10-03-2014 08:42 AM
I got an error that the attributes for some devices were not extracted successfully during profiling. The plan was to throw them to a different role if it was a smartdevice. The error will be something like "Failed to get value for attributes" for device OS when we check Access Tracker.
Anyone encountered a similar problem before?
10-03-2014 08:43 AM
Is this a new device or one that exists already in the endpoints DB?
Consulting Systems Engineer - ACCX, ACDX, ACMX
10-03-2014 08:43 AM - edited 10-03-2014 08:45 AM
That will happen when the device first authenticates and hasn't been profiled yet.
You'll need to:
- enable the profiling option in your service and select smartdevice from the drop-down menu.
- ensure that the endpoint database is an authorization source.
- create a rule in your enforcement profile that checks to see if the profile attributes are present, and if they're not, put the user into a limited role that allows at least DHCP so profiling can occur.
10-03-2014 11:10 AM
As Seth pointed out, this happens when it is a new device and ClearPass has not learned or profiled it before.
So if you are making policy decisions based on the profile information from the endpoint database, the first time the device connects it won't hit any of the rules of your enforcement policy.
What you need to do is the following:
You need to add a catch-all rule so that if the device hasn't been profiled, it will be allowed to get DHCP for a brief time, and then the device will get a CoA, and the next time it comes through it will hit whatever rule you specified.
In order for this to work you need to configure ClearPass as DHCP relay and, as cappalli said, you need to add the endpoint DB as your authorization source.
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
10-03-2014 07:13 PM
Thanks for the reply.
I had created a condition that the new device will:
1) get a DHCP-assigned IP with DHCP relay pointing to ClearPass for profiling
2) endpoint classification with CoA to terminate the session if it is a smart device
3) assign the smartdevice to a BYOD role if it is a smart device after profiling
Let me check my settings again.
10-03-2014 07:18 PM
10-04-2014 06:41 PM
Yup. It seems only some devices are affected. Maybe I have missed out some for certain VLANs. I am using VLAN pooling, so that might be the problem. I will verify again once I get access to the system.
Thanks for the pointer :)