    What are you trying to achieve?

    The web-based authentication only reports the Posture status to ClearPass, which triggers a Dynamic Authorization (CoA). In the following 802.1X authentication the status is utilized to assign roles and enforcement profiles.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 3.  RE: Different Posture Policy for a single test machine

    Posted Oct 08, 2025 09:46 AM

    Hi Jonas, 

    Well, I found the issue. It was a rookie mistake: I didn't check "Matches ALL the following conditions":

    It is working now; the service is matching.

    The general idea is that the client requested to block Windows 10 machines from connecting. I suggested removing them (unchecking Windows 10) from the posture policy, so all Windows 10 machines will report the Quarantine Posture Token and thus stay in the Quarantine VLAN.

    And the client asked me to test this on a single machine.

    -------------------------------------------



  • 4.  RE: Different Posture Policy for a single test machine

    Posted Oct 08, 2025 09:05 AM

    Hi man,

    Easiest way to fix this is to basically TAG (Role) the machine via your 802.1X authentication service, and use cached roles and attributes and utilize the role to trigger the posture policy for the endpoint. 

    And the service could be triggered by the username, or the MAC address as you can see here.

    Hopefully this clarifies your issue.

    Cheers,

    Vigan

    -------------------------------------------



  • 5.  RE: Different Posture Policy for a single test machine

    Posted Oct 08, 2025 09:39 AM

    Brilliant idea!



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    ------------------------------



  • 6.  RE: Different Posture Policy for a single test machine

    Posted Oct 08, 2025 09:48 AM

    Hi Vigan,

    Thanks, I am going to apply it.

    -------------------------------------------