  • 1.  Webauth service on Aruba switch

    Posted May 17, 2018 05:56 AM

    Hi,

    I am working on a wired NAC project where, before the 802.1X service kicks in, the OnGuard agent should check device health. I have created two services (WEBAUTH for OnGuard, and RADIUS for 802.1X). 802.1X is enabled on the switch. The 802.1X service is referencing Posture (EQUALS or NOT_EQUALS HEALTHY) in its Enforcement Policy.

    The problem I am experiencing is that, in this scenario, once I connect my wired client device to the network, it never tries to use the WEBAUTH service and gets rejected on the RADIUS one. If I remove any reference to Posture in the EP, both services get hit, but RADIUS first (hence removing any benefit of posture checks before authentication). I am sure I have omitted something in my EPs, but cannot see what. Thanks in advance.



  • 2.  RE: Webauth service on Aruba switch
    Best Answer

    Posted May 17, 2018 09:07 AM

    The OnGuard webauth application works AFTER your first authentication.

    So in your first enforcement you can see "if health=unknown", enforce quarantine VLAN.

    In the quarantine VLAN the OnGuard agent posts its checkup status to OnGuard webauth, and use CoA bounce to reconnect.

    The next time you connect, "if health=healthy", enforce corporate VLAN.
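
Added example, not part of the original posts and not ClearPass code: a small Python model of the flow described in the answer above, run against both the reject-unless-healthy policy shape from the question and the quarantine-first shape from the answer. All names (`Nac`, the `policy_*` functions, the VLAN labels, the sample posture values) are hypothetical and constructed for illustration.

```python
# Toy model (constructed) of the RADIUS and WEBAUTH services discussed in this thread.
from enum import Enum

class Posture(Enum):
    UNKNOWN = "UNKNOWN"        # no health report cached yet
    HEALTHY = "HEALTHY"
    QUARANTINE = "QUARANTINE"  # agent reported a failed health check

REJECT, QUARANTINE_VLAN, CORPORATE_VLAN = "reject", "quarantine-vlan", "corporate-vlan"

def policy_reject_unless_healthy(posture):
    # Shape from the question: nothing admits a client that has no posture yet.
    return CORPORATE_VLAN if posture is Posture.HEALTHY else REJECT

def policy_quarantine_first(posture):
    # Shape from the answer: unknown or unhealthy clients land in a quarantine VLAN.
    return CORPORATE_VLAN if posture is Posture.HEALTHY else QUARANTINE_VLAN

class Nac:
    def __init__(self, dot1x_policy):
        self.dot1x_policy = dot1x_policy
        self.posture_cache = {}  # MAC -> last posture posted through WEBAUTH
        self.log = []            # (service, mac, posture, outcome)

    def dot1x_auth(self, mac):
        """RADIUS service: evaluated on every (re)connect of the port."""
        posture = self.posture_cache.get(mac, Posture.UNKNOWN)
        result = self.dot1x_policy(posture)
        self.log.append(("RADIUS", mac, posture.value, result))
        return result

    def agent_report(self, mac, current_access, posture):
        """WEBAUTH service: the agent needs network access to post its health."""
        if current_access == REJECT:
            return False  # no network path, so WEBAUTH is never hit
        self.posture_cache[mac] = posture
        self.log.append(("WEBAUTH", mac, posture.value, "coa-bounce"))
        return True

def connect(nac, mac, agent_posture):
    """One client connection: 802.1X first, then agent report, then the bounce."""
    access = nac.dot1x_auth(mac)
    if nac.agent_report(mac, access, agent_posture):
        access = nac.dot1x_auth(mac)  # CoA bounce forces a fresh 802.1X auth
    return access
```

In the model, the reject-unless-healthy policy never reaches WEBAUTH because the first authentication always sees an unknown posture, which matches the symptom in the question.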