In ClearPass versions earlier than 6.4, an endpoint that has already been profiled under one category can show up under a different category because its initial fingerprint was overridden by a different fingerprint.
Several cases can cause this; two of them are described below.
Case 1: An HTTP fingerprint overrides a DHCP fingerprint because a user modified the HTTP user agent in the browser and then accessed the ClearPass captive portal.
Case 2: An endpoint that initially has the DHCP fingerprint of a Printer starts showing up as a Computer because a user connected from a Computer using the Printer's MAC address and succeeded in getting an IP address, which overrides the initial DHCP fingerprint and changes the category.
The solution for this is the Conflict attribute that has been added in ClearPass.
Environment: This article applies to all ClearPass versions above 6.4.
The Conflict attribute is set to True whenever there is a profiling conflict like the ones discussed in the Introduction.
In scenarios like Case 1, we can set up a rule like the one shown below.
In the rule above, Category denotes the present category and Other Category denotes the previous category.
In scenarios like Case 2, the rules should look like the ones below.
So when we come across cases like the ones above, or other cases dealing with profiling conflicts, we can set up customized rules to separate those devices, deny them access, and probably take them to a splash page that asks them to contact the Administrator.
The Administrator can choose any of the 3 options available to deal with the conflict:
The "Ignore this fingerprint" option sets the present category as the Category of the endpoint.
The "Use this fingerprint" option sets the previous category as the Category of the endpoint.
The "Resolve later" option leaves the endpoint in its current state with the overridden category and lets the Administrator choose later.
Using the Conflict attribute together with other attributes such as Other Category, we can deal with profiling conflicts as shown above. In addition to these capabilities, from 6.5 onwards we also initiate an automated CoA as soon as we detect a conflict.
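The following sketch is an added illustration, not a ClearPass rule or export format: it models first-match rule evaluation on the Conflict, Category and Other Category attributes for a Case 2 style conflict. The rule names, category values, actions and endpoint records are constructed assumptions.

```python
# Added illustration: first-match rule evaluation over endpoint attributes.
# Attribute names (Conflict, Category, Other Category) come from the article;
# rule names, category values, actions and records below are constructed.

def is_true(value):
    """Treat True or the strings 'true'/'True' as a set Conflict attribute."""
    return str(value).strip().lower() == "true"

# (rule name, conditions, action); a condition value of None matches anything.
RULES = [
    ("printer-now-computer",   # present = Computer, previous = Printer
     {"Conflict": True, "Category": "Computer", "Other Category": "Printer"},
     "deny"),
    ("any-other-conflict",
     {"Conflict": True, "Category": None, "Other Category": None},
     "splash-page"),
]
DEFAULT = ("default", "allow")

def matches(endpoint, conditions):
    for attr, wanted in conditions.items():
        actual = endpoint.get(attr)
        if attr == "Conflict":
            if is_true(actual) != wanted:
                return False
        elif wanted is not None and (actual or "").lower() != wanted.lower():
            return False
    return True

def evaluate(endpoint):
    """Return (rule_name, action) of the first rule the endpoint matches."""
    for name, conditions, action in RULES:
        if matches(endpoint, conditions):
            return name, action
    return DEFAULT

def triage(endpoints):
    """Map each endpoint MAC to the action chosen for it."""
    return {ep["mac"]: evaluate(ep)[1] for ep in endpoints}

# Constructed sample records (MACs from the documentation range).
ENDPOINTS = [
    {"mac": "00:00:5e:00:53:01", "Conflict": "true",
     "Category": "Computer", "Other Category": "Printer"},
    {"mac": "00:00:5e:00:53:02", "Conflict": True,
     "Category": "SmartDevice", "Other Category": "Computer"},
    {"mac": "00:00:5e:00:53:03", "Conflict": "false", "Category": "Printer"},
    {"mac": "00:00:5e:00:53:04", "Category": "Computer"},  # attribute absent
]

if __name__ == "__main__":
    for mac, action in triage(ENDPOINTS).items():
        print(mac, action)
```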