Installing Aruba ClearPass OnGuard on Linux


Table of Contents

For general information on OnGuard, please see the "Using Aruba Clearpass OnGuard" section in KB0020044, "Network Deployments for UMD-Managed Devices".

Download the Installer

The Aruba ClearPass OnGuard is available on Terpware.

Access is restricted to netadmins only. Review the NetAdmin Accounts FAQ for more information.

Follow the instructions below to log into Terpware with your netadmin account and download the installer.

  1. Open your favorite browser and then open a new private/incognito window.
  2. In the private window, browse to the OnGuard page on Terpware.
  3. Click the blue "Sign in for access" button in the middle of the page.  That should redirect you to CAS.
  4. Sign into CAS using your <DIRECTORY_ID>/netadmin credentials.
  5. Upon successfully signing in, you should be redirected back to the OnGuard page on Terpware.
  6. Click the blue button corresponding to your distribution to download the OnGuard installer.
    1. RHEL - ClearPassOnGuardInstall_RHEL.tar.gz
    2. Ubuntu - ClearPassOnGuardInstall_Ubuntu.tar.gz
  7. Done!

Once you have downloaded the installer, please continue with the instructions below to install OnGuard on your Linux hosts.

Top

Installing ClearPass OnGuard

Once you have acquired the OnGuard installer, you may now install it on any Linux hosts you administer that will be a part of the policy-based network. There are a few caveats:

  1. OnGuard requires a graphical user interface (GUI) both for installation and functionality. Onguard is not active during console-based or non-graphical sessions (e.g. SSH).  In this case, any network policies depending on your user information will not be applied.
  2. OnGuard is only for Linux hosts managed by UMD. It is not recommended nor required for personal Linux devices.
  3. OnGuard stores data in the ~/.clearpass_onguard directory. If your home directory is on a shared filesystem e.g. AFS, logging into OnGuard on multiple hosts utilzing this shared filesystem may lead to unexpected behavior by OnGuard and thus the policy-based network. For example, you may not be granted access to network resources if such access is dependent upon identity information from OnGuard. 
  4. OnGuard does not support the ARM architecture on Linux or Windows.

Red Hat and Ubuntu distributions are covered by the instructions below. If you have another distribution, please read the instructions below and customize accordingly. View the list of distributions on which OnGuard runs. The installers include packages for both x86_64 and i386 architectures. The instructions below assume x86_64 will be used, but i386 packages are available if needed.

The following assumes the work is being done via a terminal. Feel free to substitute GUI actions where appropriate.

  1. Before installing OnGuard, please perform the following prerequisite tasks.
    1. Install the following required Qt graphical packages:
      • Red Hat - qt5-qtbase, qt5-qtbase-common, and qt5-qtbase-gui
      • Ubuntu - libqt5core5a, libqt5widgets5, and libqt5gui5 
    2. Apply any OS updates available using the distributions native package manager (dnf or apt).

  2. Upload the ClearPass OnGuard installer archive, ClearPassOnGuardInstall.tar.gz, to the host. You may upload the installer via scp or sftp if the host has network connectivity, or via a thumb drive otherwise.
    scp ./ClearPassOnGuardInstall.tar.gz linux4ever.umd.edu:~/

  3. Log into the host via the GUI and start a terminal.

  4. Copy the installer to /tmp/clearpass_onguard:
    mkdir /tmp/clearpass_onguard
    cp ~/ClearPassOnGuardInstall.tar.gz /tmp/clearpass_onguard

  5. Change into the /tmp/clearpass_onguard directory and extract the archive:
    cd /tmp/clearpass_onguard
    tar -xvzf ClearPassOnGuardInstall.tar.gz

  6. Run the appropriate installer. 
    ./clearpass-onguard-installer-<VERSION>-<DISTRO>-x86_64
    where <VERSION> is the current OnGuard version and <DISTRO> is either "rhel" or "ubuntu".
    NOTE: By default, the installer will prompt for sudo credentials if it was run by a normal user. If sudo is not functional on the host however, be sure to elevate your privileges beforehand via "su".

  7. A GUI installation wizard will be displayed. Click the "Next" button to continue to the next step and start the installation.
    onguard installer welcome window
  8. If elevated privileges are needed, you will be prompted for sudo credentials at this stage. Enter them and click "OK" to continue the installation. 

  9. A text field is shown and logs from the installation are displayed in real time. Once the installation completes (it should only take a few seconds), you should see "Installation Successful."
    clearpass onguard installer completed
  10. Click the "Finish" button to complete the installation and close the wizard.

  11. If you see an error window, "Failed to create VIA application directory", just click the "OK" button and ignore it. 
    clearpass onguard error window
  12. If you are prompted to log into OnGuard at this point, click the "Cancel" button.
    clearpass onguard login prompt
  13. Log out of the host.

  14. Log back into the host via the GUI.

  15. You should be prompted to log into OnGuard again. This time, go ahead and type in with your Directory ID and passphrase and click "OK".

  16. Open the OnGuard application to check your login status. If you are successfully logged in, you will see a green shield and the words "Authentication Successful".
    clearpass onguard application
  17. After confirming you are successfully logged into OnGuard, you may close the application by clicking the "X" in the upper right-hand corner. It will continue to run in the background.

  18. Open a terminal to clean up our installation files in /tmp.

  19. Change to the /tmp directory.
    cd /tmp

  20. Delete the onguard_clearpass directory and its contents:
    rm -rf onguard_clearpass

  21. Done!

As noted above in the caveats, OnGuard stores data, including your credentials, in the ~/.clearpass_onguard directory. Due to this cache, you should not be prompted again to log into OnGuard unless you change your passphase. If you log into a host for the first time and this cache doesn't exist, you will be prompted to log into OnGuard then as well. 

Top

Uninstalling ClearPass OnGuard

Follow the instructions below to uninstall ClearPass OnGuard.

  1. Uninstall the ClearPass OnGuard package using the distribution's native package manager.
    1. Red Hat - dnf remove clearpass-onguard
    2. Ubuntu - sudo apt-get purge clearpass-onguard

  2. Log out of the host.

  3. Log back into the host.

  4. Remove the ~/.clearpass_onguard directory:
    rm -rf ~/.clearpass_onguard

  5. Done!

Top