Security

Reply
Occasional Contributor II
Posts: 26
Registered: ‎10-16-2013

Failed to get value for attributes during profiling

Hi all,

 

I got an error that the attributes for some device were not extracted successfully when we were during profiling. The plan was to throw them to a different role it it was a smartdevice. Error will be something like "Failed to get value for attributes" for device os when we check access tracker.

 

Anyone encountered a similar problem before?

 

Thanks.

 

Regards,

Victor

Aruba
Posts: 1,377
Registered: ‎12-12-2011

Re: Failed to get value for attributes during profiling

Is this a new device or one that exists already in the endpoints DB?

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Guru Elite
Posts: 8,649
Registered: ‎09-08-2010

Re: Failed to get value for attributes during profiling

[ Edited ]

That will happen when the device first authenticates and hasn't been profiled yet.

 

You'll need to

- enable the profiling option in your service and select smartdevice from the drop down menu.

- ensure that the endpoint database is an authorization source

- create a rule in your enforcement profile that checks to see if the profile attributes are present, and if they're not, put the user into a limited role that allows at least DHCP so profiling can occur.

 

 

 


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 4,301
Registered: ‎07-20-2011

Re: Failed to get value for attributes during profiling

As Seth pointed out this happens when it is a new device and ClearPass has not learned or profiled before

 

So if you are making policy decisions based on the profile information from the endpoint database the first time the device connects it won't hit any of the rules of your enforcement policy .

 

What you need to do is the following :

 

You need to add a catch all rule that if the device hasnt been profiled it will be allowed to get DHCP for brief time and then the device will get CoA and then next time it comes through it will hit whatever the rule you specified.

2014-10-03 14_06_57-ClearPass Policy Manager - Aruba Networks.png

 

In order for this to work you need to configure ClearPass as DHCP relay and as cappalli said you need to add the endpoint DB as your authorization source

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II
Posts: 26
Registered: ‎10-16-2013

Re: Failed to get value for attributes during profiling

Hi guys,

Thanks for the reply.

I had created a condition that the new device will
1) get dhcp assigned ip with dhcp relay pointing to clearpass for profiling
2) endpoint classification with coa to terminate the session if it is a smart device
3) assign the smartdevice to a byod role if it is a smart device after profiling

Let me check my settings again

Thanks :)
Guru Elite
Posts: 8,649
Registered: ‎09-08-2010

Re: Failed to get value for attributes during profiling

Do you have helper addresses on your layer 3 interfaces pointing to clearpass?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 26
Registered: ‎10-16-2013

Re: Failed to get value for attributes during profiling

Hi Tim,

Yup. It seems only some devices are affected. Maybe I have missed out some for certain Vlans. I am using vlan pooling so that might be the problem. I will verify again once get access to the system.

Thanks for the pointer :)

Regards,
Victor
Search Airheads
Showing results for 
Search instead for 
Did you mean: