The VPN functionality should then work.

Symptom: The ClearPass OnGuard Unified Agent does not automatically launch the application after auto-upgrade on Mac OS X. Scenario: This occurs on Mac OS X 10.10. Workaround: Launch the ClearPass OnGuard Agent manually after auto-upgrade.

Symptom/Scenario: The physical LAN network IP address is removed or disabled soon after installing.

[Screenshot: Mac OS X desktop showing the uninstaller dialog "ClearPass OnGuard uninstalled successfully. Click OK button to exit."]
Known Issues Identified in Previous Releases: OnGuard
Memory utilization for ClearPass OnGuard depends on the Health Classes configured and the type of Windows OS; however, the minimum requirement for ClearPass OnGuard running on a Windows platform is 90 MB.
Bug ID | Description |
---|---|
#12342 | The OnGuard agent fails to collect health on Windows 8 if VMware Server 2.0.2.X is installed. |
#13164 | Symptom: The hardware installation pop-up dialog appears to stop installing the ClearPass OnGuard Unified Agent for VIA+OnGuard mode. A warning message similar to "The software you are installing... has not passed Windows Logo testing" might be displayed during installation. Scenario: This might occur during the installation of the ClearPass OnGuard Unified Agent on Windows XP and Windows 2003 SP2. Workaround: Users should click Continue Anyway to proceed. |
#13363 | Symptom: On Mac OS X, the current version of the ClearPass OnGuard Unified Agent VPN component does not show some VPN-related information, for example the tunnel IP assigned by the controller, packet count, or diagnostic details. Scenario: This occurs on Mac OS X. It does not occur on Windows OS. |
#13929 | At times, OnGuard may fail to detect peer-to-peer applications, such as uTorrent, on Windows 2008 R2. |
#13935 | OnGuard does not support enabling or disabling the Windows Update Agent Patch Management Application. |
#13970 | After anti-virus software is installed, the system must be rebooted before using ClearPass OnGuard. |
#14196 | ClearPass OnGuard will not be able to get the correct status of the 'Software Update' PM application on Mac OS X if "Check for updates" and "Download updates automatically" are not toggled at least once. |
#14673 | The OnGuard Agent for Mac OS X does not support bouncing of a VPN Interface other than the Aruba VPN Interface (version 6.1). |
#14760 | In some cases, OnGuard fails to connect to the ClearPass appliance from a wired interface if the VPN is connected from a trusted network. |
#14842 | Installing the ClearPass OnGuard Unified Agent removes an existing VIA installation. To continue to use VPN functionality, go to Administration > Agents and Software Updates > OnGuard Settings and select Install and enable Aruba VPN component from the drop-down list. |
#14996 | If McAfee VE is running on Windows XP, the ClearPass OnGuard Unified Agent VPN will not work. |
#15072 | VIA connection profile details are not carried forward after upgrading from VIA 2.0 to ClearPass OnGuard Unified Agent 6.1.1. |
#15097 | The ClearPass OnGuard Unified Agent does not support installation of a VPN component on Mac OS X 10.6. |
#15156 | VPN configuration is not retained after upgrading to the ClearPass OnGuard Unified Agent using the MSI Installer on a 64-bit Windows system. |
#15233 | On Windows 7 (64-bit), upgrading an existing VIA 2.1.1.X to the ClearPass OnGuard Unified Agent can lead to an inconsistent state. Users should first uninstall VIA and then proceed with the ClearPass OnGuard Unified Agent installation. |
#15351 | Symptom: The state of the Real-Time Scanning button in Trend Micro Titanium Internet Security for Mac OS X is not updated. Scenario: This is observed when the ClearPass OnGuard Unified Agent has Real Time Protection (RTP). Workaround: Close the UI using Command+Q and restart. |
#15586 | Symptom: The ClearPass OnGuard 6.2 dissolvable agent does not support the following new health classes on Mac OS X: Processes, Patch Management, Peer-To-Peer, Services, USB Devices, and Disk Encryption. The dissolvable agent (DA) does not display these health classes as remediation messages in the user interface because Java binary SDK support is not included. Scenario: The client will be unhealthy if any of the health classes listed above are configured and a health scan is performed via the DA. |
#15986 | ClearPass OnGuard returns the product name of "Microsoft Forefront Endpoint Protection" AntiVirus as "Microsoft Security Essential". |
#16181 | Symptom: The command-level process can be detected using the path "none", but the application-level process can't be detected by setting the path to "none". Scenario: This applies to Mac OS X. Workaround: The application-level process health should be configured with the path set to Applications > Firefox.app. |
#16550 | Symptom/Scenario: The ClearPass OnGuard Unified Agent does not support checking the disk encryption state using the MacKeeper (ZeoBIT LLC) Disk Encryption product on Mac OS X. This causes the client to be treated as healthy even if none of the disk is encrypted. Workaround: There is no workaround at this time. |
#18281 | The ClearPass OnGuard configured health quiet period is supported in Health-only mode. It doesn't work in Auth+Health mode. |
#18341 | Symptom/Scenario: OnGuard cannot start a process on Mac OS X for non-administrative users. Workaround: The user must have root privileges to start process-level health checks by OnGuard on Mac OS X. |
#19019 | The network interface will be bounced twice (once immediately, and once after the configured interval) when the log-out/bounce delay parameter is configured. This is expected behavior; the first bounce is required to end the existing session. |
#20316 | OnGuard's Health Check Quiet Period is applicable per network interface. If a machine has more than one network interface, then each interface will have its own Health Check Quiet Period duration. |
#23470 | Symptom/Scenario: On a Japanese OS, when upgrading from VIA 2.1.1.3 to the ClearPass OnGuard Unified Agent, a known issue with uninstalling VIA displays a message asking the user to select the VIA driver. This does not occur on an English OS. |
#23636 | Symptom: The value of the Posture:Applied Policy attribute is not correctly displayed in the Access Tracker for posture policies carried over from releases earlier than 6.3.0. Scenario: This has been observed when upgrading from 6.2.6 to 6.3.2. Workaround: This can be corrected by manually saving the affected posture policy once after upgrade. |
#24986 | Symptom: The Native Dissolvable Agent is not automatically launched after downloading and running the agent the first time in the Chrome browser. Scenario: This occurs on Windows and on Mac OS X. Workaround: The first time you launch the Dissolvable Agent, click Launch ClearPass OnGuard Agent. |
#25827 | Symptom/Scenario: On Internet Explorer 8, when the security warning message asks whether you want to view only the content delivered through a secure HTTPS connection, the behavior is not as expected. Workaround: For the Native Agent flow to work correctly, click No in the pop-up dialog. |
#26224 | Symptom/Scenario: Some combined products that include both antivirus and anti-spyware (for example, McAfee VirusScan Enterprise + AntiSpyware Enterprise) are not shown in the AntiSpyware Posture configuration. Workaround: Add products like this only in Antivirus. Both the AntiVirus and AntiSpyware values are the same. |
#27134 | Symptom: OnGuard does not support dynamic switching between logged-in users on an Ubuntu client. |
#27599 | Symptom: The OnGuard logo is not shown on the desktop on Ubuntu. Scenario: On the Ubuntu OS, the OnGuard logo is not visible on the desktop at first. The logo will be updated automatically after the desktop is refreshed. |
#27876 | Users should be aware that RADIUS CoA over VPN is not supported on Ubuntu. |
#29243 | Symptom: The Unified Agent fails to disable other types of network connections when "Allow Only One Network Connection" is selected. Scenario: Users should be aware that the ClearPass OnGuard Unified Agent for Windows does not support disabling USB data card/modem type network interfaces. |
#29598 | Symptom: OnGuard does not stop or pause VM Player 7.x virtual machines. Scenario: Users should be aware that the ClearPass OnGuard Unified Agent does not support auto-remediation for Guest VMs running on VMware Player. |
#30106 | Symptom: On Mac OS X, the native and Java dissolvable agents do not get the RTP status of ESET Cyber Security Antivirus 6.x. Scenario: Users should be aware that the ClearPass OnGuard Native Dissolvable Agent for Mac OS X does not support the RTP Status check for ESET Cyber Security and ESET NOD32 Antivirus. |
#30243, #30212 | Symptom: The ClearPass OnGuard Unified Agent fails to load on Windows Server 2003, and does not support VPN, Auto Upgrade, or SSO on Windows XP or Windows Server 2003. Scenario: Users should be aware that Microsoft stopped supporting Windows Server 2003 on July 14, 2015, and stopped supporting Windows XP on April 8, 2014. Workaround: Windows 2003 Server and XP machines are required to update the Microsoft root CA certificate or missing trust certificates in order to load the OnGuard user interface properly. The following Microsoft knowledge base article provides information, as well as a link to the hotfix download that needs to be installed in order to enable certificate support with the SHA-256 algorithm: https://support.microsoft.com/en-us/kb/968730. |
#30381 | Symptom: The ClearPass OnGuard Unified Agent might not be able to detect the installation of certain Windows updates that are not visible in Control Panel > Programs and Features > View installed updates. Scenario: These are updates that might not use an installer or cannot be removed. Some examples include the Windows Malicious Software Removal Tool, certain Windows Defender updates (but these are validated through the AntiVirus health class), and foreign language input method editor (IME) files. Workaround: There is no workaround at this time. |
#30618 | Symptom: The ClearPass user interface may become unavailable after installing ClearPass OnGuard hotfix patches due to a service restart. Workaround: Log in to the ClearPass CLI using the appadmin account, and restart cpass-admin-server using the `service restart cpass-admin-server` command. This only affects the GUI and not the availability of ClearPass services (for example, RADIUS). |
#31734 | Symptom/Scenario: When both the wired and wireless interfaces are connected, the ClearPass OnGuard Dissolvable Agent sometimes picks the wrong interface to perform health checks. |
#31893 | Symptom/Scenario: Although Windows 10 does not support the Network Access Protection (NAP) platform, Windows 10 is still listed in the Windows System Health Validator and Windows Security Health Validator plugins for OnGuard at Configuration > Posture > Posture Policies > Posture Plugins tab. |
#32590 | Symptom/Scenario: The ClearPass OnGuard Unified Agent stops performing health checks on clients where AVG Anti-Virus Free Edition 2016.x is installed. Workaround: Run the following commands to resolve the issue (the backslash path separators are missing from the paths as shown here): `rename 'c:Program FilesAVGAvavgwdsvcx.exe' avgwdsvcx.exe.org`<br>`taskkill /F /IM avgwdsvcx.exe`<br>`rename c:ProgramDataAvgAVDBstats.db stats1.db`<br>`rename 'c:Program FilesAVGAvavgwdsvcx.exe.org' avgwdsvcx.exe`<br>`sc start avgwd` |
#33332 | Symptom: The Java Dissolvable Agent guest portal page hangs. Scenario: This occurs when the user clicks Continue on the Security Warning dialog after installing or upgrading to JRE 8u73. This is not an issue with current Java versions. Workaround: Upgrade to the latest JRE version. |
#33458 | Symptom/Scenario: If there are more than two auto-connect SSIDs configured, a Windows OS will sometimes keep connecting to these SSIDs after the OnGuard Agent disconnects the wireless interface. |
#33532 | Symptom/Scenario: When the ClearPass OnGuard Agent for Windows is running in Service mode, the Retry button is sometimes disabled and an incorrect system tray icon is shown. Workaround: Quit OnGuard and relaunch it. |
#34571 | Symptom/Scenario: The Java-based Dissolvable Agent sometimes does not show health check results on Windows in the Firefox browser. Workaround: Rebooting the system or clearing the browser cache might fix the problem. |
#34744 | Users should be aware that the Dissolvable Agent flow might not work with the latest Google Chrome versions (49.x and later) on the following operating systems because Google no longer supports Chrome on these platforms: Windows XP, Windows Vista, and Mac OS X 10.6, 10.7, and 10.8. |
#34829 | Symptom: The ClearPass OnGuard Unified Agent's Retry and Login buttons sometimes become inactive if the network interface is disabled or disconnected. Scenario: This occurs on Windows operating systems, and is only seen in Service mode. Workaround: Quit and relaunch the OnGuard Agent. |
#34987 | Symptom/Scenario: If the VPN component is enabled on the ClearPass OnGuard Unified Agent, multi-user (switch user) use cases are not supported. |
#36208 | Symptom: Double backslash characters (`\\`) are shown in the Access Tracker for the Path and Command attributes of the Agent Script Enforcement profile, but users should only enter a single backslash character (`\`). Scenario: On the Monitoring > Live Monitoring > Access Tracker > Output tab for an Agent Script enforcement profile, the Application Response area shows double backslash characters instead of single backslash characters in Path and Command attribute values. This is normal display behavior for this form and is not an issue. Users should be aware that, when creating an attribute, only single backslash characters may be entered in attribute values. Although a double backslash is displayed in these attribute values on the Output tab, the value sent to OnGuard uses the single backslash. |
#36334 | Symptom: The Native Dissolvable Agent does not launch automatically after it is installed, and if the user clicks "Launch ClearPass OnGuard Agent" it again prompts the user to download the Native Agent. Scenario: This issue has been observed mostly on Firefox versions 48.x and 49.x. Workaround: In the Firefox menu, click the Add-ons link and then select Plugins in the left menu. The Native Dissolvable Agent will then launch automatically. |
#36354 | Symptom: The Native Dissolvable Agent does not launch automatically after it is downloaded and run for the first time in the Firefox browser. Scenario: This occurs in the Firefox browser for both Windows and Mac OS X. Workaround: When the agent is launched for the first time, click "Launch ClearPass OnGuard Agent" to launch it manually. |
#37354 | Symptom: The Java Dissolvable Agent does not work with the Safari browser on macOS 10.12. Scenario: When trying to perform health checks using the Java Dissolvable Agent, after the applet opens, OnGuard stops and does not perform the health checks. This is due to recent changes in the Safari browser, and is not an issue with ClearPass. Workaround: None. |
#37393 | Symptom/Scenario: After the RTP status of AhnLab V3 Endpoint Security AntiVirus is enabled on Korean Windows 7 as part of auto-remediation, the ClearPass OnGuard Unified Agent takes a few seconds to detect the RTP status as Enabled. |
#37531 | Symptom: The ClearPass OnGuard Unified Agent fails to enable the Real-Time Protection (RTP) method of Symantec Endpoint Protection 14.x (SEP14). Workaround: In Symantec Endpoint Protection, go to Change Settings > Client Management > Tamper Protection and clear the "Protect Symantec security software from being tampered with or shut down" check box. |
#37539 | Symptom: The ClearPass OnGuard Unified Agent cannot install missing patches using the Microsoft Windows Update Agent if the patch has an empty value in the KBARTICLEID field. Scenario: This issue is seen on Windows 10 LTSB 14393 Build 2016. |
#37939 | Symptom: The Native Dissolvable Agent does not work in the Firefox browser. Scenario: The Native Dissolvable Agent for Windows does not support the 64-bit version of the Firefox browser. Workaround: Use the 32-bit version of the Firefox browser instead. |
#38141 | Users should be aware that the Java-based OnGuard Dissolvable Agent is no longer supported on Windows, MacOS, or Ubuntu systems. Only the Native OnGuard Dissolvable Agent workflow will be used for those platforms in the 6.6.5 release and future releases. |
#38208 | Symptom: After the ClearPass OnGuard Unified Agent is installed, it does not automatically display the VIA profile download dialog. Scenario: When a non-administrator user is logged in and tries to install the agent, they are prompted to provide administrator credentials. When they do, the agent installs, but the VIA profile download dialog does not open. Workaround: To download the VIA profile, go to the Details tab. In the Change Detail Type drop-down list, select Connection Details, and then click the Download button. Enter the server details and credentials in the Login window. |
#38303 | Symptom/Scenario: The ClearPass OnGuard Unified Agent does not support updating Symantec Endpoint Protection 14.x as part of auto-remediation. |
#38403 | Symptom: The Native Dissolvable Agent does not work in the Firefox browser on macOS. Scenario: After installing OnGuard through the Firefox browser, the "Install OnGuard" dialog does not open and the plugin cannot be found. This has been observed in the Firefox browser on Mac OS X 10.10 and macOS 10.12. Workaround: Use the Safari or Chrome browser instead. |
#38976 | Symptom: The ClearPass OnGuard Native Dissolvable Agent is not supported on Firefox versions 52.x and later. This is because of recent changes in the Firefox browser itself. Scenario: This has been observed on MacOS, Windows, and Linux operating systems. Workaround: Use the Google Chrome, Internet Explorer (IE), or Safari browsers instead. |
#39148 | Symptom: Attempting to update from 6.6.4 to 6.6.5 using the Cluster Update page fails and displays the error message "certificate common name ... doesn't match requested host name." Scenario: If you are upgrading a cluster from 6.6.4 to 6.6.5, the Cluster Upgrade page only works if the publisher's certificate includes the publisher's IP address in the Common Name (CN). This only occurs when updating from 6.6.4 to 6.6.5. It is not an issue when updating from other versions. Workaround: If the publisher's certificate does not include the publisher's own IP address, manually update the cluster instead of using the Cluster Update page. |
OnGuard Endpoint Health License for Aruba ClearPass Policy Manager
- OnGuard License for Aruba ClearPass Policy Manager - 100 devices (#JW568AAE): List Price $2,250.00; Our Price $2,025.00
- OnGuard License for Aruba ClearPass Policy Manager - 500 devices (#JW569AAE): List Price $11,250.00; Our Price $10,125.00
- OnGuard License for Aruba ClearPass Policy Manager - 1,000 endpoints (#JW570AAE): List Price $18,000.00; Our Price $16,200.00
Overview:
ClearPass OnGuard agents perform advanced endpoint posture assessments on leading computer operating systems to ensure that compliance is met before devices connect. Running on the Aruba ClearPass Policy Manager platform, the advanced network access control (NAC) framework in ClearPass OnGuard offers exceptional safeguards against vulnerabilities.
The following operating systems and versions are supported:
- Microsoft – Support for Windows 7 and above. Can be run as a service.
- Apple – Support for Mac OS X 10.7 and above.
- Linux – Support for Red Hat Enterprise Linux 4 and above, Ubuntu 12.x LTS and 14.x LTS, Community Enterprise Operating System (CentOS) 4 and above, Fedora Core 5 and above, and SUSE Linux 10.x.
Supported agents:
Operating system | OnGuard Persistent Agent | OnGuard Dissolvable Agent | Microsoft's NAP Agent |
---|---|---|---|
Microsoft | | | |
Apple | | | |
Linux | * | | |
(The per-platform support marks in this table did not survive extraction; only the Linux footnote marker remains.)
Note: Auto-remediation only supported by persistent agents
* Persistent agent supported on Ubuntu endpoints running 12.x LTS or 14.x LTS
Automate health checks and posture assessments
In addition to system-wide per-session NAC protection, you can specify whether to allow or deny peer-to-peer applications or USB storage devices. Network access can be denied if storage is not encrypted and IT can be sure that laptops brought to the help desk have the latest patches and hot fixes.
Ensure device compliance before they ever connect
You can automatically remediate or quarantine endpoints that are not in compliance with corporate posture policies. Using the administrator dashboard, it’s easy to keep an eye out for non-compliant devices, users, and the reasons for non-compliance.
BYOD and IT-issued devices
Persistent agents allow for automated remediation for IT-issued devices while BYOD and guests can use a dissolvable agent that’s automatically uninstalled once the device is cleared.
Operating system support
ClearPass OnGuard is capable of supporting a wide range of mobile device operating systems, including Windows, Mac OS X, and popular Linux versions.
Features:
- Enhanced capabilities for endpoint compliance and control
- Supports Microsoft, Apple, and Linux operating systems
- Anti-virus, anti-spyware, firewall checks and more
- Optional auto-remediation and quarantine capabilities
- System-wide endpoint messaging, notifications and session control
- Centrally view the online status of all devices from the ClearPass Policy Manager platform
Advantage:
In addition to anti-virus, anti-spyware and personal firewall audits performed by traditional NAC products, OnGuard agents can perform additional posture and health checks, to ensure a greater level of endpoint compliance.
Persistent and dissolvable agents
The difference between the two is that the persistent agent provides nonstop monitoring and automatic remediation and control. When running persistent OnGuard agents, ClearPass Policy Manager can centrally send system-wide notifications and alerts, and allow or deny network access. The persistent agent also supports auto and manual remediation.
Alternatively, the web-based dissolvable agent is ideal for personal, non IT-issued devices that connect via a captive portal and do not allow agents to be permanently installed. A one-time check at login ensures policy compliance. Devices not meeting compliance can be redirected to a captive portal for manual remediation.
Once the browser page used during authentication is closed, the dissolvable agent is removed leaving no trace.
Automatic remediation
If unhealthy endpoints do not meet compliance requirements, the user receives a message about the endpoint status and instructions on how to achieve compliance if auto-remediation is not used.
Messages can include reasons for remediation, links to helpful URLs and helpdesk contact information. ClearPass persistent agents provide the same message and remediation capabilities for 802.1X and combined environments.
Persistent and dissolvable agents can be used for endpoint health checks.
IT-managed and BYOD endpoint compliance
OnGuard persistent and dissolvable agents can be used together in environments where endpoints are owned by the organization, employees and visitors. This ensures that all devices are assessed and granted proper privileges before accessing the network.
Detailed Mac OS X quarantine messages.
Complete endpoint visibility
To simplify troubleshooting, endpoint control and compliance reporting, ClearPass Policy Manager offers the ability to centrally manage health-check settings and policies. Views of ClearPass OnGuard activity, including user and device data, show information about each device that connects using OnGuard agents.
Centralized view of endpoints OnGuard activity.
Real-time endpoint compliance
Depending on the operating system type, OnGuard performs the following posture and health checks.
Health check | Windows | Mac OS X | Linux |
---|---|---|---|
Installed Applications | | | |
AntiVirus | | | |
AntiSpyware | | | |
Firewall | | | |
Disk Encryption | | | |
Network Connections | | | |
Processes | | | |
Patch Management | | | |
Peer to Peer | | | |
Services | | | |
Virtual Machines | | | |
Windows Hotfixes | | | |
USB Devices | | | |
File Check | | | |
(The per-platform support marks in this chart did not survive extraction.)
* Chart represents ClearPass version 6.6 functionality.
** Disclaimer: Not all checks are supported across operating systems and agent type.
Comprehensive Endpoint Assessments:
Full endpoint protection
- Auto-remediation ensures that anti-virus and anti-spyware protection are up to date.
- Verifies firewall status with optional auto-remediation.
- Ensures that Windows Automatic Updates is running.
- Supports Windows Health Validator plugin.
- Operating system fingerprinting verifies that approved images are installed.
Advanced posture assessments
- Runs anti-virus, anti-spyware, and firewall audits for product, engine and data versions, and checks when scans were last performed.
- Identifies approved peer-to-peer applications, registry keys, and system processes.
- Approves the use of USB storage devices.
- Checks for up-to-date Microsoft service packs and patches.
- Use with external patch management applications – Altiris, BigFix, Creston, Lumension, Microsoft, Norman and Shavlik.
- Limits the use of client VM applications.
- Remote desktop sessions can be controlled (allowed/denied).
- Grants permission to use client-side hotspot software.
Visibility and control
- Endpoint enforcement via static route assignment.
- Send notification messages to endpoints or groups of endpoints.
- Devices can be bounced from the network or denied access.
Solutions:
Security Considerations for Next Generation Network Access and Endpoint Compliance
The dangers of endpoints connecting to the network before scanning for device health
Endpoint compliance assessments are critical for today's mobile workforce environment. Employees, contractors, and guests treat IT-issued laptops as if they own them. Meanwhile, bring your own device (BYOD) has become popular due to convenience, cost savings and IT offload. Unfortunately, user behavior and connecting these devices to enterprise networks is a growing concern that adds potential threats.
Legacy network access control (NAC) required IT to install supplicants and agents on IT-issued computers to ensure the latest A/V software was updated and scanned. Next generation endpoint compliance allows for the automation of configuring devices, with little IT hassle, with improved policy creation and enforcement. Endpoint type will include laptops and desktops, smart phones, and tablets.
In this paper, we’ll discuss how and where new generation endpoint compliance should be enforced as well as additional considerations that are critical for ensuring a secure network.
NAC Re-Invented
Early issues with deploying NAC are a thing of the past — in fact, there’s no longer a need to distribute supplicants. Devices come with usable supplicants and the distribution of agents is automated today.
Next generation endpoint compliance is “IT lite” because agents can be automatically pushed to the client. Today’s NAC solutions are typically used to distribute agents to computers and enterprise mobile management (EMM) solutions are used for distributing agents to smart phones and tablets. In both scenarios, the policy management component within a NAC solution will be used to enforce network access privileges. The goal is to perform the assessment before full access privileges are granted.
This ease of deployment has lifted a significant burden off of IT that otherwise would have hampered implementation. More importantly, today there are many features that are available within a NAC solution that solve the security implications of a mobile workforce.
Basic Features of an Endpoint Compliance Solution
Today, endpoint compliance means much more than just checking for traditional anti-virus and firewall status. IT can now require and control the use of many more variables that have been implicated in breaches. This can include controlling USB ports, P2P file share blocking, spyware updates, patch/hotfix management, and more.
Additionally, today’s NAC solutions can be configured so that features run in the background. Real-time assessments can trigger auto-remediation to change the status of an endpoint that makes it non-compliant. When auto-remediation is not an option, the NAC solution can also communicate instructions to the end user on how to resolve non-compliance issues via SMS, email, or a service desk call.
Tying these features together with the AAA capabilities of a policy solution allows for much more granular and robust policies that can leverage the detailed user and device context that’s available today. Device fingerprinting, the status of a certificate or credentials and user location data can now be collected and used to determine if a device should be connected to a network.
This simplifies IT involvement and improves the end user experience as self-management of their devices makes it easier to comply with changing policy requirements.
Differences Between NAC Solutions
Not all NAC solutions are equal. Most importantly, when approaching access control with a security mindset, when device health checks occur is often the most overlooked gap.
From a security standpoint, the strength of your defenses is inversely proportional to end user and/or IT convenience. Sometimes a “good enough” approach is fine – for example, some websites do not require lengthy or complicated passwords, but more important accounts, such as brokerage accounts, may require strong passwords and two-factor authentication. However, in the case of endpoint compliance and health checks in the mobile world, slightly more involved challenges are needed considering the implications of a large breach, data loss, or infected network.
The convenience first, security second school of thought for some vendors is to let the device onto the network before doing a policy or health check. And instead of using 802.1X, RADIUS and other authentication and enforcement protocols, they attempt to scan devices after they’ve been granted a connection to the network. This way, elements of the device can be scanned faster than if an agent were issued to a device and securely scanned and authenticated first.
Although the time before a threat is detected may be small in this model, it can be just enough time to expose your network to malicious code or data loss, compared with enforcing assessment and authorization before the device acquires an IP address. In other words, merely allowing a device to acquire an IP address first and then scanning packets still allows enough time to compromise your network.
Furthermore, the speed with which a device can be scanned before acquiring an IP address is negated by the intrusive performance hit a device takes while the end user is working in an application. The size of an organization is another consideration: devices farther away from where the NAC solution sits will have access to resources longer than may be desired.
Trusting the device before enforcing compliance policies is akin to locking your front door when you leave for work in the morning — after leaving the door open overnight. You are leaving yourself vulnerable at the most critical and vulnerable time. The same is true for endpoint control. It makes sense to enforce a policy before allowing untrusted devices onto the network. Just because devices are known does not mean that they should be trusted.
Implications of the Pre-Enforcement Access Model
Breaches and corporate data loss are regularly in the news. Some of the largest companies in the world have had to disclose devastating breaches because someone brought a non-IT-issued device onto the network and logged in without a health check. Once malicious code enters the network in the moments after the user connects, containing its spread is far harder than preventing it, and much of the damage is already done. With laws now requiring public disclosure and notification of breaches, the costs are staggering, not to mention the potential personal legal exposure of C-level executives.
Pre-Health Check vs. Post-Health Check
Although checking device health before granting network access is critical from a security standpoint, the strongest posture combines pre-admission and post-admission assessment and enforcement. Say you have a pre-enforcement solution and policy in place and a remote employee wants to use a personal laptop on the network. They are required to download an agent, which assesses the device against the policy. If the device is clean, it is allowed onto the network. If the anti-virus program is outdated, it can be auto-remediated.
But what if the user does something after they are on the network? Say they click a malicious link that disables the firewall, bypassing the protection their anti-virus application relies on. A persistent agent keeps checking the device and will either auto-remediate or block the user from the network if a firewall is a component of the IT policy. Without a persistent agent there is no way to auto-remediate, or to flag and block, changes made to the device after the initial health check.
Aruba ClearPass - A Security Centric Endpoint Compliance Solution
Aruba ClearPass OnGuard, a component of the Aruba ClearPass Policy Management Platform, can be used to perform device assessments on any computer or laptop connecting to the network. Policy Manager can also pull attributes from an EMM system to ensure that only compliant smartphones and tablets connect to Wi-Fi and wired networks.
With a persistent agent, IT can check for anti-virus, anti-spyware, firewalls, hot fixes and more in real time before granting authorization onto the network. If a requirement cannot be auto-remediated, for example if disk encryption must be enabled, the user can be notified that they cannot access the network until encryption is restored.
Not only does ClearPass ensure that non-IT-issued laptops and computers are compliant before they are allowed network access, it does so in an "IT lite" fashion on both wired and wireless networks, before an IP address is issued.
A lightweight, dissolvable web-based agent is also available for users placed on a less critical network segment, such as a guest network. In most cases personal devices do not allow agents to be permanently installed; such devices connect through a captive portal that uses a native dissolvable agent, which is completely removed from the device once the browser is closed.
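The pre-admission check, the auto-remediation of a remediable failure, the persistent-agent re-check after the user disables the firewall, and the non-remediable disk-encryption case described above are modelled below as an added Python example. It is not ClearPass or OnGuard code: the posture attributes, check names, the seven-day signature-age threshold and the scenario are constructed for illustration, and the session state stands in for what a real deployment would enforce through 802.1X/RADIUS and a Change-of-Authorization.

```python
from __future__ import annotations

from dataclasses import dataclass, field, replace
from datetime import date, timedelta
from typing import Callable, Optional


# Constructed posture report: the attributes an endpoint agent would collect.
@dataclass(frozen=True)
class Posture:
    av_installed: bool
    av_signature_date: Optional[date]
    firewall_enabled: bool
    disk_encrypted: bool


@dataclass(frozen=True)
class HealthCheck:
    name: str
    passes: Callable[[Posture], bool]
    # None means the agent cannot fix the condition; the user has to act.
    remediate: Optional[Callable[[Posture], Posture]] = None


MAX_SIGNATURE_AGE = timedelta(days=7)  # hypothetical policy threshold


def build_policy(today: date) -> list[HealthCheck]:
    """Three checks in the spirit of the text: AV current (fixed by a
    signature update), firewall on (fixed by re-enabling it), and disk
    encryption on (not fixable by the agent)."""

    def av_current(p: Posture) -> bool:
        return (p.av_installed and p.av_signature_date is not None
                and today - p.av_signature_date <= MAX_SIGNATURE_AGE)

    return [
        HealthCheck("antivirus-current", av_current,
                    lambda p: replace(p, av_signature_date=today)),
        HealthCheck("firewall-enabled", lambda p: p.firewall_enabled,
                    lambda p: replace(p, firewall_enabled=True)),
        HealthCheck("disk-encrypted", lambda p: p.disk_encrypted),
    ]


@dataclass
class Verdict:
    decision: str            # "allow" or "deny"
    remediated: list[str]    # checks that failed but were fixed in place
    failed: list[str]        # checks that still fail after remediation
    posture: Posture         # posture after any remediation was applied


def evaluate(posture: Posture, policy: list[HealthCheck]) -> Verdict:
    """Run every check, attempt remediation on failure, and deny if any
    check still fails. The remediated posture is returned so that later
    re-checks start from the fixed state."""
    remediated: list[str] = []
    failed: list[str] = []
    for check in policy:
        if check.passes(posture):
            continue
        if check.remediate is not None:
            posture = check.remediate(posture)
            if check.passes(posture):
                remediated.append(check.name)
                continue
        failed.append(check.name)
    return Verdict("allow" if not failed else "deny", remediated, failed, posture)


@dataclass
class Session:
    endpoint: str
    state: str = "unauthenticated"   # unauthenticated | admitted | quarantined
    log: list[tuple[str, str, tuple[str, ...]]] = field(default_factory=list)


def _enforce(session: Session, phase: str, v: Verdict) -> None:
    # In a real deployment: RADIUS Access-Accept with the production role, or
    # a quarantine role / Change-of-Authorization on denial.
    session.state = "admitted" if v.decision == "allow" else "quarantined"
    session.log.append((phase, v.decision, tuple(v.failed)))


def admit(session: Session, posture: Posture, policy: list[HealthCheck]) -> Verdict:
    """Pre-admission check: runs before the device is given an IP address."""
    v = evaluate(posture, policy)
    _enforce(session, "admission", v)
    return v


def recheck(session: Session, posture: Posture, policy: list[HealthCheck]) -> Verdict:
    """Post-admission check by the persistent agent: a failure that cannot be
    remediated revokes the session; a pass restores it."""
    v = evaluate(posture, policy)
    _enforce(session, "recheck", v)
    return v


def run_scenario(today: date = date(2024, 1, 15)):
    """Constructed walkthrough of the remote-laptop story in the text."""
    policy = build_policy(today)
    session = Session("personal-laptop-01")
    # 1. Personal laptop with month-old AV signatures: fixed in place, admitted.
    v1 = admit(session, Posture(True, today - timedelta(days=30), True, True), policy)
    # 2. A malicious link turns the firewall off: the persistent agent
    #    re-enables it and the session stays admitted.
    v2 = recheck(session, replace(v1.posture, firewall_enabled=False), policy)
    # 3. Disk encryption is disabled: nothing to auto-remediate, so the
    #    session is quarantined until the user restores encryption.
    v3 = recheck(session, replace(v2.posture, disk_encrypted=False), policy)
    return session, (v1, v2, v3)


if __name__ == "__main__":
    session, verdicts = run_scenario()
    for entry in session.log:
        print(entry)
    print("final state:", session.state)
```

The ordering of checks matters only for the log: a device that fails a non-remediable check is denied regardless of how many remediable ones were fixed, which is the behaviour the text asks for in the disk-encryption case.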
Ordering Guidance:
ClearPass OnGuard can be ordered via a dedicated OnGuard-only subscription that includes ArubaCare support, or as perpetual licenses. Enterprise options allow organizations to use the licenses flexibly across ClearPass OnGuard, Onboard or Guest.
Ordering ClearPass OnGuard involves the following three steps:
- Determine the number of unique computer endpoints in your environment that will have posture/health checks performed prior to network access.
- Choose the appropriate ClearPass Policy Manager hardware or virtual appliance to accommodate that total. The Enterprise Starter Bundle, which contains 25 licenses, can be used.
- Select the remaining capacity needed for the total number of endpoints using the OnGuard part numbers. Anything beyond the capacity of a base appliance requires the purchase of a second ClearPass Policy Manager appliance.
Example: To support the provisioning of 2,000 devices, make sure that ClearPass Policy Manager is sized to accommodate 2,000 endpoint devices.
Purchase the following:
- ClearPass Appliance – CP-HW-5K or CP-VA-5K
- ClearPass OnGuard – 2 x LIC-CP-OG-1K or, for subscription, SUBX-CP-OG-1K
Additional ClearPass OnGuard capacity can be purchased at any time to meet growth demands. ClearPass OnGuard is licensed on a per client basis.
Documentation:
Aruba ClearPass OnGuard Datasheet (.PDF)
Pricing Notes:
- Pricing and product availability subject to change without notice.
OnGuard Endpoint Health License for Aruba ClearPass Policy Manager
OnGuard License for Aruba ClearPass Policy Manager - 100 devices
OnGuard License for Aruba ClearPass Policy Manager - 500 devices
OnGuard License for Aruba ClearPass Policy Manager - 1,000 endpoints
OnGuard License for Aruba ClearPass Policy Manager - 2,500 endpoints
OnGuard License for Aruba ClearPass Policy Manager - 5,000 endpoints
OnGuard License for Aruba ClearPass Policy Manager - 10,000 endpoints
For more than 10,000 endpoints, please use our Quote Request Form!
Aruba 1 Year Foundation Care 24x7 ClearPass OnGuard 100
Aruba 1 Year Foundation Care 24x7 ClearPass OnGuard 500
Aruba 1 Year Foundation Care 24x7 ClearPass OnGuard 1000
Aruba 1 Year Foundation Care 24x7 ClearPass OnGuard 2500
Aruba 1 Year Foundation Care 24x7 ClearPass OnGuard 5K
Aruba 1 Year Foundation Care 24x7 ClearPass OnGuard 10K
Aruba 1 Year Foundation Care 24x7 ClearPass OnGuard 25K EP
Aruba 1 Year Foundation Care 24x7 ClearPass OnGuard 50K
Aruba 1 Year Foundation Care 24x7 ClearPass OnGuard 100K
For HPE Aruba Services for 3, 4 or 5 years, please contact us!
OnGuard License for Aruba ClearPass Policy Manager, 1 year
OnGuard 1 Year Subscription License for Aruba ClearPass Policy Manager - 100 endpoints
OnGuard 1 Year Subscription License for Aruba ClearPass Policy Manager - 500 endpoints
OnGuard 1 Year Subscription License for Aruba ClearPass Policy Manager - 1,000 endpoints
OnGuard 1 Year Subscription License for Aruba ClearPass Policy Manager - 2,500 endpoints
OnGuard 1 Year Subscription License for Aruba ClearPass Policy Manager - 5,000 endpoints
OnGuard 1 Year Subscription License for Aruba ClearPass Policy Manager - 10,000 endpoints
For more than 10,000 endpoints, please use our Quote Request Form!
OnGuard License for Aruba ClearPass Policy Manager, 3 year
OnGuard 3 Year Subscription License for Aruba ClearPass Policy Manager - 100 endpoints
OnGuard 3 Year Subscription License for Aruba ClearPass Policy Manager - 500 endpoints
OnGuard 3 Year Subscription License for Aruba ClearPass Policy Manager - 1,000 endpoints
OnGuard 3 Year Subscription License for Aruba ClearPass Policy Manager - 2,500 endpoints
OnGuard 3 Year Subscription License for Aruba ClearPass Policy Manager - 5,000 endpoints
OnGuard 3 Year Subscription License for Aruba ClearPass Policy Manager - 10,000 endpoints
For more than 10,000 endpoints, please use our Quote Request Form!
OnGuard License for Aruba ClearPass Policy Manager, 5 year
OnGuard 5 Year Subscription License for Aruba ClearPass Policy Manager - 100 endpoints
OnGuard 5 Year Subscription License for Aruba ClearPass Policy Manager - 500 endpoints
OnGuard 5 Year Subscription License for Aruba ClearPass Policy Manager - 1,000 endpoints
OnGuard 5 Year Subscription License for Aruba ClearPass Policy Manager - 2,500 endpoints
OnGuard 5 Year Subscription License for Aruba ClearPass Policy Manager - 5,000 endpoints
OnGuard 5 Year Subscription License for Aruba ClearPass Policy Manager - 10,000 endpoints