The dangers of endpoints connecting to the network before scanning for device health

Endpoint compliance assessments are critical for today’s mobile workforce environment. Employees, contractors, and guests treat IT-issued laptops as if they own them. Meanwhile, bring your own device (BYOD) has become popular due to convenience, cost savings and IT offload. Unfortunately, user behavior and connecting these devices to enterprise networks is a growing concern that adds potential threats.

Today, endpoint compliance means much more than just checking for traditional anti-virus and firewall status. IT can now require and control the use of many more variables that have been implicated in breaches. This can include controlling USB ports, P2P file share blocking, spyware updates, patch/hotfix management, and more. Additionally, today’s NAC solutions can be configured so that features run in the background. Real-time assessments can trigger auto-remediation to change the status of an endpoint that makes it non-compliant. When auto-remediation is not an option, the NAC solution can also communicate instructions to the end user on how to resolve non-compliance issues via SMS, email, or a service desk call.

Stories about breaches and corporate data loss are increasingly all over the news feeds. Some of the largest companies in the world have had to disclose devastating breaches because someone brought a device onto the network that was not IT issued and logged into the network without a health check. Once malicious code is injected into the network in the fraction of a second that the user logs in, there is virtually no way to stop the propagation of the infection throughout the network – the damage has already been done. And now with laws requiring public disclosure and notification of breaches, the costs are staggering – not to mention the potentially personal legal implications for C-level executives.

Airowire Networks can provide a customized solution using ClearPass Onguard

Although accessing the network after checking for device health policy is critical from a security standpoint, both pre and post assessment and enforcement is ideal for strong security. Say you have a pre-enforcement solution and policy in place and a remote employee wants to use their personal laptop on the network. They are required to download an agent which then scans for a policy. If the device is clean, they are allowed onto the network. If there is an anti-virus program that is outdated, it can be auto-remediated.

The difference between the two is that the persistent agent provides nonstop monitoring and automatic remediation and control. When running persistent OnGuard agents, ClearPass Policy Manager can centrally send system-wide notifications and alerts, and allow or deny network access. The persistent agent also supports auto and manual remediation.

Alternatively, the web-based dissolvable agent is ideal for personal, non IT-issued devices that connect via a captive portal and do not allow agents to be permanently installed. A one-time check at login ensures policy compliance. Devices not meeting compliance can be redirected to a captive portal for manual remediation. Once the browser page used during authentication is closed, the dissolvable agent is removed leaving no trace.

To simplify troubleshooting, endpoint control and compliance reporting, ClearPass Policy Manager offers the ability to centrally managed health-check settings and policies. Views of ClearPass OnGuard activity, including user and device data show information about each device that connects using OnGuard agents.

If unhealthy endpoints do not meet compliance requirements, the user receives a message about the endpoint status and instructions on how to achieve compliance if auto-remediation is not used. Messages can include reasons for remediation, links to helpful URLs and helpdesk contact information. ClearPass persistent agents provide the same message and remediation capabilities for 802.1X and combined environments.


  • Enhanced capabilities for endpoint compliance and control.
  • Supports Microsoft, Apple, and Linux operating systems.

  • Anti-virus, anti-spyware, firewall checks and more.

  • Optional auto-remediation and quarantine capabilities.

  • System-wide endpoint messaging, notifications and session control.
  • Centrally view the online status of all devices from the ClearPass Policy Manager platform.