Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass Audit NMAP Question

  • 1.  ClearPass Audit NMAP Question

    Posted Apr 15, 2013 07:06 AM

    Hi,

     

    I'm new to CPPM and would like some assistance with Device Auditing through NMAP.

     

    I would like to use auditing configuration in conjunction with MAB in order to further increase the veracity of device 'fingerprinting'.

    I'm intending to use the built-in NMAP server to profile Cisco VoIP devices, along with various manufacturer printers.

     

    I'm concerned that DHCP fingerprints could be faked, and MAC (OUI) spoofed, so I'm hoping NMAP can do its own device fingerprinting, and I can also do another level on top, like matching specific known open ports to be almost 100% sure the device that is connecting is what it says it is.

     

    Could anyone point me in the direction of any information resources that would assist?

     

    For my testing I have created an NMAP audit server (local to CPPM) and selected 'Detect Host Operating System', 'Service Scan', 'UDP Scan', and 'TCP Syn Scan'; however, when I enable the Audit in my wired 802.1x service, my access tracker has the following alert:

     


    Alerts for this Request

    Policy server: Missing required inputs to perform audit

     

    And prior to this, under Output > Posture Response, I saw:

     

    Avenda:Audit:Audit-Status

    AUDIT_INPROGRESS

     

     

    So it seems as if it can't successfully run on the target host.

     

    Any ideas how I could troubleshoot?

     

    Thanks,

     

    Ward

     



  • 2.  RE: ClearPass Audit NMAP Question

    EMPLOYEE
    Posted Apr 15, 2013 07:30 AM


  • 3.  RE: ClearPass Audit NMAP Question

    Posted Apr 16, 2013 08:49 PM

    Thanks for the reply!

     

    What I am interested in, however, is any configuration examples or troubleshooting advice. I understand roughly how I should be configuring the NMAP policy; however, an example of a best-practice configuration for auditing a phone or printer would be nice. Likewise, generic error messages and potential causes.

     

    Is anyone able to assist?



  • 4.  RE: ClearPass Audit NMAP Question

    EMPLOYEE
    Posted Apr 17, 2013 01:16 AM

    Ward,

     

    I think I know what you want.  Let me see if I can get someone to help.

     



  • 5.  RE: ClearPass Audit NMAP Question

    Posted May 28, 2013 05:41 PM

    CJoseph - Would you be able to forward me the information as well?  I came across this thread while searching for the same information.

     

    Thanks,
    Robert

     



  • 6.  RE: ClearPass Audit NMAP Question

    EMPLOYEE
    Posted May 28, 2013 07:01 PM

    One thing to remember is that most people don't realize, or forget, that when you are on a page you can click the help link in the top-right corner, and it will give you definitions and examples.

     

    nmap1.png

    nmap2.png