
Work with profiling conflicts and set up policies to avoid conflict devices

Aruba Employee

In ClearPass versions earlier than 6.4, an endpoint that has already been profiled under a certain category can show up under a different category because its initial fingerprint was overridden by a different fingerprint.
Several situations can cause this; two of them are described below.
Case 1
An HTTP fingerprint overrides a DHCP fingerprint because a user modified the HTTP user agent in the browser and then accessed the ClearPass captive portal.
Case 2
An endpoint that initially has the DHCP fingerprint of a Printer starts showing up as a Computer: a user connects from a Computer using the Printer's MAC address and succeeds in getting an IP address, which overrides the initial DHCP fingerprint and changes the category.

The solution for this is the Conflict attribute that has been added in ClearPass.

 

Environment: This article applies to all ClearPass versions above 6.4.

 

The Conflict attribute is set to True whenever there is a profiling conflict like the ones discussed in the introduction.

 

rtaImage.png

 

In scenarios like Case 1, we can set up a rule like the one shown below.

 

rtaImage (1).png

 

In the rule above, Category denotes the present category and Other Category denotes the previous category.

In scenarios like Case 2, the rules should look like the ones below.

 

rtaImage (2).png

 

When we come across cases like the ones above, or other cases involving profiling conflicts, we can set up customized rules to separate those devices, deny them access, and probably take them to a splash page that asks them to contact the Administrator.

The Administrator can choose any of the 3 options available to deal with the conflict:

 

rtaImage (3).png

 

The "Ignore this fingerprint" option updates the present category as the Category of the endpoint. The "Use this fingerprint" option updates the previous category as the Category of the endpoint.
"Resolve later" leaves the endpoint in the current state with the overridden category and lets the administrator choose later.

 

Using the Conflict attribute together with other attributes such as Other Category, we can deal with profiling conflicts as shown above. In addition to these capabilities, from 6.5 onwards an automated CoA is also initiated as soon as a conflict is detected.
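
The conflict handling described above, as a small Python model. This is an added example, not ClearPass code or rule syntax: the `Endpoint` fields, the `RULES` table, the action names, the Case 1 categories and the clearing of the conflict flag on resolution are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Endpoint:
    mac: str
    category: str             # present category
    other_category: str = ""  # previous category, filled in on a conflict
    conflict: bool = False

def apply_fingerprint(ep, new_category):
    """A fingerprint that changes the category marks the endpoint as in conflict."""
    if new_category != ep.category:
        ep.other_category, ep.category = ep.category, new_category
        ep.conflict = True
    return ep

# Ordered rules, first match wins: (conflict, category, other_category, action).
# None matches any value. Action names are hypothetical.
RULES = [
    (True, "SmartDevice", "Computer", "SPLASH_CONTACT_ADMIN"),  # Case 1 (categories assumed)
    (True, "Computer", "Printer", "DENY"),                      # Case 2
    (True, None, None, "SPLASH_CONTACT_ADMIN"),                 # any other conflict
    (False, None, None, "ALLOW"),
]

def evaluate(ep):
    for conflict, cat, other, action in RULES:
        if (conflict == ep.conflict and cat in (None, ep.category)
                and other in (None, ep.other_category)):
            return action
    return "DENY"  # fail closed if no rule matches

def resolve(ep, option):
    """Apply one of the three administrator options as the article describes them."""
    if option == "Resolve later":
        return ep                          # stays in conflict with the overridden category
    if option == "Use this fingerprint":
        ep.category = ep.other_category    # previous category becomes the Category
    elif option != "Ignore this fingerprint":
        raise ValueError(f"unknown option: {option}")
    # "Ignore this fingerprint" keeps the present category as the Category.
    ep.conflict, ep.other_category = False, ""  # assumption: resolving clears the flag
    return ep

if __name__ == "__main__":
    printer = Endpoint(mac="00:11:22:33:44:55", category="Printer")  # constructed sample
    apply_fingerprint(printer, "Computer")   # Case 2: DHCP fingerprint overridden
    print(evaluate(printer))                 # conflict rule matches
    print(evaluate(resolve(printer, "Use this fingerprint")))
```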

 

Version history
Revision #: 1 of 1
Last update: 04-08-2015 10:41 AM