Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

OnBoarding overwrites custom endpoint attributes

  • 1.  OnBoarding overwrites custom endpoint attributes

    Posted Jan 02, 2014 02:15 PM

    I currently have the enforcement policy looking for a custom attribute on the endpoint called "smart onboard." If that attribute = "yes" then the device will be redirected to OnBoard and the process works great. The customer doesn't want to onboard all smart devices at the moment. 

     

    However, after the device is OnBoarded, the custom attributes are overwritten by the OnBoard data. Is there a way to make sure the custom attributes don't get overwritten?



  • 2.  RE: OnBoarding overwrites custom endpoint attributes

    EMPLOYEE
    Posted Jan 02, 2014 02:27 PM

    Are the custom attributes named the same thing as the Onboard attributes, or are the custom attributes named something different, but are just deleted?

     



  • 3.  RE: OnBoarding overwrites custom endpoint attributes

    Posted Jan 02, 2014 02:40 PM

    The attributes are not named the same thing and just get overwritten/deleted.



  • 4.  RE: OnBoarding overwrites custom endpoint attributes

    EMPLOYEE
    Posted Jan 02, 2014 02:49 PM
    The ClearPass applications use the API to access Policy Manager, which uses a destructive add. We experience this when a user connects to our dot1x network and then registers as a guest: all the custom attributes are blown away for the record.


  • 5.  RE: OnBoarding overwrites custom endpoint attributes

    Posted Jan 02, 2014 03:09 PM

    Any way to get around this? 



  • 6.  RE: OnBoarding overwrites custom endpoint attributes

    EMPLOYEE
    Posted Jan 02, 2014 05:50 PM


  • 7.  RE: OnBoarding overwrites custom endpoint attributes

    EMPLOYEE
    Posted Jan 02, 2014 05:50 PM

    OK.  Can you try to use context about these devices from another source and NOT rely on a custom attribute...or if you DO use it, have another way to distinguish a post-onboarded device.  For example the auth method = EAP-TLS or some identifier in the cert.

     

    To move away from using a custom attribute, try leveraging the context of the user using AD memberof or using a static host list (MAC addresses) OR use device profiler information...

     

    Just some initial thoughts...



  • 8.  RE: OnBoarding overwrites custom endpoint attributes

    EMPLOYEE
    Posted Jan 02, 2014 05:55 PM


  • 9.  RE: OnBoarding overwrites custom endpoint attributes

    Posted Jan 02, 2014 10:00 PM

    Thanks Cappalli, I promoted it.

     

    Ultimately yes, AD attributes such as group membership should be used. This however is somewhat of a POC so the need to pick and choose devices based on a custom attribute is needed. 



  • 10.  RE: OnBoarding overwrites custom endpoint attributes

    EMPLOYEE
    Posted Jan 02, 2014 10:05 PM

    @jclingan wrote:

    Thanks Cappalli, I promoted it.

     

    Ultimately yes, AD attributes such as group membership should be used. This however is somewhat of a POC so the need to pick and choose devices based on a custom attribute is needed. 


    jclingan,

     

    The Endpoint database is indexed primarily by the MAC address.  Just create a static host list of all the MAC addresses that you want to indicate have this attribute.  You can then compare the Calling-Station-Id of the device to the static host list.  If you only have one attribute, just create a static host list with all the MAC addresses that have that attribute and then compare.

     

     



  • 11.  RE: OnBoarding overwrites custom endpoint attributes

    Posted Jan 02, 2014 10:08 PM

    I understand this can be done. Is there a way to easily add all endpoints with attribute "xyz" to a static host list without having to go through and select each MAC address? That's pretty cumbersome.



  • 12.  RE: OnBoarding overwrites custom endpoint attributes

    EMPLOYEE
    Posted Jan 02, 2014 11:13 PM

    You can import a static host list in XML form.

     

    Here is an example of one. You just need to add the MAC addresses in the list separated by a comma and a space.

     

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <TipsContents xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
      <TipsHeader exportTime="Thu Jan 02 22:09:27 CST 2014" version="6.3"/>
      <StaticHostLists>
        <StaticHostList description="" name="Aruba AP Mac" memberType="MACAddress" memberFormat="list" members="00:24:6c:cd:83:c4, 00:0b:86:82:60:97"/>
      </StaticHostLists>
    </TipsContents>