Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass PXE boot and conflict equals true

  • 1.  Clearpass PXE boot and conflict equals true

    Posted Jul 21, 2017 05:13 AM

    Hello,

     

    I always get the Conflict value of true on the endpoint for my corporate devices on the wired site.

     

    The reason is that PXE boot is used. So the DHCP fingerprint is different between the OS (Windows 10 or 7) and the PXE discovery.

     

    If the device starts it can log in by MAC-auth because of a special PXE attribute. If this is not used it uses 802.1X for normal authentication.


    How can I resolve this?



  • 2.  RE: Clearpass PXE boot and conflict equals true

    Posted Jul 21, 2017 06:31 AM

    Is it possible to disable profiling (DHCP relay) from the PXE-boot VLAN?



  • 3.  RE: Clearpass PXE boot and conflict equals true

    Posted Jul 21, 2017 07:29 AM

    No, this is not an option.

     

    The clients are in some cases placed in the same VLAN.

    Inside ClearPass the administrator must set an attribute by hand, and then the PC can do a one-time PXE boot inside the same VLAN as it will be put in after an 802.1X authentication.



  • 4.  RE: Clearpass PXE boot and conflict equals true

    EMPLOYEE
    Posted Jul 21, 2017 07:46 AM
    They should only be profiled as PXE when they actually PXE boot. How often are they doing this?


  • 5.  RE: Clearpass PXE boot and conflict equals true

    Posted Jul 21, 2017 08:14 AM

    I have two customers with this issue (both are using PXE).

     

    Customer A only once a month.

    Customer B daily. Every time the machine boots up. They didn't want to do anything manually so the PXE attribute is active all the time.

     

    Normally for my MAC-auth service I have an if conflict equals true "deny profile" at the top. This is not possible now because of the conflict. I can filter on the attribute but I would like a nice solution and not the issue on the endpoints.

     

    Also, an ignore or accept of the conflict doesn't work very nicely. They keep coming back.

     

    ------------------------------------------------------------------------
    HPE Master ASE | Aruba ACSA, ACCP, ACMP, ACEAP

     



  • 6.  RE: Clearpass PXE boot and conflict equals true

    EMPLOYEE
    Posted Jul 21, 2017 09:17 AM

    I'm not sure there's a solution for this. ClearPass is doing exactly what it's supposed to do.



  • 7.  RE: Clearpass PXE boot and conflict equals true

    Posted Jun 17, 2021 09:21 AM
    Hi,

    Did anyone get a resolution for this? Am currently hitting this issue.

    Cheers


    ------------------------------
    David Hurley
    ------------------------------



  • 8.  RE: Clearpass PXE boot and conflict equals true

    MVP EXPERT
    Posted Jun 18, 2021 04:57 AM
    Would this be fixed by the global option / profiler option shown below and setting it to true? Not entirely sure it works though, as I'm sure I've still seen issues even with it enabled. This is in 6.9.x

    Parameter Name Parameter Value Default Value
    Ignore Conflict (Network Boot Agents)






  • 9.  RE: Clearpass PXE boot and conflict equals true

    Posted Jun 18, 2021 06:24 AM
    Hmm, can't see the images?

    Have you tried the "Ignore Conflict (Network Boot Agents)" available on 6.9 (not sure when this specifically came in?)


    ------------------------------
    Derin Mellor
    ------------------------------