White Papers

Dell Networking W-Series ClearPass Configuration Guide
OnGuard posture enforcement with Dell Networking 7024P Switch
OnGuard is a software module within ClearPass used to determine the health of a device. Network
administrators may want to require that devices connecting to the network meet certain
health-related conditions before access is granted. Typical conditions include the presence of
anti-virus software with updated virus definitions. Other conditions could involve a check on the
state of the firewall. For the purposes of this document, the posture of a device refers directly to
its health.
The persistent client for OnGuard can detect changes in the posture of a device and change its
access status in the network. Although the Dell Networking switch does not support RADIUS CoA
(Change of Authorization), it can still use OnGuard to check health at the initial authentication
request when a device connects to the network. Additionally, the persistent OnGuard client can
monitor a PC and revoke access to the network after any failed periodic health check.
Dell Networking W-Series products support RADIUS CoA in addition to RADIUS VSAs (Vendor-Specific
Attributes), which can be used in conjunction with ClearPass for all available features when
connected wirelessly.
This example performs a basic health check to see whether the PC has its firewall enabled or turned
off. If the firewall is not enabled on the PC, access to the network is removed. To read more on the
health-related conditions that OnGuard can interrogate on devices, see the latest Dell Networking
W-ClearPass Policy Manager User Guide.
Dell Networking 7024P Configuration
OnGuard uses HTTPS to send posture information to the ClearPass appliance. For OnGuard to use
HTTPS, it must have access to the network. If a customer requires 802.1x authentication on the wired
switch, a separate 802.1x authentication must be used prior to the OnGuard posture check. In this
example, an 802.1x PEAP-EAP-MSCHAPv2 authentication is completed first. A separate WebAuth
service must be set up with posture checks to use the OnGuard agent. To ensure a non-compliant
device is not admitted back to the network, it is recommended that 802.1x be enabled on the access
port of the Dell Networking 7024P switch. If the port is left in Authorized mode and the health
issue is not corrected, the device will be bounced from the network during each periodic health
check.
This example builds upon the previous MAC Authentication example. The configuration of the RADIUS
server and the shared secrets is not repeated in this section. The steps to set up the RADIUS server
on both the switch and ClearPass are the same. Please refer to the steps in the previous example to
enable the switch to be an authenticator by adding an external RADIUS server (ClearPass).