Creating OnGuard Custom Web Pages
OnGuard provides the ability to show end users a custom interface, or wizard, that guides them through the remediation process if their device is quarantined. When this feature is enabled and OnGuard needs to run a custom remediation script, the wizard tells the user why the device was denied network access, describes the tasks that are required to fix the problem, and lets the user choose whether to execute the remedial script or not. While the script is being executed and new health checks are run, progress messages are displayed.
The pages of the wizard are created using Policy Manager Guest’s Web Pages configuration forms, and can be customized with logo, text, and images (for details, refer to the parameter in Table 1, the OnGuard Settings Parameters table).
Enabling the Show Custom User Interface for Custom Scripts Attribute
To configure the attribute:
1. Navigate to > > , then select or add the profile.
Figure 1 Agent Enforcement > Profile Tab
2. Configure the Agent Enforcement Profile as described in Agent Enforcement Profile.
3. Select the tab.
4. From the drop-down, select .
Figure 2 Enabling the Show Custom UI for Custom Scripts Attribute
5. To set this attribute to , click the check box.
Figure 3 Show Custom UI for Custom Scripts Attribute Enabled
6. If needed, complete the configuration for the Agent Enforcement Profile, then click .
7. Use theto specify the Success Message, Failure Message, Progress Message, and Description parameters, as well as other script-related attributes (for configuration details, refer to Configuring Agent Script Enforcement Attributes).
This step is required because the attributes in the Agent Script Enforcement Profile are used when the Custom UI for Custom Scripts is enabled.
Creating OnGuard Custom Web Pages
To create :
1. Navigate to > > .
The page opens.
2. Scroll down to the section.
Figure 4 Agent Remediation User Interface Customization
3. To enable the configuration, click (enable) the check box.
The dialog is expanded to show the list of custom web pages you can configure, as well as options to define window behavior and managed interfaces.
Figure 5 Agent Remediation User Interface Customization Dialog
4. Configure window behavior as described in the following table:
| Parameter | Action/Description |
|---|---|
| Window Behavior | Enable one or more Window Behavior settings: : The Custom User Interface window will always be on top of any other windows present. : When set to , the Custom User Interface window can be minimized. : Prevents users from closing the Custom User Interface window. If set to , users will be allowed to close the Custom User Interface window; however, the execution of custom scripts will continue in the background. Even if the option is enabled, OnGuard Agent disables the button of the custom user interface while it is loading a page. |
| Window Size | Specify the window height and width, as well as whether the window size should be a percentage of the client's screen or defined by the size in pixels. |
| Managed Interfaces | The Native Dissolvable Agent performs health checks for one of the selected interfaces. This feature ensures that, if both wired and wireless interfaces are connected, the OnGuard Agent will send health requests through the correct interface. Select the type(s) of managed interfaces that are supported for the Native Dissolvable Agent: Wired, Wireless, Other. |
5. Click the link for the OnGuard custom web page you want to create.
The > configuration dialog opens.
Figure 6 Configuring a New OnGuard Custom Web Page
6. Specify the required Create Web Page parameters as described in the following table:
| Attribute Name | Action/Description |
|---|---|
| Name | Enter a name for the web page. This name is shown only to administrators. |
| Page Name | Enter a page name for this web page. The web page will be accessible from "/guest/page_name.php". |
| Enabled | Click (enable) this check box to enable this web page. |
| Description | Optionally, enter comments or notes about this web page. This description is shown only to administrators. |
| Skin | From the drop-down, select the skin to apply to this web page. |
| | Enter the title to be displayed on the web page. |
| HTML | Enter the required names for each OnGuard custom web page as well as the recommended HTML content. For details, see HTML Content for OnGuard Custom Web Pages below. |
Advanced Settings and Access Control
To configure the Custom Web Page Advanced Settings and Access Control settings:
1. From the dialog, check (enable) the option.
The Advanced Settings section expands to show the full set of advanced options.
Figure 7 Custom Web Page Advanced Settings
2. Specify the Advanced settings and Access Control settings as described in the following table:
| Parameter | Action/Description |
|---|---|
| Show advanced settings | To view the Advanced Settings, click the check box. |
| | The Apple Captive Network Assistant (CNA) is the pop-up browser shown when joining a network that has a captive portal. Note that this option may not work with all vendors, depending on how the captive portal is implemented. |
| Translations | Enable this check box to skip automatic translation handling. Selecting this option keeps all the current text as the default. From Policy Manager Guest, many fields and pages have translations available under > >. |
| Allowed Access | Enter the IP addresses and networks from which access is permitted. |
| Denied Access | Enter the IP addresses and networks that are denied access. |
| Deny Behavior | From the drop-down, select one of the following responses to a request that is not permitted: Show Access Denied page; Show a blank page. |
3. Click .
The is created.
HTML Content for OnGuard Custom Web Pages
This section provides the required names for each OnGuard custom web page as well as the recommended HTML content. Be sure to use the specified here as ClearPass Policy Manager and OnGuard Agent look for pages with these names. Text in italics should not be changed.
The OnGuard Start Page is the initial web page shown to the end user when script execution begins. This page might include a button.
: onguard_start
:
<p>Your device does not meet Minimum Specifications, which is required before you can connect to the Network.</p>
<p>The following is required:</p>
<div id="tasks_list">
</div>
<p>Please click the button below to start the remediation needed.</p>
<p>You will be connected to the Network after verification that your device meets all Minimum Security Specifications.</p>
<p><button id="next_button" type="button" onclick=""/>Next</button></p>
If the button is missing on the OnGuard Start Page, OnGuard Agent will move to the OnGuard Progress Page after 30 seconds. This time duration is not configurable.
The OnGuard Progress Page shows the progress and status of custom scripts that are being executed.
onguard_progress
<p>Please do not disconnect your device.</p>
<div id="task_progress_list">
</div>
The OnGuard Finish Success Page is shown after all the scripts have executed successfully and a system reboot is not necessary. This page includes a button.
onguard_finish_success
<p>We will now rescan your system to verify that it meets Minimum Security Specifications and then connect you to the Network.</p>
<p>If you are not connected in five minutes, please contact <b>12334</b> or <a href="https://www.google.com">click here</a> .</p>
<p><button id="close_button" type="button" onclick=""/>Close</button></p>
The OnGuard Finish Error Page is shown if at least one of the scripts returns Failure and a reboot is not required. This page includes a button.
onguard_finish_error
<p>Remediating your device to meet Minimum Security Specifications was unsuccessful because:</p>
<div id="failed_tasks">
</div>
<p>Please visit this <a href="https://www.google.com">Support Page</a> to get assistance.</p>
<p><b>You are not yet connected to the Network.</b></p>
<p><button id="close_button" type="button" onclick=""/>Close</button></p>
The OnGuard Reboot Page is shown after all the scripts have executed successfully and a system reboot is necessary. This page includes a button.
onguard_finish_reboot
<p>We will now rescan your system to verify that it meets Minimum Security Specifications and <b>reboot your system</b>, then connect you to the Intel Network.</p>
<p>If you are not connected in five minutes, please contact <b>12334</b> or visit this <a href="https://www.google.com">Support Page</a> to get assistance.</p>
<p><button id="reboot_button" type="button" onclick=""/>Reboot</button></p>
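The following is an added example, not part of the HPE documentation: a small Python check an administrator could run on page HTML before pasting it into Policy Manager Guest. The page names and element ids are the ones shown above; treating each id as required exactly once, and the names lint_page and EXPECTED_IDS, are assumptions of this example.

```python
from collections import Counter
from html.parser import HTMLParser

# Page names and element ids as they appear in the recommended HTML above.
# Assumption of this example: every listed id must be present exactly once.
EXPECTED_IDS = {
    "onguard_start": {"tasks_list", "next_button"},
    "onguard_progress": {"task_progress_list"},
    "onguard_finish_success": {"close_button"},
    "onguard_finish_error": {"failed_tasks", "close_button"},
    "onguard_finish_reboot": {"reboot_button"},
}


class _IdCollector(HTMLParser):
    """Counts the id attribute of every start tag, including <tag .../> forms."""

    def __init__(self):
        super().__init__()
        self.ids = Counter()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name == "id" and value:
                self.ids[value] += 1


def lint_page(page_name, html):
    """Return a list of findings; an empty list means the page passed."""
    if page_name not in EXPECTED_IDS:
        return [f"unknown page name: {page_name}"]
    collector = _IdCollector()
    collector.feed(html)
    collector.close()
    missing = sorted(EXPECTED_IDS[page_name] - set(collector.ids))
    findings = [f"missing id: {i}" for i in missing]
    findings += [f"duplicate id: {i}" for i, n in sorted(collector.ids.items()) if n > 1]
    return findings


# Start-page HTML shortened from the recommended content above.
SAMPLE_START = (
    '<p>The following is required:</p>'
    '<div id="tasks_list"></div>'
    '<p><button id="next_button" type="button" onclick=""/>Next</button></p>'
)

if __name__ == "__main__":
    print(lint_page("onguard_start", SAMPLE_START))
    print(lint_page("onguard_start", SAMPLE_START.replace("next_button", "nxt_button")))
```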
Important Points
Note the following OnGuard Agent behaviors when using the Custom User Interface for Custom Scripts.
1. OnGuard Agent checks the custom script's exit code to compute the custom script's status.
2. OnGuard Agent determines the final page based on the script's exit codes and the client's health status. For details, see the next section, OnGuard Custom Script Exit Codes.
3. This feature is not supported when OnGuard is running as a service.
4. The Custom User Interface loads a fresh web page from Policy Manager Guest every time. It does not cache the pages.
5. If the user closes the Custom User Interface while the script is executing, OnGuard Agent continues executing scripts without the Custom User Interface.
6. Administrators will have to refresh or open the page again after creating web pages in Policy Manager Guest (> > ).
7. If the Policy Manager Server Certificate is not validated when Policy Manager loads the web page for the first time, the Custom User Interface displays the following security alert:
Figure 8 Server Certificate Not Validated Security Alert
8. A new option, , has been added in that you can configure to avoid receiving a Server Certificate security alert (see the parameter description in Global Agent Settings Parameters for OnGuard Agents).
OnGuard Custom Script Exit Codes
The OnGuard custom script exit codes are comprised of and as described below:
The range available to Administrators to define their own Success Codes = 3 (0x03) to 63 (0x3F).
Script executed successfully = 0 (0x00)
Reboot (Reboot is required) = 2 (0x02)
The range available to Administrators to define their own Failure Codes = 65 (0x41) to 255 (0xFF).
Script executed successfully but its exit code indicates failure = 64 (0x40)
Unknown error = 256 (0x100)
Timeout: Script did not finish execution in expected time = 257 (0x101)
Failed to read exit code of script = 258 (0x102)
OnGuard failed to execute script = 259 (0x103)
Script file not found = 260 (0x104)
Script file did not pass validation checks = 261 (0x105)
Failed to download script file = 262 (0x106)
Execution level is set to “User” but the user is not logged on, so OnGuard was not able to launch the script = 263 (0x107)
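The following is an added example, not part of the HPE documentation: a Python helper for checking, before deployment, how the exit codes of a set of remediation scripts map onto the categories above and onto the final page described earlier. It assumes the client's health status does not change the outcome, treats codes 256 to 263 as agent-side failures, and returns None for combinations this page does not define; the function names are hypothetical.

```python
# Categories used by this example (names are not OnGuard's own).
SUCCESS, REBOOT, FAILURE, AGENT_ERROR, UNDOCUMENTED = (
    "success", "reboot", "failure", "agent_error", "undocumented")


def classify(code):
    """Map one script exit code to a category, using the ranges listed above."""
    if code == 0 or 3 <= code <= 63:      # 0, or administrator-defined success
        return SUCCESS
    if code == 2:                         # reboot is required
        return REBOOT
    if 64 <= code <= 255:                 # 64, or administrator-defined failure
        return FAILURE
    if 256 <= code <= 263:                # timeout, file not found, and so on
        return AGENT_ERROR
    return UNDOCUMENTED                   # for example 1, which the list omits


def final_page(codes):
    """Pick the finish page name for a batch of exit codes, or None if undefined."""
    kinds = {classify(c) for c in codes}
    if not kinds or UNDOCUMENTED in kinds:
        return None
    failed = bool(kinds & {FAILURE, AGENT_ERROR})
    reboot = REBOOT in kinds
    if failed and reboot:
        return None                       # the page does not cover this mix
    if failed:
        return "onguard_finish_error"
    if reboot:
        return "onguard_finish_reboot"
    return "onguard_finish_success"


if __name__ == "__main__":
    # Constructed batches of exit codes, one list per remediation run.
    for batch in ([0, 10], [0, 2], [0, 70], [0, 257], [2, 70], [1]):
        print(batch, [classify(c) for c in batch], final_page(batch))
```

A script that exits with 1 on failure, a common shell convention, falls outside every range listed here, so it is worth mapping such failures to a code from 65 to 255 instead.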