Frequent Contributor I
Posts: 93
Registered: ‎04-09-2007

How long to fully profile an endpoint

Been looking at using endpoint profile data to auto-allow certain devices to get limited connectivity, i.e. game consoles, printers, etc., without user intervention/registration.

DHCP fingerprinting is enough for some devices, i.e. a 3DS, but playing with an Amazon Echo... initially it is picked up as a generic Android device.

I know they'll eventually get profiled as home av/amazon/echo, assuming ClearPass gets info from HTTP headers etc. So then is there a general provisioning role I can put devices in for... 1... 5... or 10 minutes where they should have been fully profiled? Does the provisioning role need to have any access, or just an HTTP(S) redirect so ClearPass can see any HTTP(S) traffic it attempts and use that for fingerprinting a more specific profile?

Anyone doing anything like this with devices that need more than a DHCP fingerprint to be fully identified? What device, and what have you found is required for full identification?

Or is this a fool's quest and I need to get back to working on MacTrac?

Guru Elite
Posts: 8,320
Registered: ‎09-08-2010

Re: How long to fully profile an endpoint

Unfortunately it depends on the behavior of the device especially with so
many of these headless devices running Android on the back end. The
ClearPass Device Registration portal is highly recommended in university
environments as it adds user context and role based access controls.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Guru Elite
Posts: 20,761
Registered: ‎03-29-2007

Re: How long to fully profile an endpoint

If the Aruba Controller sees the HTTP on the device first, you can forward that OS information via IF-MAP to ClearPass: http://www.arubanetworks.com/techdocs/ArubaOS_6.4.4.x_WebHelp/Web_Help_Index.htm#ArubaFrameStyles/Management_Utilities/CPPM-ifmap.htm?Highlight=ifmap

For example: using DHCP fingerprinting, an iPad and an iPhone look the same, but using HTTP User-Agent strings and mDNS broadcast information on the controller you can detect the difference and forward that information to ClearPass using IF-MAP.

Typically there is only a helper address pointing to ClearPass, so it will only get DHCP fingerprint information that might only indicate "Android", unless the device opens a page on the ClearPass device. Forwarding HTTP User-Agent string information from the controller could help.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor I
Posts: 93
Registered: ‎04-09-2007

Re: How long to fully profile an endpoint

Definitely looking at making a device registration portal, but wanted to see about making some things just "work" vs having a bunch of 40MHz "mysuperwificauseeduroamsuxors" SSIDs on channel 4 show up in the dorms... Anything that I can do to make the official wifi work vs pushing users toward rogue APs I think would be worth the effort.

That, and I know how much the helpdesk loves to walk users through collecting MAC addresses... so even if I don't permit access, being able to identify the correct MAC to register from the backend would be useful as well.

Frequent Contributor I
Posts: 93
Registered: ‎04-09-2007

Re: How long to fully profile an endpoint

Cool - had not come across IF-MAP before - I will look into that... but also need to play with the Echo more. As I recall, ClearPass saw it as an Android device... then I used my iPhone to set it up on our guest SSID, so the Echo proxied the webauth from the iPhone, and the controller then saw the device as an iPhone... :)

So I guess with IF-MAP, CPPM would then think it's an iPhone...

Perhaps the next "native" request from the then-authenticated Echo would have the correct User-Agent?
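
The layering discussed in this thread, as an added example (not part of any post, and not ClearPass or ArubaOS code): a DHCP option 55 fingerprint gives the coarse OS family, an HTTP User-Agent refines it to a device, and a User-Agent that contradicts the DHCP family, such as an iPhone's webauth session seen under the Echo's MAC, is recorded as a conflict instead of overwriting the profile. The fingerprint lists, the `ExampleEchoAgent` marker, the MAC addresses and all function names are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample data for illustration, not a real fingerprint database.
DHCP_FAMILY = {  # DHCP option 55 parameter list -> coarse OS family
    "1,3,6,15,26,28,51,58,59": "Android",
    "1,121,3,6,15,119,252": "Apple iOS",
}
UA_RULES = [  # (User-Agent substring, OS family, specific device)
    ("iPad", "Apple iOS", "iPad"),
    ("iPhone", "Apple iOS", "iPhone"),
    ("ExampleEchoAgent", "Android", "Amazon Echo"),  # hypothetical marker
]

@dataclass
class Endpoint:
    mac: str
    family: str = "Unknown"
    device: str = "Unknown"
    conflicts: list = field(default_factory=list)

def apply_dhcp(ep, option55):
    """DHCP alone yields only the coarse family (iPad and iPhone look alike)."""
    family = DHCP_FAMILY.get(option55)
    if family:
        ep.family, ep.device = family, f"Generic {family}"

def apply_user_agent(ep, user_agent):
    """Refine with HTTP evidence, but never let it contradict the DHCP family."""
    for marker, family, device in UA_RULES:
        if marker not in user_agent:
            continue
        if ep.family not in ("Unknown", family):
            # e.g. a phone's browser session observed under a headless device's MAC
            ep.conflicts.append((ep.family, family, user_agent))
        else:
            ep.family, ep.device = family, device
        return

def profile(mac, option55, user_agents):
    """Apply the DHCP fingerprint first, then each observed User-Agent in order."""
    ep = Endpoint(mac)
    apply_dhcp(ep, option55)
    for ua in user_agents:
        apply_user_agent(ep, ua)
    return ep

if __name__ == "__main__":
    echo = profile("02:00:00:00:00:03", "1,3,6,15,26,28,51,58,59",
                   ["Mozilla/5.0 (iPhone; CPU iPhone OS 9_3)", "ExampleEchoAgent/1.0"])
    print(echo.device, echo.conflicts)
```

Because a User-Agent is client-supplied, the conflict list is the useful output for policy: an endpoint with conflicts is a candidate for the registration portal rather than automatic access.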

 

 

Guru Elite
Posts: 20,761
Registered: ‎03-29-2007

Re: How long to fully profile an endpoint

Try it and let us know. The OS should show up in the user table. If the device does not communicate over port 80 using HTTP requests, the controller cannot identify it further, however.

Colin Joseph
Aruba Customer Engineering


Frequent Contributor I
Posts: 93
Registered: ‎04-09-2007

Re: How long to fully profile an endpoint

So I added this as a registered device... and it has been active - used it a few times - but still my endpoint DB just shows it as a generic Android device...

I'll try to see what traffic is coming from the device... I've seen others in my endpoint DB get more specifically profiled, and these are likely from devices that have not been able to get full access.

I'll add more updates as I learn more.
