Aruba
Posts: 1,526
Registered: ‎06-12-2012

Device conflict

As you know we used to have the rule in the early 6.0 releases where you could check for device conflict. 

 

In 6.4 that feature has been re-enabled.

 

  • Conflict triggers
      – Fingerprint from same source changing over time resulting in two different device profiles
          • Profiled as Computer, but assigned MAC address of a Printer
          • If old category and new category differ, conflict flag set to TRUE
      – Fingerprint from different sources resulting in two different device categories
          • Profiled as Computer from DHCP but SmartDevice from HTTP
          • Profiler will check fingerprint dictionary to resolve disparity
          • If device category different from dictionary, conflict flag set to TRUE
  • Additions to tips_endpoint_profiles
      – conflict (boolean)
      – other_category (varchar(100))
      – other_family (varchar(100))
      – other_name (varchar(100))
  • These are available as authorization attributes

[Image: conflict1.png]

[Image: conflict2.png]


Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
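
A minimal Python model of the two conflict triggers listed in the post above, added here as an illustration; it is not ClearPass code and not from the original thread. The `Endpoint` class, `apply_fingerprint`, the `dictionary_category` parameter, the choice to keep the stored profile and put the competing one in `other_*`, and all sample values are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Endpoint:
    """Constructed stand-in for one tips_endpoint_profiles row."""
    mac: str
    category: str = ""
    family: str = ""
    name: str = ""
    source: str = ""            # assumption: source of the stored fingerprint
    conflict: bool = False
    other_category: str = ""
    other_family: str = ""
    other_name: str = ""

def apply_fingerprint(ep, source, category, family, name, dictionary_category=None):
    """Apply a new fingerprint; dictionary_category (hypothetical) is the
    category the fingerprint dictionary resolves to when two sources disagree."""
    if not ep.category or category == ep.category:
        # First sighting, or same category as before: update, no conflict.
        ep.category, ep.family, ep.name, ep.source = category, family, name, source
        return ep
    if source == ep.source:
        # Trigger 1: same source, old and new category differ.
        conflicting = True
    else:
        # Trigger 2: sources disagree; compare stored category with dictionary.
        conflicting = ep.category != dictionary_category
    if conflicting:
        # Assumption: stored profile stays, competing one lands in other_*.
        ep.conflict = True
        ep.other_category, ep.other_family, ep.other_name = category, family, name
    return ep

def demo():
    """Constructed cases; MACs, families and names are made-up sample values."""
    a = Endpoint("00:11:22:33:44:55")   # Windows, then Linux: both Computer
    apply_fingerprint(a, "DHCP", "Computer", "Windows", "Windows 7")
    apply_fingerprint(a, "DHCP", "Computer", "Linux", "Linux")
    b = Endpoint("00:11:22:33:44:66")   # Printer MAC later profiled as Computer
    apply_fingerprint(b, "DHCP", "Printer", "HP", "HP Printer")
    apply_fingerprint(b, "DHCP", "Computer", "Linux", "Linux")
    c = Endpoint("00:11:22:33:44:77")   # Computer from DHCP, SmartDevice from HTTP
    apply_fingerprint(c, "DHCP", "Computer", "Windows", "Windows 7")
    apply_fingerprint(c, "HTTP", "SmartDevice", "Apple", "iPhone",
                      dictionary_category="SmartDevice")
    return a, b, c
```

In this model a Windows-to-Linux change on the same MAC stays in category Computer and raises no conflict, while a Printer-to-Computer change does.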
MVP
Posts: 1,392
Registered: ‎11-30-2011

Re: Device conflict

great, nice to see it return.

Occasional Contributor I
Posts: 5
Registered: ‎10-30-2014

Re: Device conflict


Hi,

 

If there is a conflict, the MAC auth doesn't fail automatically, or? I still need to put a rule in my enforcement, or?

 

Rule would be like:

 

Conditions:

Authorization:[Endpoints Repository]:Conflict EQUALS true

 

Actions:

[RADIUS_CoA] [Aruba Terminate Session]

 

thanks a lot

Martin

Aruba
Posts: 1,526
Registered: ‎06-12-2012

Re: Device conflict

Your logic is correct. You will need to put it at the top of your enforcement. Personally, I would create a captive portal role to tell the user why they cannot connect, or they will just keep trying to connect and then call the help desk.

Thank You,
Troy

Moderator
Posts: 457
Registered: ‎11-09-2012

Re: Device conflict

In 6.5 (shipping later this month) we will have the ability to trigger an automatic CoA when we detect a conflict.


Best Regards
-d

Snr Tech Marketing Engineer - ClearPass

MVP
Posts: 1,392
Registered: ‎11-30-2011

Re: Device conflict

things just get better :)

Super Contributor I
Posts: 318
Registered: ‎05-09-2013

Re: Device conflict

Has this feature been added? If so, how do you incorporate it in your guest MAC authentication service for instance?

Michael Haring | Network Engineer - ACMP, ACCP
Comm Solutions Company | www.commsolutions.com
MVP
Posts: 1,392
Registered: ‎11-30-2011

Re: Device conflict

you should be able to use the device conflict category and based on that assign a different role or perform some other action.

MVP
Posts: 1,392
Registered: ‎11-30-2011

Re: Device conflict

i tried getting a device in conflict status last week, but was unable to make it work. using version 6.5.4 btw.

i first connected with a windows laptop, was profiled correctly, fingerprint clear. then i rebooted with a linux boot usb and again it was profiled correctly, only nothing showed up for conflict or such in the endpoint repository.

as both were main category computer it might not have been enough to trigger the conflict, would be nice if we get some more details on how it exactly works, so i also changed the MAC address of the laptop to that of a Thinclient and tried to auth. again this auth worked fine, the entry in the endpoint repository was updated with the linux computer hostname, but no conflict.

so anyone got this working (the case with DHCP fingerprint as method, not difference between HTTP and DHCP method) and can provide some more information on your setup?

 

as a side note it is mentioned we can do a CoA on conflict, but i don't see the category conflict on the profiling tab. i also assume i don't need the profiling tab in the service to get the conflict status enabled on the end point repository.

Guru Elite
Posts: 7,852
Registered: ‎09-08-2010

Re: Device conflict

If you had changed it to something like a printer, the conflict should have been activated.


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP