2 weeks ago
I can't understand how ClearPass Policy Manager works on endpoint classification using NMAP profiling.
If I understand right, there are some predefined signatures that define mappings between NMAP scan results (in terms of host.services, host.ports) and labels (Device Family, Device Name, etc.) you want to apply to the endpoint.
It seems to work fine, and usually the predefined signatures match 99% fine (the device is identified properly). On the other hand, a lot of devices aren't matched by those signatures, so it becomes a pretty common need to define custom signatures.
I followed the guide "ClearPass Profiling TechNote V1.2" and I added custom signatures (my test case is printer identification).
More or less, the workflow is:
- Create a new custom category (i.e. "Custom printer 1")
- Find an endpoint already scanned by NMAP but classified as "unknown"
- Import its signature (or part of it) as a template into the newly created custom category
(repeat these steps for all your custom categories)
It makes sense... but it seems it doesn't work :-(
In fact, the next NMAP scan puts all devices randomly in the same custom category, even if the signature (taken from the device) doesn't match the template.
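To make the "signature template versus scan result" idea concrete, here is an added, self-contained Python model of signature-based classification. It is not ClearPass's own matching code and the matching rule it uses (every port and service named in the template must appear in the host's scan, most specific template wins) is an assumption; the signatures, hostnames, ports and service names are constructed sample data. The example also shows the one failure mode that produces exactly the symptom described in the post: a custom template that ends up with no constraints (for instance when only "part of" a signature is imported) matches every host, so every scanned device lands in that custom category. The `lint_signature` check flags such templates before they are used.

```python
"""Simplified, constructed model of NMAP-signature endpoint classification.

Assumption (not ClearPass's real algorithm): a signature lists the open ports
and service names a host must expose; a host matches when its scan contains
all of them; among several matches, the most constrained signature wins.
"""
from dataclasses import dataclass, field


@dataclass
class Signature:
    category: str                          # label to apply, e.g. "Custom printer 1"
    ports: set = field(default_factory=set)     # required open TCP ports (host.ports)
    services: set = field(default_factory=set)  # required service names (host.services)

    def specificity(self):
        """Number of constraints; 0 means the template matches everything."""
        return len(self.ports) + len(self.services)


@dataclass
class ScanResult:
    host: str
    ports: set
    services: set


def matches(sig, scan):
    """True when every port and service required by the template is present."""
    return sig.ports <= scan.ports and sig.services <= scan.services


def classify(scan, signatures):
    """Return the category of the most specific matching signature, else 'Unknown'."""
    candidates = [s for s in signatures if matches(s, scan)]
    if not candidates:
        return "Unknown"
    # Most constrained signature wins, so a loose template cannot shadow a
    # precise one when both match the same host.
    return max(candidates, key=Signature.specificity).category


def lint_signature(sig):
    """Return a list of problems with a custom template (empty list = OK)."""
    problems = []
    if sig.specificity() == 0:
        problems.append(f"'{sig.category}': template has no ports/services, "
                        "so it will match every scanned host")
    bad_ports = [p for p in sig.ports if not (0 < p < 65536)]
    if bad_ports:
        problems.append(f"'{sig.category}': invalid port numbers {bad_ports}")
    return problems


# Constructed sample signatures (hypothetical, not from any vendor database).
PRINTER_SIG = Signature("Custom printer 1",
                        ports={515, 631, 9100},
                        services={"printer", "ipp", "jetdirect"})
WEB_SIG = Signature("Generic web device", ports={80}, services={"http"})
# A template imported with "part of" a signature and left with no constraints.
EMPTY_SIG = Signature("Custom printer 2")

SIGNATURES = [PRINTER_SIG, WEB_SIG]

# Constructed sample scan results in host.ports / host.services form.
PRINTER_SCAN = ScanResult("printer-01.example.test",
                          ports={80, 515, 631, 9100},
                          services={"http", "printer", "ipp", "jetdirect"})
CAMERA_SCAN = ScanResult("camera-01.example.test",
                         ports={554}, services={"rtsp"})


def demo():
    """Classify both hosts with and without the unconstrained template."""
    with_empty = SIGNATURES + [EMPTY_SIG]
    return {
        "printer": classify(PRINTER_SCAN, SIGNATURES),
        "camera": classify(CAMERA_SCAN, SIGNATURES),
        "camera_with_empty_template": classify(CAMERA_SCAN, with_empty),
        "lint": lint_signature(EMPTY_SIG),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block shows the printer resolved to "Custom printer 1" (it also matches the web template, but the printer template is more specific), the camera left as "Unknown", and the same camera silently absorbed into "Custom printer 2" as soon as the unconstrained template is present; `lint_signature` reports that template. Checking each custom template for at least one port or service constraint before rescanning is the practical takeaway.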