Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Easiest way to whitelist devices - CPPM Guest

  • 1.  Easiest way to whitelist devices - CPPM Guest

    Posted Sep 15, 2014 01:21 PM

    Hi:

    I'm using Clearpass guest to let students self-register their gaming devices.

    Then a policy checks for the string "Gaming Console" in the endpoint_profile_device_category field.

    So far, so good.

    But there are a number of devices that doesn't account for. Wireless TV's for example.

     

    There aren't so many devices (yet) that it would be a burden to whitelist these manually. What's the best way to do this?

     

    I notice a "role_name" field. Can I create custom role names and create a rule in my policy based on that role name?

     

    Other ways to accomplish this?

     

    Thanks,

    Tony

     



  • 2.  RE: Easiest way to whitelist devices - CPPM Guest

    EMPLOYEE
    Posted Sep 15, 2014 01:24 PM
    In your enforcement, check the Endpoints Repository category using the Matches Any option and select the appropriate categories


  • 3.  RE: Easiest way to whitelist devices - CPPM Guest

    Posted Sep 15, 2014 01:32 PM

    Hi Tim:

    I'm not seeing a matches any option anywhere. Can you provide a screenshot?

     

    Also, is it possible to create custom roles?

     

    Thanks,

    Tony



  • 4.  RE: Easiest way to whitelist devices - CPPM Guest

    EMPLOYEE
    Posted Sep 16, 2014 08:22 AM

    Sorry, you'd need to do a custom role and do a role map for this. Then use that role in your enforcement policy.

     

    media-device-role-map.png



  • 5.  RE: Easiest way to whitelist devices - CPPM Guest

    Posted Sep 16, 2014 03:27 PM

    Hi Tim:

    Thanks for the reply and the screenshot!

     

    My setup looks very much like the one you provided, except I'm only looking for Game Consoles.

    I'd like to allow those other device categories on the network (Home Audio/Video, Settop Box).

    Are those being profiled automatically, or did you add those manually?

     

    I've only seen Game Console show up in my profiled devices.

     

    Thanks,

    Tony

     

     



  • 6.  RE: Easiest way to whitelist devices - CPPM Guest

    EMPLOYEE
    Posted Sep 16, 2014 04:02 PM

    Those are built-in profile categories.

     

    appletv-profile.JPG

     

     



  • 7.  RE: Easiest way to whitelist devices - CPPM Guest

    Posted Sep 16, 2014 04:11 PM

    OK, thanks.

     

    So let me revise my question.

    I'd like to allow gaming devices, smaht TV's (:-)), etc. on the network.

     

    But some gaming consoles, TV's, etc. don't get profiled correctly.

    In fact, the fields like endpoint_profile_device_category don't even show up when I look at the device details.

     

    What do you do with these devices?

    Do you have a process for them to be manually authorized?

    Is there a way to manually profile/categorize it as a gaming device, TV, etc?

     

    Thanks,

    Tony

     



  • 8.  RE: Easiest way to whitelist devices - CPPM Guest

    EMPLOYEE
    Posted Sep 16, 2014 04:13 PM

    Are you requiring the users to register them in MACTrac? If so, the device is then authorized.

     

    You can manually change a profile in the endpoint database by selecting an option from the dropdowns of Category, OS Category and Device Name. 



  • 9.  RE: Easiest way to whitelist devices - CPPM Guest

    Posted Sep 16, 2014 04:29 PM

    Ah, OK.

    I was looking at the device in CPPM Guest.

    I see where I can change those properties in CPPM.

     

    But now, problem next:

     

    When I try to change an endpoint I get the message: No Endpoints are updated. Endpoints which are already profiled only can be updated.

     

    Thanks,

    Tony

     



  • 10.  RE: Easiest way to whitelist devices - CPPM Guest

    EMPLOYEE
    Posted Sep 16, 2014 04:34 PM

    So the devices you are looking at have not been profiled yet?

     

    Do you have a DHCP helper address pointed to ClearPass for the appropriate subnets?



  • 11.  RE: Easiest way to whitelist devices - CPPM Guest

    Posted Sep 17, 2014 04:11 PM

    Hi Tim:

    Thanks again for your reply.

     

    I'm getting it now (I think).

     

    Some of my devices don't show the profiling information, but those haven't yet tried to connect to the gaming network.

     

    If they connect and match one of the categories - all is well.

    If they connect and fail to match a category - at that point I can manually change the category, if it's an allowed device.

     

    Does this seem like the workflow you're going through?

     

    Thanks,

    Tony

     



  • 12.  RE: Easiest way to whitelist devices - CPPM Guest

    EMPLOYEE
    Posted Sep 17, 2014 04:14 PM
    You'll want to put a rule at the top that checks if a Device Category not_exists, then put the device into a profile role that allows at least DHCP and DNS.

    In your service, enable the profile option and select the device categories that you want to make sure are profiled.

    Once the device is profiled, it will send a CoA forcing a reauth so it will get the correct role. The whole process takes around 3 seconds and users don't usually notice.


  • 13.  RE: Easiest way to whitelist devices - CPPM Guest

    Posted Sep 18, 2014 10:43 AM

    Thanks for that tip. I will create that rule.

     

    It's been working without that rule, but it's been somewhat flakey.

    Hopefully that will help.

     

    Thanks,

    Tony



  • 14.  RE: Easiest way to whitelist devices - CPPM Guest

    Posted Sep 19, 2014 09:22 AM

    Hi Tim:

    .... just getting back to this.

     

    I'm OK with the first part: putting a rule in the policy, and assigning a profile.

     

    But I'm not sure where to do this:

    In your service, enable the profile option and select the device categories that you want to make sure are profiled.

     

    Can you point me in the right direction?

     

    Thank you,

    Tony



  • 15.  RE: Easiest way to whitelist devices - CPPM Guest

    EMPLOYEE
    Posted Sep 19, 2014 11:00 AM

    profile-endpoints.png

     

    profile.png