Higher Education

Reply
This is an open group. Sign in and click the "Join Group" button to become a group member and start posting.
Highlighted
New Contributor

ClearPass Profile Conflict

Is there a way in clearpass to modify the device Catagory/OS Family/Name so ClearPass does not come up with a conflict again? Or worse yet ClearPass change the Device Catagory/OS Family/Name back to what it thinks the device is?

 

I thought CleartPass was a database, what it the point of modifying a device if the system is going to change it back!

11 REPLIES
Guru Elite

Re: ClearPass Profile Conflict

If the same finerprint is used again, it will use the same profile entry.

 

The reason it changes is that a profile conflict is a very important part of a network policy to determine if a user has attempted to spoof a MAC address.

 


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor

Re: ClearPass Profile Conflict

If I manually identify a device I do not want ClearPass changing the settings. I do not want CP telling me my Apply TV is an Aruba AP, nor do I want CP telling me an Apple watch is a smart iOS device.

So in short your telling me that CP will override any device ID I set?

Gary Naeger
Network & Systems Engineer
Planning, Research & Technology | Maryville University
650 Maryville University Drive, St. Louis MO 63141
(314) 529-9431
Gander Hall, Room 4A
gnaeger@maryville.edu

[New Logo and Tagline eps]
Frequent Contributor II

Re: ClearPass Profile Conflict

You are free to create any Endpoint attribute you need. I have some custom ones myself.

ClearPass is free to update any Profiling attribute it internally uses too.

 

tl;dr You need to create your own custom  attribute and perhaps open a TAC case on misidentifying fingerprints.


Bruce Osborne - Wireless Engineer
ACCP, ACMP
Guru Elite

Re: ClearPass Profile Conflict

So if someone were to grab the AppleTV's MAC address and use it on their laptop to bypass network registration/security, you wouldn't want to know that?

This is a core feature.

 

If something is incorrectly being reprofiled, you should open a TAC case.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor II

Re: ClearPass Profile Conflict

I do not want Apple TVs identified as Aruba APs.

I currently do not trust profiling information but it is not currently using DHCP information here.


Bruce Osborne - Wireless Engineer
ACCP, ACMP
Guru Elite

Re: ClearPass Profile Conflict

Then a TAC case should be opened. That is not correct.

 

There's a difference between conflict detection and incorrect profiling.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor

Re: ClearPass Profile Conflict

Ease of access it more important. I have firewalled my datacenter. If they look like an ATV the only place they can go is the Internet. Then any "Guest" or anyone on the secure wlan can access their device using airplay.

New Contributor

Re: ClearPass Profile Conflict

So i can apply a CP policy to a device based on an attribute? I will have to look into that a little more.

 

We track campus ATV's in JAMF (casper). Using CP and the mobility controller I have a policy/acl that if the device is identified as an ATV it has internet access only. Users on the guest network or secure network can use the ATV for presentation.

Guru Elite

Re: ClearPass Profile Conflict

AppleTV was just an example.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: