Agent Enforcement Profile

To configure profile and attribute parameters for an Agent Enforcement profile:

1. Navigate to Configuration > Enforcement > Profiles. The Enforcement Profiles page opens.

2. Click Add. The Add Enforcement Profiles > Profile tab opens.

3. From the Template drop-down, select Agent Enforcement. The Agent Enforcement > Profile dialog opens.

Figure 1  Agent Enforcement > Profile Tab

4. Specify the Add Agent Enforcement > Profile parameters as described in the following table:

Table 1: Add Agent Enforcement > Profile Parameters

Parameter

Action/Description

Template

Select Agent Enforcement from the drop-down list.

Name

Enter the name of the enforcement profile.

Description

Optionally, enter a description of the enforcement profile (recommended).

Type

This field is populated automatically with type Agent.

Action

By default, this field is disabled. It is enabled only when RADIUS type is specified.

Device Group List

Select a device group from the drop-down list. The list displays all configured device groups.

All configured device groups are listed in the Configuration > Network > Device Groups page. After you add one or more device groups, you can select a group and take one of the following actions:

To delete the selected Device Group List entry, click Remove.

To see the device group parameters, click View Details.

To change the parameters of the selected device group, click Modify.

Add New Device Group

To add a new device group, click the Add New Device Group link. For more information, see Adding and Modifying Device Groups.

5. Click Next.

The Attributes tab opens.

Configuring Agent Enforcement Attributes

Use the Attributes tab to configure the attribute name and attribute value for each attribute you add.

Figure 2  Agent Enforcement > Attributes Dialog

6. Specify the Agent Enforcement > Attributes parameters as described in the following table:

Table 2: Agent Enforcement > Attributes Tab Parameters

Attribute Name

Action/Description

Bounce Client

To bounce the network interface and terminate the network connection, set the value to True.

Message

Enter the message that needs to be displayed on the endpoint.

Session Timeout (in seconds)

Configure the agent session timeout interval to periodically evaluate the endpoint's health.

OnGuard Agent performs health checks after the specified session timeout interval and updates the health status of the endpoint in Policy Cache.

You can specify the session timeout interval from 60 to 600 seconds. The default value is 0.

NOTE: Setting a lower value for the session timeout interval results in numerous authentication requests in the Access Tracker page.

Health Check interval (in hours)

Specify the health-check interval in hours. The value can differ between the Agent Enforcement Profiles assigned to different users. The allowed range is 0 to 1000 hours.

NOTE: The value of the Policy result cache timeout parameter (found in Server Configuration > Cluster-wide Parameters) must be greater than the highest value of all the Health Check Interval (in hours) values.

Note the following information:

You can set the Health Check Interval if OnGuard mode is set to Health only.

This parameter is valid only for wired and wireless interface types.

This parameter is not applicable for the OnGuard Dissolvable Agent, VPN, and Other interface types.

Enable to hide Retry button

To hide the Retry button in the OnGuard Agent, click the check box to set the value to True.

Enable to hide Logout button

To hide the Logout button in the OnGuard Agent, click the check box to set the value to True.

Enable to hide Quit option

To hide all Quit options in OnGuard Agent, click the check box to set the value to True.

Bounce Delay (in seconds)

When Bounce Delay is configured, the network interface is bounced after the specified delay.

Show Custom UI for Custom Scripts

Click the check box to set this attribute to True and enable the OnGuard Agent Remediation User Interface for Custom Scripts (for related information, refer to the Custom User Interface parameter in Creating OnGuard Custom Web Pages).

SDK Type

Allows you to specify the V4 OnGuard Detection SDK (for related information, see Upgrading From OnGuard Plugin Version 1.0 to 2.0).

Enable to auto update OnGuard Agent Library

When this option is enabled and a new version of OnGuard Agent Library is available on the Policy Manager server, Policy Manager OnGuard Agent automatically downloads and installs the new version of OnGuard Agent Library from the Policy Manager server. OnGuard modules, including detection libraries for client programs (V4 SDK), can be upgraded without having to upgrade your Policy Manager or OnGuard installations (for more information, see OnGuard Agent Library Updates).

Show Posture results in Guest page

To have OnGuard show the user posture results in a web page when the client is Unhealthy, click the check box to set this attribute to True.

Enable Evil Twin Detection

To enable OnGuard Agent to check for the presence of an "evil twin" with a wired interface, click the check box to set this attribute to True.

When OnGuard Agent detects an evil twin on a wired interface, it sends a WebAuth request with the Host:EvilTwin attribute set to the value "MayExist", indicating that an evil twin may exist.

The Host:EvilTwin attribute is available in Service rules, Role Mapping, and Enforcement profiles. For more information, see Evil Twin Detection with OnGuard.

Enable to bounce client if Evil Twin is detected

This attribute allows administrators to bounce the client interface if an evil twin (rogue AP) is detected, enabling the client to re-authenticate and establish a connection to the server to report the evil twin.

To use this feature, add both the Enable Evil Twin Detection and the Enable to bounce client if Evil Twin is detected attributes, and set the value to true for each of them. OnGuard will only bounce the interface if both attributes are enabled with their values set to true.

7. Click Save.
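The constraints in Table 2 can be checked before a profile is saved. The following is an added example, not Policy Manager code: it lints constructed attribute sets against the documented ranges, the evil twin attribute dependency, and the Policy result cache timeout rule. The dictionary layout and profile names are assumptions. The cache timeout is passed in already converted to hours, because this page does not state its unit.

```python
# Added example: the dict layout below is an assumption, not a ClearPass
# export format. Attribute names are the labels used in Table 2.
ST = "Session Timeout (in seconds)"
HCI = "Health Check interval (in hours)"
DETECT = "Enable Evil Twin Detection"
BOUNCE = "Enable to bounce client if Evil Twin is detected"

def is_true(value):
    return str(value).strip().lower() == "true"

def lint_profile(name, attrs, mode="Health only"):
    """Return findings for one profile's attribute set."""
    out = []
    timeout = int(attrs.get(ST, 0))
    # 0 is the documented default; a configured value must be 60-600.
    if timeout != 0 and not 60 <= timeout <= 600:
        out.append(f"{name}: {ST} = {timeout}, allowed range is 60 to 600")
    if HCI in attrs:
        if not 0 <= int(attrs[HCI]) <= 1000:
            out.append(f"{name}: {HCI} = {attrs[HCI]}, allowed range is 0 to 1000")
        if mode != "Health only":
            out.append(f"{name}: {HCI} needs OnGuard mode 'Health only', got '{mode}'")
    # The interface is bounced only when both evil twin attributes are true.
    if is_true(attrs.get(BOUNCE)) and not is_true(attrs.get(DETECT)):
        out.append(f"{name}: '{BOUNCE}' has no effect without '{DETECT}'")
    return out

def lint_all(profiles, cache_timeout_hours):
    """Lint every profile, then check the cluster-wide cache timeout."""
    out = []
    for name, p in profiles.items():
        out += lint_profile(name, p["attrs"], p.get("mode", "Health only"))
    highest = max((int(p["attrs"].get(HCI, 0)) for p in profiles.values()), default=0)
    if cache_timeout_hours <= highest:
        out.append(f"Policy result cache timeout ({cache_timeout_hours} h) must be "
                   f"greater than the highest {HCI} ({highest})")
    return out

# Constructed sample profiles (names and values are illustrative).
PROFILES = {
    "Employee-Wired": {"attrs": {ST: 300, HCI: 24, DETECT: "true", BOUNCE: "true"}},
    "Contractor": {"attrs": {ST: 30, HCI: 48, BOUNCE: "true"}},
}

if __name__ == "__main__":
    for finding in lint_all(PROFILES, cache_timeout_hours=24):
        print(finding)
```

The constructed Contractor profile is flagged twice: its session timeout is below the allowed range, and it sets the bounce attribute without Enable Evil Twin Detection, so the interface would never be bounced.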

Summary Information

The Summary tab summarizes the parameters configured in the Profile and Attribute tabs.

Figure 3  Agent Enforcement > Summary Tab