Frequent Contributor I
Posts: 62
Registered: ‎12-02-2014

MAC Auth and Profiling Static IP Devices

Are there any documentation/tutorials that walk you through how to do MAC authentication on non-802.1X devices that have static IP addresses? I am looking to build a MAC Auth service that will profile various devices (PLCs, cameras, routers, video decoders) and put them onto the private network, and force non-802.1X computers (guest visitors/vendors) to an Internet-only VLAN.

Are there any docs that show how to build such a service? I understand there are various ways to profile a device (NMAP, SNMP, NESSUS, MAC OUI), but how do you use these methods in a service?

Thanks for your help ahead of time.

 

Mark

Guru Elite
Posts: 8,795
Registered: ‎09-08-2010

Re: MAC Auth and Profiling Static IP Devices

Does this help?

[Attachments: mthiel1.PNG, mthiel2.PNG, mthiel3.PNG, mthiel4.PNG, mthiel5.PNG]


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I
Posts: 62
Registered: ‎12-02-2014

Re: MAC Auth and Profiling Static IP Devices

Thanks Tim. It does help, but I am not sure what the enforcement profile (ROLE_PROFILE) looks like. If not too much trouble, can you show how that profile is built? I am looking to see how the device is profiled and can be classified as a certain type of device. There must be something else that needs to be configured to determine the device type. I would assume if you used SNMP or NMAP that there are configurations that can read a response to determine the device type.

Am I even in the ballpark on how this works?

Thanks again for taking the time to show me the screenshots above.

Guru Elite
Posts: 8,795
Registered: ‎09-08-2010

Re: MAC Auth and Profiling Static IP Devices

The profile role is just a controller role that only allows DHCP. This allows profiling to occur, and once ClearPass gets the initial profile, it will bump the user so that they can authenticate against other rules in your enforcement policy.

Same idea with nmap. You can give the device an audit state based on rules you set. So you could give temporary Internet-only access until a device was audited or profiled, and then change the device's role.

There will be some additional profiling options in the upcoming 6.5 release, so stay tuned for that.

Thanks,
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I
Posts: 62
Registered: ‎12-02-2014

Re: MAC Auth and Profiling Static IP Devices

Thanks Tim,
I am just trying to understand how to use something like the NMAP feature to further profile and change the access of a static device.

Frequent Contributor I
Posts: 62
Registered: ‎12-02-2014

Re: MAC Auth and Profiling Static IP Devices

[ Edited ]

With MAC auth, is there a way to give different device types different network access? For example:

If I have a security camera using MAC auth, can I allow it to connect to the internal network VLAN A, and then have a guest user's PC using MAC auth and configure it to use VLAN B?

If so, how do you get the device profiled to know if it is a security camera versus a guest PC?

Guru Elite
Posts: 8,795
Registered: ‎09-08-2010

Re: MAC Auth and Profiling Static IP Devices

This is done via DHCP profiling. Do you have helper addresses configured to point to ClearPass? 

Once the device is profiled, you map the device category/family/device name (derived from the profile) to an enforcement profile. The enforcement profile(s) are what get sent down to the switch/controller. 

This is what's shown in the second to last screenshot above. 


Thanks, 
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
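The two posts above describe a policy that runs in stages: an unprofiled endpoint lands in a DHCP-only role (ROLE_PROFILE), the profiler classifies it, the session is bumped, and the device category/family is then mapped to an enforcement profile, with nmap audit state as a further gate. The following is an added example that models that evaluation order in Python; it is not ClearPass code. The role names other than ROLE_PROFILE, the VLAN ids and ACL strings, the category names and the MAC addresses are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Endpoint:
    """What the policy engine knows about a MAC-authenticated endpoint."""
    mac: str
    category: Optional[str] = None      # None until the profiler has classified it
    family: Optional[str] = None
    audit_state: str = "not_audited"    # "not_audited" | "audited"


# Assumed enforcement profiles (role -> what is pushed to the switch/controller).
# Role names (except ROLE_PROFILE), VLAN ids and ACLs are constructed.
ENFORCEMENT_PROFILES = {
    "ROLE_PROFILE":  {"vlan": 999, "acl": "permit udp any eq bootpc any eq bootps; deny ip any any"},
    "INTERNET_ONLY": {"vlan": 200, "acl": "deny ip any 10.0.0.0/8; permit ip any any"},
    "CAMERA_VLAN":   {"vlan": 110, "acl": "permit ip any any"},
    "PLC_VLAN":      {"vlan": 120, "acl": "permit ip any any"},
}

# Enforcement policy: ordered rules, first match wins (evaluated top-down).
RULES = [
    ("Unprofiled -> DHCP-only profile role",  lambda e: e.category is None,          "ROLE_PROFILE"),
    ("Non-802.1X computers -> guest VLAN",    lambda e: e.category == "Computer",    "INTERNET_ONLY"),
    ("Not yet audited -> Internet only",      lambda e: e.audit_state != "audited",  "INTERNET_ONLY"),
    ("Cameras -> internal camera VLAN",       lambda e: e.category == "Camera",      "CAMERA_VLAN"),
    ("PLCs -> internal control VLAN",         lambda e: e.family == "PLC",           "PLC_VLAN"),
]
DEFAULT_ROLE = "INTERNET_ONLY"  # anything unrecognised stays off the private network


def evaluate(endpoint: Endpoint) -> str:
    """Return the enforcement profile name for the endpoint's current state."""
    for _name, predicate, role in RULES:
        if predicate(endpoint):
            return role
    return DEFAULT_ROLE


def on_profile_update(endpoint: Endpoint, category: str, family: Optional[str] = None) -> str:
    """The profiler learned the device type (DHCP fingerprint, SNMP, subnet scan).
    This is the point where the session would be bumped so the policy is
    re-evaluated; here we simply re-run evaluate()."""
    endpoint.category = category
    endpoint.family = family
    return evaluate(endpoint)


def on_audit_complete(endpoint: Endpoint) -> str:
    """The nmap audit finished; the device may now move to its final role."""
    endpoint.audit_state = "audited"
    return evaluate(endpoint)


def camera_onboarding() -> list:
    """Walk a camera through the three states and return the role at each step."""
    cam = Endpoint(mac="00:00:5E:00:53:10")            # RFC 7042 documentation MAC, constructed
    roles = [evaluate(cam)]                            # ROLE_PROFILE: DHCP only, profiler listens
    roles.append(on_profile_update(cam, "Camera", "IP Camera"))  # INTERNET_ONLY until audited
    roles.append(on_audit_complete(cam))               # CAMERA_VLAN
    return roles


def guest_pc() -> str:
    """A non-802.1X PC is sent to the Internet-only VLAN regardless of audit state."""
    pc = Endpoint(mac="00:00:5E:00:53:20", category="Computer", family="Windows")
    return evaluate(pc)


if __name__ == "__main__":
    for role in camera_onboarding():
        print(role, ENFORCEMENT_PROFILES[role])
    print("guest PC ->", guest_pc())
```

The ordering matters: the "not yet audited" rule sits above the category rules, so even a correctly profiled camera stays Internet-only until the audit flag flips, and the default at the bottom keeps anything the profiler could not classify off the private VLANs.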
Frequent Contributor I
Posts: 62
Registered: ‎12-02-2014

Re: MAC Auth and Profiling Static IP Devices

[ Edited ]

Thanks Tim. That is my problem: the endpoint is not getting profiled. It is a static IP address device. It will never send a DHCP request. I have the helper-address pointing to ClearPass and that works well for PCs and other devices doing DHCP.

How do you get a static IP address device profiled?

[Attachment: profiled.jpg]

Guru Elite
Posts: 8,795
Registered: ‎09-08-2010

Re: MAC Auth and Profiling Static IP Devices

Gotcha. You can use subnet scanning and also Cisco Device Sensor. 

Take a look here 

http://community.arubanetworks.com/aruba/attachments/aruba/aaa-nac-guest-access-byod/15505/1/Cisco%20Device%20Sensor%20Reference%20Configuration%20for%20CPPM%20Profiling.pdf

Thanks, 
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I
Posts: 62
Registered: ‎12-02-2014

Re: MAC Auth and Profiling Static IP Devices

[ Edited ]

Tim, I have seen this doc, but it doesn't help my situation with something like a PLC (Programmable Logic Controller). But the PLC does support SNMP. Isn't there a way to have CPPM query the endpoint via SNMP (public) to get back info to profile it? I am looking for something like this. Is that possible, or am I barking up the wrong tree?

I am trying to determine if there are automated ways to profile static IP address devices immediately when they connect, or am I going to have to maintain some sort of Static Host Table.

Doesn't the subnet scan happen at pre-defined time intervals?
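Tim's pointer to subnet scanning and the question above about querying a PLC over SNMP both come down to the same mechanism: a scan pass walks the static hosts, reads sysDescr over SNMP, and falls back to the MAC OUI for hosts that do not answer. The following is an added example of that classification logic in Python; it is not ClearPass code and does not describe how CPPM's profiler is implemented. The sysDescr patterns, the OUI prefixes, the host list and the SNMP answers are all constructed lab data (the sysDescr OID itself is the standard MIB-II one); the `lab_snmp_get` function stands in for a real SNMP client so the example runs offline.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

SYS_DESCR = "1.3.6.1.2.1.1.1.0"   # MIB-II sysDescr


@dataclass
class Profile:
    category: str
    family: str
    source: str   # "snmp" | "oui" | "none"


# Constructed sysDescr signatures. A real profiler ships a large fingerprint
# database; these patterns only cover the device types discussed in the thread.
SYSDESCR_RULES = [
    (re.compile(r"programmable logic controller|\bPLC\b", re.I), ("Industrial Control", "PLC")),
    (re.compile(r"(IP|network) camera", re.I),                    ("Camera", "IP Camera")),
    (re.compile(r"video decoder", re.I),                          ("Video", "Decoder")),
    (re.compile(r"\brouter\b", re.I),                             ("Network Device", "Router")),
]

# Constructed OUI table: placeholder prefixes, not real IEEE vendor assignments.
OUI_TABLE = {
    "AA:BB:01": ("Industrial Control", "PLC"),
    "AA:BB:02": ("Camera", "IP Camera"),
}


def classify_sysdescr(descr: str) -> Optional[Profile]:
    """Match the SNMP sysDescr string against the signature list."""
    for pattern, (category, family) in SYSDESCR_RULES:
        if pattern.search(descr):
            return Profile(category, family, "snmp")
    return None


def classify_oui(mac: str) -> Optional[Profile]:
    """Weaker evidence: vendor prefix of the MAC address only."""
    hit = OUI_TABLE.get(mac.upper()[:8])
    return Profile(hit[0], hit[1], "oui") if hit else None


def profile_endpoint(ip: str, mac: str,
                     snmp_get: Callable[[str, str], Optional[str]]) -> Profile:
    """SNMP sysDescr first (most specific), OUI as fallback, else Unknown.
    snmp_get(ip, oid) returns the value, or None if the host does not answer."""
    descr = snmp_get(ip, SYS_DESCR)
    if descr:
        found = classify_sysdescr(descr)
        if found:
            return found
    return classify_oui(mac) or Profile("Unknown", "Unknown", "none")


# Constructed lab subnet. Only two of the four static hosts answer SNMP; one is
# recognisable by OUI alone; one is neither and should stay in a restricted role.
FAKE_SNMP_ANSWERS = {
    ("10.1.1.10", SYS_DESCR): "ACME Programmable Logic Controller, firmware 3.2",
    ("10.1.1.11", SYS_DESCR): "ACME IP Camera 2MP, build 1.0.7",
}
STATIC_HOSTS = [
    ("10.1.1.10", "AA:BB:01:00:00:01"),
    ("10.1.1.11", "AA:BB:02:00:00:02"),
    ("10.1.1.12", "AA:BB:02:00:00:03"),   # SNMP disabled, OUI only
    ("10.1.1.13", "00:00:5E:00:53:01"),   # RFC 7042 documentation MAC, unknown device
]


def lab_snmp_get(ip: str, oid: str) -> Optional[str]:
    """Stand-in for an SNMP GET against the constructed data above. In a real
    deployment this is an SNMPv3 query, or read-only v2c restricted by ACL;
    a 'public' community answers anyone on the segment, so treat it as the
    weak setting and scope it to the profiler's source address."""
    return FAKE_SNMP_ANSWERS.get((ip, oid))


def scan_subnet(hosts=STATIC_HOSTS, snmp_get=lab_snmp_get) -> dict:
    """One pass of the periodic subnet scan: profile every host in the list.
    Static devices are only learned when this runs, which is why a device
    that never sends DHCP sits in the profile role until the next pass."""
    return {ip: profile_endpoint(ip, mac, snmp_get) for ip, mac in hosts}


if __name__ == "__main__":
    for ip, prof in scan_subnet().items():
        print(f"{ip:12} {prof.category:20} {prof.family:12} via {prof.source}")
```

The `source` field is worth keeping in the endpoint record: an SNMP-derived profile is strong evidence, while an OUI-only match is easy to spoof, so an enforcement policy can require `source == "snmp"` (or a completed nmap audit) before granting a private VLAN.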
