
How does ClearPass do NMAP fingerprinting profile matching?

Hello,

 

I can't understand how ClearPass Policy Manager works on endpoint classification using NMAP profiling.

If I understand right, there are some predefined signatures that define mappings between NMAP scan results (in terms of host.services, host.ports) and labels (Device Family, Device Name, etc.) you want to apply to the endpoint.

It seems to work fine, and usually predefined signatures match 99% fine (the device is identified properly). On the other hand, a lot of devices aren't matched by those signatures, so it becomes a pretty common need to define custom signatures.

I followed the guide "ClearPass Profiling TechNote V1.2" and I added custom signatures (my test case is on printer identification).

 

More or less, the workflow is:

- Create a new custom category (i.e. "Custom printer 1")
- Find an endpoint already scanned by NMAP but classified as "unknown"
- Import its signature (or part of it) as a template into the newly created custom category

(repeat these steps for all your custom categories)

It makes sense... but it doesn't seem to work :-(

In fact, the next NMAP scan puts all devices randomly in the same custom category even if the signature (taken from the device) doesn't match the template.

 

Any idea?

 

Regards.

 

Nicola
