This section provides the following information:
| Introduction |
| About the OnGuard Custom Interface and the Remediation Process |
| Configuring OnGuard Settings |
| Creating OnGuard Custom Web Pages |
| Installing Standalone VIA 3.2.x with OnGuard Agent |
Use the OnGuard Settings page to configure the agent deployment packages.
When you save the OnGuard configuration, ClearPass creates agent deployment packages for the Windows and Macintosh OS X operating systems and provides the packages at a fixed URL on the ClearPass Policy Manager hardware or virtual appliance.
You can then publish this URL to the user community or download the agent deployment packages to another location.
To view the OnGuard Support Charts, see Accessing the OnGuard Support Charts.
OnGuard provides the ability to show end users a custom interface, or wizard, that guides them through the remediation process if their device is quarantined.
When this feature is enabled and OnGuard needs to run a custom remediation script, the wizard tells the user why the device was denied network access, describes the tasks that are required to fix the problem, and lets the user choose whether to execute the remedial script or not. While the script is being executed and new health checks are run, progress messages are displayed.
The pages of the wizard are created using ClearPass Guest’s Web Pages configuration forms, and can be customized with logo, text, and images (for details, refer to the parameter in Table 1 and Creating OnGuard Custom Web Pages).
To enable configuration of the custom user interface and use the options in the area, see the next section, Configuring OnGuard Settings.
To create and design the custom web pages the end user sees, use the options provided in the area; see Creating OnGuard Custom Web Pages.
To configure the attribute:
1. Navigate to > > , then select the profile.
2. Specify the , , , and attributes, as well as other script-related attributes (for details, see Configuring Agent Script Enforcement Attributes).
To configure the OnGuard settings:
1. Navigate to > > .
The page opens:
Figure 1: OnGuard Settings Page
2. Configure the parameters as described in Table 1, then click .
| Parameter | Action/Description |
|---|---|
| Global Agent Settings | Configure the global agent settings parameters for OnGuard agents. For more information, see OnGuard Global Agent Settings. |
| Policy Manager Zones | Configure the network (subnet) for a Policy Manager Zone. For more information on configuring Policy Manager zones, see Managing Policy Manager Zones. |
| Agent Version | Indicates the current version of the OnGuard agent. |
| Agent Installers | |
| Installer Mode | Specify the action to be taken from the following options when the Aruba VIA component is used to provide VPN-based access. Selecting the option to remove will automatically remove any existing and installed Aruba VIA client software. Selecting the option to upgrade will automatically upgrade any existing and installed Aruba VIA client software. NOTE: For related information, see Installing Standalone VIA 3.2.x with OnGuard Agent. |
| Windows | Use the download link to download OnGuard Agent for Windows. This binary file is provided in .exe and .msi formats. |
| Mac OS X | Use the download link to download OnGuard Agent for Mac OS X. This binary file is in .DMG format. |
| Ubuntu | Use the download link to download Ubuntu Agent for Linux. This binary file is in .tar.gz format. |
| Native Dissolvable Agent Apps | |
| Windows | Click the URL to download Native Dissolvable Agent for Windows. |
| Mac OS X | Click the URL to download Native Dissolvable Agent for Mac OS X. |
| Ubuntu | Click the URL to download Native Dissolvable Agent for Ubuntu. You can download the .tar.gz files specific to 32-bit and 64-bit systems. |
| Agent Customization | |
| Managed Interfaces | Select the type(s) of interfaces that OnGuard will manage on the endpoint from the available options. |
| Mode | Select one of the available options. This setting is not valid for the mode. |
| Username Text | The label for the field on the OnGuard agent. This setting is not valid for the mode. |
| Password Text | The label for the field on the OnGuard agent. This setting is not valid for the mode. |
| Agent action when an update is available | Determines what the agent does when an update is available. Select one of the available options. |
| Custom User Interface | When you select the check box, the dialog opens (see Figure 3). |
| Managed Interfaces | The Native Dissolvable Agent performs health checks for one of the selected interfaces. This feature ensures that, if both wired and wireless interfaces are connected, the OnGuard Agent will send health requests through the correct interface. Select the type(s) of managed interfaces that are supported for the Native Dissolvable Agent from the available options. |
| HTML Content for OnGuard Custom Web Pages |
| Important Points |
| OnGuard Custom Script Exit Codes |
To create an OnGuard custom web page:
1. Navigate to > > .
The page opens.
2. Scroll down to the section.
3. To enable the configuration dialog, click (enable) the check box.
Figure 2: Agent Remediation User Interface Customization Dialog
4. Click the link for the OnGuard custom web page you want to create. For details, see HTML Content for OnGuard Custom Web Pages.
The > configuration dialog opens.
Figure 3: Configuring a New OnGuard Custom Web Page
5. Specify the required parameters ( , , and , as well as if desired), then click .
The is created.
6. :
| : The custom user interface window will always be on top of any other windows present. |
| : When set to True, the custom user interface window can be minimized. |
| : Prevents users from closing the custom user interface window. If set to True, users will be allowed to close the custom user interface window; however, the execution of custom scripts will continue in the background. |
| Even if the option is enabled, OnGuard Agent disables the button of the custom user interface while it is loading a page. |
7. : Specify the window height and width, as well as whether the window size should be a percentage of the client's screen or defined by the size in pixels.
| OnGuard Start Page |
| OnGuard Progress Page |
| OnGuard Finish Success Page |
| OnGuard Finish Error Page |
| OnGuard Finish Reboot Page |
This section provides the required names for each OnGuard custom web page as well as the recommended HTML content.
Be sure to use the names specified here, as ClearPass Policy Manager and OnGuard Agent look for pages with these names. Text in italics should not be changed.
The OnGuard Start Page is the initial web page shown to the end user when script execution begins. This page might include a button.
Page name: onguard_start
HTML content:
<p>Your device does not meet Minimum Specifications, which is required before you can connect to the Network.</p>
<p>The following is required:</p>
<div id="tasks_list">
</div>
<p>Please click the button below to start the remediation needed.</p>
<p>You will be connected to the Network after verification that your device meets all Minimum Security Specifications.</p>
<p><button id="next_button" type="button" onclick="">Next</button></p>
| If the button is missing on the OnGuard Start Page, OnGuard Agent will move to the OnGuard Progress Page after 30 seconds. This time duration is not configurable. |
The OnGuard Progress Page shows the progress and status of custom scripts that are being executed.
Page name: onguard_progress
HTML content:
<p>Please do not disconnect your device.</p>
<div id="task_progress_list">
</div>
The OnGuard Finish Success Page is shown after all the scripts have executed successfully and a system reboot is not necessary. This page includes a button.
Page name: onguard_finish_success
HTML content:
<p>We will now rescan your system to verify that it meets Minimum Security Specifications and then connect you to the Network.</p>
<p>If you are not connected in five minutes, please contact <b>12334</b> or <a href="https://www.google.com">click here</a>.</p>
<p><button id="close_button" type="button" onclick="">Close</button></p>
The OnGuard Finish Error Page is shown if at least one of the scripts returns Failure and a reboot is not required. This page includes a button.
Page name: onguard_finish_error
HTML content:
<p>Remediating your device to meet Minimum Security Specifications was unsuccessful because:</p>
<div id="failed_tasks">
</div>
<p>Please visit this <a href="https://www.google.com">Support Page</a> to get assistance.</p>
<p><b>You are not yet connected to the Network.</b></p>
<p><button id="close_button" type="button" onclick="">Close</button></p>
The OnGuard Finish Reboot Page is shown after all the scripts have executed successfully and a system reboot is necessary. This page includes a button.
Page name: onguard_finish_reboot
HTML content:
<p>We will now rescan your system to verify that it meets Minimum Security Specifications and <b>reboot your system</b>, then connect you to the Intel Network.</p>
<p>If you are not connected in five minutes, please contact <b>12334</b> or visit this <a href="https://www.google.com">Support Page</a> to get assistance.</p>
<p><button id="reboot_button" type="button" onclick="">Reboot</button></p>
This section provides important notes regarding OnGuard Agent behavior when using the Custom User Interface for Custom Scripts.
| In ClearPass Policy Manager 6.6.7, this feature is supported for Windows Persistent Agent only. |
1. | OnGuard Agent checks the custom script's exit code to compute the custom scripts status. |
2. | OnGuard Agent determines the final page based on the script's exit codes and the client's health status. For details, see the next section, OnGuard Custom Script Exit Codes. |
3. | This feature is not supported when OnGuard is running as a service. |
4. | The custom user interface loads a fresh web page from ClearPass Guest every time. It does not cache the pages. |
5. | If the user closes the custom user interface while the script is executing, OnGuard Agent continues executing scripts without the custom user interface. |
6. | Administrators will have to refresh or open the page again after creating web pages in ClearPass Guest ( > > ). |
7. | If the ClearPass Server Certificate is not validated when ClearPass loads the web page for the first time, the custom user interface displays the following security alert: |
Figure 4: Server Certificate Not Validated Security Alert
8. | A new option, , has been added in that you can configure to avoid receiving a Server Certificate security alert (see the parameter description in Global Agent Settings Parameters for OnGuard Agents). |
The OnGuard custom script exit codes are comprised of Success Codes and Failure Codes, as described below.
Success Codes:
| Script executed successfully = 0 (0x00) |
| Reboot (Reboot is required) = 2 (0x02) |
| The range available to Administrators to define their own Success Codes = 3 (0x03) to 63 (0x3F) |
Failure Codes:
| Script executed successfully but its exit code indicates failure = 64 (0x40) |
| The range available to Administrators to define their own Failure Codes = 65 (0x41) to 255 (0xFF) |
| Unknown error = 256 (0x100) |
| Timeout: Script did not finish execution in expected time = 257 (0x101) |
| Failed to read exit code of script = 258 (0x102) |
| OnGuard failed to execute script = 259 (0x103) |
| Script file not found = 260 (0x104) |
| Script file did not pass validation checks = 261 (0x105) |
| Failed to download script file = 262 (0x106) |
| Execution level is set to “User” but the user is not logged on, so OnGuard was not able to launch the script = 263 (0x107) |
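The exit-code ranges above form a small contract between OnGuard Agent and a custom remediation script, and the finish page the user sees depends on how the agent reads those codes. The following Python is an added example, not ClearPass or OnGuard code: it classifies a script exit code using the ranges listed in this section, then selects the finish page name using the rules stated under HTML Content for OnGuard Custom Web Pages (error page if any script failed, reboot page if all succeeded and one requested a reboot, success page otherwise). The function names are hypothetical, exit codes the list does not mention (such as 1, or a failure combined with a reboot request) are handled by this example's own assumptions, and the client's health status, which the agent also considers, is not modelled.

```python
"""Classify OnGuard custom-script exit codes and choose the finish page.

Added example; not ClearPass or OnGuard code. Numeric values follow the
OnGuard Custom Script Exit Codes list; function names are hypothetical.
"""
from __future__ import annotations

# Reserved failure codes as documented (value -> meaning).
RESERVED_FAILURE_CODES = {
    64: "Script executed successfully but its exit code indicates failure",
    256: "Unknown error",
    257: "Timeout: script did not finish execution in expected time",
    258: "Failed to read exit code of script",
    259: "OnGuard failed to execute script",
    260: "Script file not found",
    261: "Script file did not pass validation checks",
    262: "Failed to download script file",
    263: "Execution level is 'User' but the user is not logged on",
}


def classify_exit_code(code: int) -> tuple[str, str]:
    """Return (outcome, description); outcome is 'success', 'reboot' or 'failure'."""
    if code == 0:
        return "success", "Script executed successfully"
    if code == 2:
        return "reboot", "Script executed successfully; reboot is required"
    if 3 <= code <= 63:
        # Administrator-defined success range 3 (0x03) to 63 (0x3F).
        return "success", f"Administrator-defined success code {code} (0x{code:02X})"
    if code in RESERVED_FAILURE_CODES:
        return "failure", RESERVED_FAILURE_CODES[code]
    if 65 <= code <= 255:
        # Administrator-defined failure range 65 (0x41) to 255 (0xFF).
        return "failure", f"Administrator-defined failure code {code} (0x{code:02X})"
    # Assumption of this example: any code the list does not define (1, or
    # anything above 263) is treated as a failure rather than a success.
    return "failure", f"Undocumented exit code {code} (0x{code:X})"


def finish_page(exit_codes: list[int]) -> str:
    """Pick the finish page name from the collected script exit codes.

    Error page if at least one script failed; reboot page if all succeeded
    and at least one asked for a reboot; success page otherwise. A failure
    together with a reboot request is not specified by the documentation;
    this example (assumption) reports it as an error.
    """
    outcomes = [classify_exit_code(c)[0] for c in exit_codes]
    if "failure" in outcomes:
        return "onguard_finish_error"
    if "reboot" in outcomes:
        return "onguard_finish_reboot"
    return "onguard_finish_success"


if __name__ == "__main__":
    # Constructed sample run: three remediation scripts, one asking for a reboot.
    sample = [0, 0x05, 2]
    for c in sample:
        print(c, *classify_exit_code(c))
    print("finish page:", finish_page(sample))
```

Scripts that run under OnGuard should map their own results onto these ranges deliberately: a custom success reason belongs in 3 to 63, a custom failure reason in 65 to 255, and anything else will be read by the agent as a reserved or undocumented value rather than as the result the script author intended.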
ClearPass supports standalone installation of both VIA 3.2.x and the OnGuard Agent. This allows administrators to use VIA 3.2.x functionality that is not yet available in the Unified Agent in conjunction with the OnGuard Agent. This feature is supported by OnGuard 6.6.10 and higher and by VIA 3.2.2 and higher. This feature is available only on Windows OS.
To use this feature, OnGuard must be installed by passing the AllowBothVIAAndOnGuard flag to the installer in the following format:
ClearPassOnGuardInstall.exe /AllowBothVIAAndOnGuard=1
msiexec /i ClearPassOnGuardInstall.msi ALLOWBOTHVIAANDONGUARD=1
Both OnGuard and VIA must be installed with this flag in order for them to co-exist on the same system. If either of them is installed without this flag, the other cannot be installed.
In addition, VIA must be installed with the ALLOWBOTHVIAANDONGUARD flag in the following format:
msiexec /i Aruba-VIA-3.2.0.0.XXXXX-64(86).msi ALLOWBOTHVIAANDONGUARD=1
| If the ClearPass OnGuard Unified Agent is installed with AllowBothVIAAndOnGuard=1, the Unified Agent will not enable the VPN component, even if it is enabled in the ClearPass user interface, i.e., the ClearPass OnGuard Unified agent will run in OnGuard-only mode even if the > > > option is set to . |