Security

Is there any way to create custom device fingerprints?

You will need to turn on DHCP debugging to see what DHCP fingerprint the device is passing.  You can they write your derivation rules based on those fingerprint strings.

Are you referring to setting up dhcp fingerprinting on a controller? I'm looking to do this in Clearpass for wired and wireless devices.

I want to be able to take multiple attributes that identify a device and use it to recognize devices in my network that aren't in the fingerprint dictionary. I'm trying to avoid adding all of these devices to static host lists or the endpoint repository.

Compnerd, 

 

You can open a TAC case for any fingerprints that don't appear in the database.  We have to QA them before they are added, however.

I've posted an "Idea" to create custom fingerprints:

 

http://community.arubanetworks.com/t5/Products-and-Technology/ClearPass-Create-Endpoint-Fingerprints/idi-p/64660

 

Please kudos the suggestion if you like it.

---

@cjoseph wrote:

Compnerd, 

 

You can open a TAC case for any fingerprints that don't appear in the database.  We have to QA them before they are added, however.

---

 

Why isn't there an option to create your own fingerprints? Passing any and all such requests through TAC seems like a major waste of time? And honestly, what customer can wait for your QA process?

 

Gave kudos for your idea there compnerd.. maybe there is a valid reason why we can't add those fingerprints ourselves but thazt reason elludes me.

---

@KoenV wrote:

---

@cjoseph wrote:

Compnerd, 

 

You can open a TAC case for any fingerprints that don't appear in the database.  We have to QA them before they are added, however.

---

 

Why isn't there an option to create your own fingerprints? Passing any and all such requests through TAC seems like a major waste of time? And honestly, what customer can wait for your QA process?

 

Gave kudos for your idea there compnerd.. maybe there is a valid reason why we can't add those fingerprints ourselves but thazt reason elludes me.

---

That is not true.  It is much more than just adding signatures; there is a QA process to make sure that no other devices have the similar signature as well as put them into categories that can also be used in the auth process.  Signatures are updated constantly and automatically in CPPM and it does not take months; it happens fairly quickly.

 

In my opinion, the majority of the users just want signatures to be there, correct and categorized properly.  They do not want to be creating it themselves.  On the controller side, identifying, creating and ensuring that duplicate devices do not have the same signatures takes some work, sometimes and can be frustrating.  I would rather allow Aruba to qualify the signatures so that devices can be identified and categorized properly.  For every user that wants to create their own signature, there are 100 that just want it to work properly.

I can certainly see the benefit in having Aruba vet the signatures, but I think flexibility would be nice.  I believe Cisco saw the need for this which is why it's available in ISE.

 

As far as endpoing profile fingerprints go, my understanding is that they're updated monthly.  I submitted a fingerprint for a Polycom phone and an engineer in Sunnyvale indicated that the fingerprint would not make it in until the end of the month when the the endpoint profile fingerprints are updated.  This falls in line with what I've seen under Software Updates.  The "last updated" time has been falling on the last day of the month consistently.  IMO, this is too long.  I'm sure there's a reason for it, though.

Please open a feature request in the ideas portal.