German-language Forum

M7
Occasional Contributor I

Changing attributes of many endpoints at once

Hello,

we are in the process of describing the devices in our Endpoint Repository precisely and adjusting various attributes.

Since all devices have so far been authenticated via MAB, the custom attribute "MAC-Status" is set to "zugelassen" (allowed).

Since we have, for example, provisioned all PCs with a valid certificate, we now want to set the "MAC-Status" of these devices to "blockiert" (blocked), so that they authenticate via 802.1X EAP-TLS.

How is it possible to change this custom status for approx. 10,000 devices without having to handle each device individually?

Do you have any tools for this?

We would very much appreciate your help.

Re: Changing attributes of many endpoints at once

Excuse me for responding in English, I can read the question pretty much, just not respond in German.

 

I would pick one of the following solutions:

1) Use an endpoint-update enforcement profile (ClearPass Entity Update Enforcement) to update the endpoint attributes as soon as a client authenticates with EAP-TLS; I have used this method in a form like: 'If [Machine Authenticated] Update Endpoint: corporate=yes'; and then reject access for that device to the guest network. In another situation, I used this to mark the endpoint such that on wired MAC authentication the machine is placed in the network boot/PXE VLAN such that systems can be reimaged on the spot. You can use this elegant method for your purpose as well. It is just that this method only works after a first Machine/TLS authentication, from then on the system is blacklisted.

2) Second method is that you can Export the Endpoint database to an XML file, based on that construct an XML file with the desired attributes, and import that file. For example, the following XML will put the Endpoint with macAddress to status Known and add/update a tag Device IMEI with the value testing 123:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TipsContents xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
  <TipsHeader exportTime="Thu Aug 17 09:44:13 CEST 2017" version="6.6"/>
  <Endpoints>
    <Endpoint macAddress="f0def19973d8" status="Known">
      <EndpointTags tagName="Device IMEI" tagValue="testing 123"/>
    </Endpoint>
  </Endpoints>
</TipsContents>

3) Third method would be using the API (https://<your-clearpass>/api-docs/). In that API, there is a method in the Endpoints section that can update attributes in the Endpoint DB: "PATCH /endpoint/{endpoint_id} Update some fields of an endpoint".

 

Hope that this helps you to achieve your goals.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
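
Method 2 from the reply above, scripted for a whole list of MAC addresses, as an added example that is not part of the original post and is not Aruba's code. The namespace, element and attribute names are copied from the XML sample in the reply, and the tag name and value come from the question; the helper names, the header carrying only version="6.6" and the sample MAC list (constructed) are assumptions, so import the result for a single test endpoint first.

```python
import re
import xml.etree.ElementTree as ET

NS = "http://www.avendasys.com/tipsapiDefs/1.0"  # namespace from the sample in the post
MAC_RE = re.compile(r"^[0-9a-f]{12}$")

# Constructed sample input: the MAC from the post in two notations, one
# made-up MAC in dotted notation, and one invalid entry.
SAMPLE_MACS = ["F0:DE:F1:99:73:D8", "f0-de-f1-99-73-d8", "0011.2233.4455", "not-a-mac"]


def normalize_mac(raw):
    """Return 12 lowercase hex digits (the form used in the post) or None."""
    mac = re.sub(r"[-:.\s]", "", raw).lower()
    return mac if MAC_RE.match(mac) else None


def build_import(macs, tag_name, tag_value, status="Known", version="6.6"):
    """Return (xml_text, rejected) for an endpoint import file.

    Assumption: a TipsHeader with only the version attribute is enough.
    """
    ET.register_namespace("", NS)  # serialize NS as the default namespace
    root = ET.Element(f"{{{NS}}}TipsContents")
    ET.SubElement(root, f"{{{NS}}}TipsHeader", {"version": version})
    endpoints = ET.SubElement(root, f"{{{NS}}}Endpoints")
    seen, rejected = set(), []
    for raw in macs:
        mac = normalize_mac(raw)
        if mac is None:
            rejected.append(raw)  # report instead of importing a bad key
            continue
        if mac in seen:  # same device listed twice in different notations
            continue
        seen.add(mac)
        ep = ET.SubElement(endpoints, f"{{{NS}}}Endpoint",
                           {"macAddress": mac, "status": status})
        ET.SubElement(ep, f"{{{NS}}}EndpointTags",
                      {"tagName": tag_name, "tagValue": tag_value})
    body = ET.tostring(root, encoding="unicode")
    return '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n' + body, rejected


if __name__ == "__main__":
    xml_text, rejected = build_import(SAMPLE_MACS, "MAC-Status", "blockiert")
    print(xml_text)
    print("rejected:", rejected)
```

The default status="Known" is the one from the sample in the reply; pass the status from your own export if the endpoints carry a different one, since the import sets it.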
M7
Occasional Contributor I

Re: Changing attributes of many endpoints at once

Hello Herman,

 

thanks for the fast answer! Brilliant that you understand my question although I've written it in German!

I will try these options together with our service contractor.

 

Thanks again!
