MVP
Posts: 130
Registered: ‎07-13-2015

Clearpass DHCP fingerprinting values

Hey guys,

I'm a bit confused atm. I'm trying to assign a role from a DHCP fingerprint in ClearPass, but I can't find any documentation/examples on how to correctly type the information into the value field.

I browsed to my iPhone within the device tab and found the Fingerprints, then I created a rule using the "CONTAINS" operator and it's working fine. But I would like to use "EQUALS".

I tried a lot of different ways of typing in the Fingerprint. I also tried to copy the Input entry from the Access Tracker and paste it there, still not working.

Does anyone here know the exact syntax?

Thank you!

ACMP, ACCP, BCNE
Guru Elite
Posts: 8,765
Registered: ‎09-08-2010

Re: Clearpass DHCP fingerprinting values

You wouldn't use Fingerprints, you would use the Device Category, Device Name and/or Device OS Family options under Authorization:Endpoints Repository.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 130
Registered: ‎07-13-2015

Re: Clearpass DHCP fingerprinting values


cappalli wrote:

You wouldn't use Fingerprints, you would use the Device Category, Device Name and/or Device Type options under Authorization:Endpoints Repository.


Sorry, I forgot to mention that I'm using my iPhone for test purposes, but eventually we will need to use the fingerprints for specific devices which are considered "Unknown" in the profiler.

ACMP, ACCP, BCNE
Guru Elite
Posts: 8,765
Registered: ‎09-08-2010

Re: Clearpass DHCP fingerprinting values

Try using the full [" "] syntax.

Do you have the endpoints repository as an authorization source?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 130
Registered: ‎07-13-2015

Re: Clearpass DHCP fingerprinting values


cappalli wrote:

Try using the full [" "] syntax.

Do you have the endpoints repository as an authorization source?


I already tried using this syntax. Yes, the repository is added, authentication is working fine when using "CONTAINS".

I also tried to copy/paste this whole string: apple.png

ACMP, ACCP, BCNE
Aruba
Posts: 1,377
Registered: ‎12-12-2011

Re: Clearpass DHCP fingerprinting values

So instead of this method which seems to be a bit of a hassle to manage, why not statically categorize those unknown endpoints into a known category OR add a custom attribute which you can call out in a service policy?

If there are unknowns, you can always forward them along to your Aruba SE or open up a case with TAC so that we can update them on the next fingerprint updates which happen twice a month.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
MVP
Posts: 130
Registered: ‎07-13-2015

Re: Clearpass DHCP fingerprinting values


SethFiermonti wrote:

So instead of this method which seems to be a bit of a hassle to manage, why not statically categorize those unknown endpoints into a known category OR add a custom attribute which you can call out in a service policy?

If there are unknowns, you can always forward them along to your Aruba SE or open up a case with TAC so that we can update them on the next fingerprint updates which happen twice a month.


Well, that's a lot of overhead, since every time a new device of this type connects on the network I will need to categorize it or set an attribute.

Thank you for your help, I'll reach out to TAC with this issue. I just thought someone here could have known the exact syntax.

ACMP, ACCP, BCNE
Aruba
Posts: 1,377
Registered: ‎12-12-2011

Re: Clearpass DHCP fingerprinting values

If there are enough known context variables, you can automate the tagging of the custom attribute I explained earlier. For example, if the OUI from the MAC address is consistent and the host name contains a consistent string, you could then use that logic to tag the endpoint.

If the DHCP options are unique to this endpoint, we should be able to update our fingerprint database in the profiler.
Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
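
The OUI-plus-hostname tagging logic described in the post above, written out as an added Python example; it is not part of the thread and not ClearPass code, and the OUI, hostname fragment and tag value are constructed placeholders. It goes one step beyond the post by skipping locally administered (randomized) MAC addresses, where the first three octets say nothing about the vendor.

```python
import re

# Constructed rule set: placeholder OUI, hostname fragment and tag value,
# not taken from the thread or from any vendor fingerprint database.
RULES = [
    {"oui": "001122", "hostname_contains": "scanner", "tag": "Warehouse-Scanner"},
]

def normalize_mac(mac):
    """Return 12 lowercase hex digits; accepts ':', '-' and '.' separators."""
    digits = re.sub(r"[:.\-]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower()

def is_locally_administered(mac_hex):
    """Bit 1 of the first octet marks a locally administered address."""
    return bool(int(mac_hex[:2], 16) & 0x02)

def tag_endpoint(mac, hostname, rules=RULES):
    """Return the custom attribute value to apply, or None if no rule matches."""
    mac_hex = normalize_mac(mac)
    if is_locally_administered(mac_hex):
        return None  # randomized MAC: the OUI carries no vendor information
    oui = mac_hex[:6]
    host = (hostname or "").lower()
    for rule in rules:
        # Both conditions must hold: consistent OUI and consistent hostname string.
        if oui == rule["oui"] and rule["hostname_contains"] in host:
            return rule["tag"]
    return None

if __name__ == "__main__":
    # Constructed sample endpoints (MAC, DHCP hostname).
    samples = [
        ("00:11:22:AA:BB:CC", "SCANNER-07"),
        ("0011.22aa.bbcc", "wh-scanner-12"),
        ("00-11-22-aa-bb-cc", "laptop-3"),
        ("02:11:22:aa:bb:cc", "scanner-1"),
    ]
    for mac, host in samples:
        print(mac, host, "->", tag_endpoint(mac, host))
```

Both inputs are client-asserted, so a tag derived this way is a classification aid and should map to a role with correspondingly limited access.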
MVP
Posts: 130
Registered: ‎07-13-2015

Re: Clearpass DHCP fingerprinting values


SethFiermonti wrote:
If there are enough known context variables, you can automate the tagging of the custom attribute I explained earlier. For example, if the OUI from the MAC address is consistent and the host name contains a consistent string, you could then use that logic to tag the endpoint.

If the DHCP options are unique to this endpoint, we should be able to update our fingerprint database in the profiler.

Thanks for the answer, I'm combining MAC OUI and Vendor + CONTAINS field of the Fingerprint right now and it's working. It will be more than enough.

But I'm still curious about that syntax :)

ACMP, ACCP, BCNE
Aruba
Posts: 1,377
Registered: ‎12-12-2011

Re: Clearpass DHCP fingerprinting values

Sure... it's a ClearPass Entity Update enforcement profile that you would use during the authentication of these devices...

Then create the "tag" you want to apply to this device...

You can create your own custom Endpoint attributes in Administration --> Dictionaries --> Attributes

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos