Frequent Contributor I
Posts: 62
Registered: ‎12-02-2014

How to Profile using MAC OUI

Can anyone direct me on how to set up a service that will profile a device based on MAC OUI?

 

Thanks,

Guru Elite
Posts: 8,191
Registered: ‎09-08-2010

Re: How to Profile using MAC OUI

You can map OUI prefixes to ClearPass roles by using a role map. Example below:

 

role-map-oui.PNG


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Frequent Contributor I
Posts: 62
Registered: ‎12-02-2014

Re: How to Profile using MAC OUI


Screen Shot 2015-02-11 at 10.39.28 PM.png

Thanks Tim, is there a way to have the device profiled into the Identity Endpoints database with MAC OUI?

Guru Elite
Posts: 8,191
Registered: ‎09-08-2010

Re: How to Profile using MAC OUI

You mean use the MAC OUI to populate the profile information? No, there is
not. Complete profile information cannot be derived from just the MAC OUI
and the profile information. The category, OS and device name can only be
populated from automagic fingerprinting (DHCP fingerprints, subnet scans,
Onboard, ActiveSync, etc.) or by manually updating the attributes in the
database. You cannot currently update these values using a post-auth update.



You could, however, create a custom attribute that you could update using a
Post-Auth endpoint update after successful authentication.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Frequent Contributor I
Posts: 62
Registered: ‎12-02-2014

Re: How to Profile using MAC OUI

Tim,

 

That is good to know that the MAC OUI alone cannot populate the profile info. I have a bunch of static IP device PLCs (Programmable Logic Controller) by a common vendor that need to be profiled immediately when the device connects to the network. I can't wait for an SNMP Polling cycle (6 hr) for CPPM to profile the device. After profiling the device and assigning it the Role of PLC, I want to use MAC AUTH Service to assign appropriate network access (like VLAN, dACL, etc.). How could this be accomplished?

 

Thanks for your help.

Guru Elite
Posts: 8,191
Registered: ‎09-08-2010

Re: How to Profile using MAC OUI


- Create a ClearPass TIPS role: DEVICE_PLC

 (Configuration > Identity > Roles > Add)

 

- In your MAC-auth service, add the following rule to the role map:

mac-prefix.PNG

 

- Then add a rule to your enforcement policy like below, replacing the enforcement profile(s) with the appropriate action.

plc-enforcement.PNG

 

 


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
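
Added example, not part of the thread and not ClearPass configuration: a Python illustration of the prefix-to-role decision the role-map rule above expresses, including the cases where the first three octets are not a usable OUI. The function names and the rule table are assumptions; the documentation prefix 00:00:5E stands in for the PLC vendor's OUI, and `DEVICE_PLC` is the role name from the post.

```python
import re

# Constructed rule table: OUI (first three octets, uppercase hex) -> role.
# 00005E is the IANA prefix whose 00:00:5E:00:53:xx block is reserved for
# documentation (RFC 7042); it stands in for the PLC vendor's real OUI.
OUI_ROLE_MAP = {"00005E": "DEVICE_PLC"}


def normalize_mac(raw):
    """Return 12 uppercase hex digits, or None if raw is not a MAC address."""
    digits = re.sub(r"[-:.\s]", "", raw).upper()
    return digits if re.fullmatch(r"[0-9A-F]{12}", digits) else None


def is_locally_administered(mac12):
    """True when the U/L bit (0x02 of the first octet) is set.

    Such addresses are not vendor-assigned, so their first three octets
    are not an OUI and say nothing about the manufacturer.
    """
    return bool(int(mac12[:2], 16) & 0x02)


def role_for_mac(raw, rules=OUI_ROLE_MAP):
    """Map a client MAC to a role by OUI prefix; None means no rule matched."""
    mac = normalize_mac(raw)
    if mac is None or is_locally_administered(mac):
        return None
    return rules.get(mac[:6])


if __name__ == "__main__":
    # Constructed sample inputs covering common delimiter styles.
    for sample in ("00:00:5e:00:53:01", "00-00-5E-00-53-02", "0000.5e00.5303",
                   "02:00:5e:00:53:04", "00:00:5f:00:53:05", "not-a-mac"):
        print(f"{sample:20} -> {role_for_mac(sample)}")
```

Because the MAC address is asserted by the client, an OUI match identifies the claimed vendor only, so the enforcement profile tied to the matched role should grant just the access that device class needs.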
Frequent Contributor I
Posts: 62
Registered: ‎12-02-2014

Re: How to Profile using MAC OUI

Tim,

 

That worked.  Thanks for the TIP!

Guru Elite
Posts: 8,191
Registered: ‎09-08-2010

Re: How to Profile using MAC OUI

I see what you did there! 

Glad it worked. 


Thanks, 
Tim

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP