Security

  • 1.  OnGuard not processing checks?

    Posted Sep 24, 2025 11:12 AM

    Noticing some devices are not checking in with OnGuard, not sure if anyone else has seen this issue before. 



    The OnGuard Healthy enforcement profile is after I have reinstalled OnGuard. This has happened to a few devices of ours. 

    Looking at logs, it looks like the OnGuard Agent wasn't able to read the conf file, therefore it did not know where to send posture evaluation.

    2025-07-31 06:02:56,831 [Th 18512:18516] INFO  OnGuardPlugin - InitializeLogger: C:\Program Files\Aruba Networks\ClearPassOnGuard\ClearPassOnGuard.exe
    2025-07-31 06:02:56,832 [Th 18512:18516] INFO  OnGuardPlugin.OnGuardPlugin - COnGuardPlugin: Constructor called
    2025-07-31 06:02:56,832 [Th 18512:18516] INFO  OnGuardPlugin.OnGuardPlugin - AddRef: m_lRefCount - 1
    2025-07-31 06:02:56,836 [Th 18512:18516] INFO  OnGuardPlugin.OnGuardPlugin - Initialize: called 
    2025-07-31 06:02:56,836 [Th 18512:18516] DEBUG Common.AgentConfigHelper - GetLanguageValue: Read Language value from registry - 1033
    2025-07-31 06:02:56,838 [Th 18512:18516] DEBUG OnGuardPlugin.TextStore - GetLanguage: Language from registry - 1033
    2025-07-31 06:02:56,838 [Th 18512:18516] DEBUG OnGuardPlugin.TextStore - GetLanguage: Language - en-US
    2025-07-31 06:02:56,838 [Th 18512:18516] DEBUG OnGuardPlugin.TextStore - CTextStore: Current Language - en-US
    2025-07-31 06:02:56,838 [Th 18512:18516] DEBUG OnGuardPlugin.TextStore - CTextStore: Use Current Language true.
    2025-07-31 06:02:56,838 [Th 18512:18516] WARN  Common.RegUtil - GetRegistryValue: Cannot query Registry Key Software\Aruba Networks\ClearPassOnGuard Value UseCurrentOSLanguage result=2
    2025-07-31 06:02:56,838 [Th 18512:18516] DEBUG Common.AgentConfigHelper - GetUseCurrentOSLanguage: Failed to read DisablePowerShell from registry. Return value - 2
    2025-07-31 06:02:56,838 [Th 18512:18516] DEBUG OnGuardPlugin.TextStore - CTextStore: Active language - en-US
    2025-07-31 06:02:58,866 [Th 18512:18516] WARN  Common.RegUtil - GetRegistryValue: Cannot query Registry Key Software\Aruba Networks\ClearPassOnGuard Value AgentConfig result=2
    2025-07-31 06:02:58,867 [Th 18512:18516] DEBUG Common.AgentConfigHelper - ReadAgentConfFromRegistry: Failed to read Agent Config from registry. Error - 2
    2025-07-31 06:02:58,867 [Th 18512:18516] ERROR OnGuardPlugin.AgentResourceHolder - LoadAuthServerList: Failed to read agent.conf file. Exception - Cannot open property file C:\Program Files\Aruba Networks\ClearPassOnGuard\etc\agent.conf
    Trying to read agent-backup.conf file.
    Failed to read agent-backup.conf file. Exception - Cannot open property file C:\Program Files\Aruba Networks\ClearPassOnGuard\etc\agent-backup.conf
    Trying to read agent config data from registry.
    Failed to read agent config data from registry. Data - 



    -------------------------------------------


  • 2.  RE: OnGuard not processing checks?

    Posted Sep 24, 2025 11:35 PM

    Possibly there are the following issues:

    - Either agent.conf is not present or corrupted. This can usually be caused by AV/EDR software, or tools which are used to clean up in C:\Program Files\Aruba Networks\ClearPassOnGuard\etc\agent.conf.

    - Permission issues on the local system or the logged-on account for the user with privileges read/write in the directory. Sometimes, if you have used hardening scripts or endpoint security policies, this can cause permission changes.

    - Registry not being populated as shown in your logs: GetRegistryValue: Cannot query Registry Key ... Value AgentConfig result=2.

    - Mismatched version: ClearPass server is pushing OnGuard packages but the endpoint is failing to update successfully.

    So check if:
    - the agent.conf and agent-backup.conf exist in C:\Program Files\Aruba Networks\ClearPassOnGuard\etc\ or in the path your OnGuard is installed

    - compare a working versus broken machine on the HKLM\Software\Aruba Networks\ClearPassOnGuard

    - Make sure NT AUTHORITY\SYSTEM and local Administrators have full control on the ClearPassOnGuard folder.

    - If you're relying on GPO/SCCM/Intune to push the agent, confirm it's not stripping the config files. (There are cases where Intune profiles silently delete .conf files when not whitelisted.)

    - Reinstalling works because it recreates the agent.conf. That would not be scalable and it would be better to identify why this behaviour is happening in the first place.

    Also, have you noticed a similar behavior happening only after a reboot / update / AV scan? That would narrow whether this is an endpoint security conflict or ClearPass deployment bug.



    ------------------------------
    Shpat | ACEP | ACMP | ACCP | ACDP
    Just an Aruba enthusiast and contributor by cases
    If you find my comment helpful, KUDOS are appreciated.
    ------------------------------
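
The checks listed in the reply above can be collected in one pass and compared between a working and a broken machine. This PowerShell script is an added example, not part of either post and not Aruba's own tooling; the install path, registry key and value name are the ones quoted in the thread, and the two SIDs are the well-known identifiers for NT AUTHORITY\SYSTEM and BUILTIN\Administrators.

```powershell
# Added diagnostic sketch: read-only checks, no changes are made to the endpoint.
$InstallDir = 'C:\Program Files\Aruba Networks\ClearPassOnGuard'  # adjust if installed elsewhere
$RegKey     = 'HKLM:\Software\Aruba Networks\ClearPassOnGuard'
$report     = [ordered]@{ Computer = $env:COMPUTERNAME }

# 1. Do agent.conf and agent-backup.conf exist, and are they non-empty?
foreach ($name in 'agent.conf', 'agent-backup.conf') {
    $file = Get-Item -LiteralPath (Join-Path $InstallDir "etc\$name") -ErrorAction SilentlyContinue
    if (-not $file)             { $state = 'MISSING' }
    elseif ($file.Length -eq 0) { $state = 'EMPTY' }
    else { $state = "present, $($file.Length) bytes, modified $($file.LastWriteTime.ToString('s'))" }
    $report[$name] = $state
}

# 2. Is the AgentConfig registry value populated? (result=2 in the log means "not found")
$reg = Get-ItemProperty -LiteralPath $RegKey -ErrorAction SilentlyContinue
if (-not $reg) {
    $report['Reg:AgentConfig'] = 'KEY MISSING'
} else {
    $empty = ($null -eq $reg.AgentConfig) -or ("$($reg.AgentConfig)" -eq '')
    $report['Reg:AgentConfig'] = if ($empty) { 'VALUE MISSING OR EMPTY' } else { 'populated' }
    # Value names only, so two machines can be diffed without copying config data around.
    $names = $reg.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object { $_.Name }
    $report['Reg:ValueNames'] = ($names | Sort-Object) -join ', '
}

# 3. Do SYSTEM and local Administrators hold an Allow/FullControl ACE on the folder?
$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
$acl = Get-Acl -LiteralPath $InstallDir -ErrorAction SilentlyContinue
foreach ($sid in 'S-1-5-18', 'S-1-5-32-544') {   # SYSTEM, BUILTIN\Administrators
    $hasFull = $false
    if ($acl) {
        # Include explicit and inherited ACEs, resolved to SIDs so localized names do not matter.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        $hasFull = [bool]($rules | Where-Object {
            $_.IdentityReference.Value -eq $sid -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $fullControl) -eq $fullControl
        })
    }
    $report["ACL:$sid FullControl"] = $hasFull
}

[pscustomobject]$report | Format-List
```

Run it from an elevated prompt on one healthy and one affected device; a difference in any row points to which of the causes listed in the reply applies.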