Agent Enforcement Profile
To configure profile and attribute parameters for an Agent Enforcement profile:
1. Navigate to > > . The page opens.
2. Click . The > tab opens.
3. From the drop-down, select . The dialog opens.
Figure 1 Agent Enforcement > Profile Tab
4. Specify the > parameters as described in the following table:
Parameter | Action/Description |
Template | Select from the drop-down list. |
Name | Enter the name of the enforcement profile. |
Description | Optionally, enter a description of the enforcement profile (recommended). |
Type | This field is populated automatically with type . |
Action | By default, this field is disabled. It is enabled only when type is specified. |
Device Group List | Select a device group from the drop-down list. The list displays all configured device groups. All configured device groups are listed in the Configuration > Network > Device Groups page. After you add one or more device groups, you can select a group and take one of the following actions: To delete the selected Device Group List entry, click Remove. To see the device group parameters, click View Details. To change the parameters of the selected device group, click Modify. |
Add New Device Group | To add a new device group, click the link. For more information, see Adding and Modifying Device Groups. |
5. Click .
The tab opens.
Configuring Agent Enforcement Attributes
Use the tab to configure the attribute name and attribute value for each attribute you add.
Figure 2 Agent Enforcement > Attributes Dialog
6. Specify the > parameters as described in the following table:
Attribute Name | Action/Description |
Bounce Client | To bounce the network interface and terminate the network connection, set the value to . |
Message | Enter the message that needs to be displayed on the endpoint. |
| Configure the agent session timeout interval to periodically evaluate the endpoint's health. OnGuard Agent performs health checks after the specified session timeout interval and updates the health status of the endpoint in Policy Cache. You can specify the session timeout interval from to seconds. The default value is . Setting a lower value for the session timeout interval results in numerous authentication requests in the page. |
Health Check interval (in hours) | Specify the health-check interval value in hours for different Agent Enforcement Profiles for different users. The allowed range is to hours. The value of the parameter (found in Server Configuration > Cluster-wide Parameters) must be greater than the highest value of all the values. Note the following information: You can set the if OnGuard mode is set to . This parameter is valid only for wired and wireless interface types. This parameter is not applicable for the OnGuard Dissolvable Agent, VPN, and Other interface types. |
| To hide the button in the OnGuard Agent, click the check box to set the value to . |
Enable to hide Logout button | To hide the button in the OnGuard Agent, click the check box to set the value to . |
Enable to hide Quit option | To hide all Quit options in OnGuard Agent, click the check box to set the value to . |
Bounce Delay (in seconds) | When is configured, the network interface is bounced after the specified delay. |
Show Custom UI for Custom Scripts | Click the check box to set this attribute to and enable the OnGuard Agent Remediation User Interface for Custom Scripts (for related information, refer to the parameter in Creating OnGuard Custom Web Pages). |
| Allows you to specify the V4 OnGuard Detection SDK (for related information, see Upgrading From OnGuard Plugin Version 1.0 to 2.0). |
Enable to auto update OnGuard Agent Library | When this option is enabled and a new version of OnGuard Agent Library is available on the Policy Manager server, Policy Manager OnGuard Agent automatically downloads and installs the new version of OnGuard Agent Library from the Policy Manager server. OnGuard modules, including detection libraries for client programs (V4 SDK), can be upgraded without having to upgrade your Policy Manager or OnGuard installations (for more information, see OnGuard Agent Library Updates). |
Show Posture results in Guest page | To have OnGuard show the user posture results in a web page when the client is Unhealthy, click the check box to set this attribute to . |
| To enable OnGuard Agent to check for the presence of an "evil twin" with a wired interface, click the check box to set this attribute to . When OnGuard Agent detects an evil twin on a wired interface, it sends a WebAuth request with the Host:EvilTwin attribute having the value "MayExist," indicating that an evil twin may exist. The Host:EvilTwin attribute is available in Service rules, Role Mapping, and Enforcement profiles. For more information, see Evil Twin Detection with OnGuard. |
Enable to bounce client if Evil Twin is detected | This attribute allows administrators to bounce the client interface if an evil twin (rogue AP) is detected, enabling the client to re-authenticate and establish a connection to the server to report the evil twin. To use this feature, add both the Enable Evil Twin Detection and the Enable to bounce client if Evil Twin is detected attributes, and set the value to true for each of them. OnGuard will only bounce the interface if both attributes are enabled with their values set to true. |
7. Click .
Summary Information
The tab summarizes the parameters configured in the and tabs.
Figure 3 Agent Enforcement > Summary Tab
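An added example, not part of the HPE Aruba documentation: an offline check of two rules stated in the Attributes table above, namely that the evil-twin bounce takes effect only when both evil-twin attributes are true, and that the cluster-wide parameter must be greater than the highest health-check interval. The profile dictionary layout, the sample profiles and the `cluster_limit_hours` argument are assumptions made for illustration; the attribute names are the ones listed on this page.

```python
# Attribute names as listed in the Attributes table on this page.
EVIL_TWIN = "Enable Evil Twin Detection"
EVIL_TWIN_BOUNCE = "Enable to bounce client if Evil Twin is detected"
HEALTH_INTERVAL = "Health Check interval (in hours)"

# Constructed sample: profile name -> {attribute name: value}. The layout is
# an assumption for this example, not a ClearPass export format.
SAMPLE_PROFILES = {
    "Corp-Wired": {EVIL_TWIN: "true", EVIL_TWIN_BOUNCE: "true", HEALTH_INTERVAL: "4"},
    "Contractor": {EVIL_TWIN_BOUNCE: "true", HEALTH_INTERVAL: "12"},
    "Kiosk": {EVIL_TWIN: "false", HEALTH_INTERVAL: "n/a"},
}


def is_true(attrs, name):
    """Treat only an explicit 'true' (any case) as enabled."""
    return str(attrs.get(name, "")).strip().lower() == "true"


def audit_profiles(profiles, cluster_limit_hours):
    """Return (profile, finding) tuples for the two rules described above.

    cluster_limit_hours is the value of the cluster-wide parameter that must
    exceed every profile's health-check interval (hypothetical argument name).
    """
    findings, intervals = [], {}
    for name, attrs in profiles.items():
        # Rule 1: the interface is bounced only if BOTH attributes are true.
        if is_true(attrs, EVIL_TWIN_BOUNCE) and not is_true(attrs, EVIL_TWIN):
            findings.append((name, "evil-twin bounce set without detection; "
                                   "the interface will not be bounced"))
        raw = attrs.get(HEALTH_INTERVAL)
        if raw is None:
            continue
        try:
            intervals[name] = int(raw)
        except (TypeError, ValueError):
            findings.append((name, f"health-check interval {raw!r} is not a number"))
    # Rule 2: the cluster-wide value must be greater than the highest interval.
    for name, hours in intervals.items():
        if cluster_limit_hours <= hours:
            findings.append((name, f"health-check interval {hours}h is not below "
                                   f"the cluster-wide value {cluster_limit_hours}h"))
    return findings


if __name__ == "__main__":
    for profile, finding in audit_profiles(SAMPLE_PROFILES, cluster_limit_hours=12):
        print(f"{profile}: {finding}")
```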