Regular Contributor I
Posts: 159
Registered: ‎03-03-2011

OnBoarding overwrites custom endpoint attributes

I currently have the enforcement policy looking for a custom attribute on the endpoint called "smart onboard." If that attribute = "yes" then the device will be redirected to OnBoard and the process works great. The customer doesn't want to onboard all smart devices at the moment. 

 

However, after the device is OnBoarded, the custom attributes are overwritten by the OnBoard data. Is there a way to make sure the custom attributes don't get overwritten?

Regards,

Josh
___________
ACMP, ACCP
Guru Elite
Posts: 20,815
Registered: ‎03-29-2007

Re: OnBoarding overwrites custom endpoint attributes

Are the custom attributes named the same thing as the Onboard attributes, or are the custom attributes named something different, but are just deleted?

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Regular Contributor I
Posts: 159
Registered: ‎03-03-2011

Re: OnBoarding overwrites custom endpoint attributes

The attributes are not named the same thing and just get overwritten/deleted.

Regards,

Josh
___________
ACMP, ACCP
Guru Elite
Posts: 8,335
Registered: ‎09-08-2010

Re: OnBoarding overwrites custom endpoint attributes

The ClearPass applications use the API to access Policy Manager, which uses a destructive add. We experience this when a user connects to our dot1x network and then registers as a guest: all the custom attributes are blown away for the record.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Regular Contributor I
Posts: 159
Registered: ‎03-03-2011

Re: OnBoarding overwrites custom endpoint attributes

Any way to get around this? 

Regards,

Josh
___________
ACMP, ACCP
Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: OnBoarding overwrites custom endpoint attributes

OK. Can you try to use context about these devices from another source and NOT rely on a custom attribute... or, if you DO use it, have another way to distinguish a post-onboarded device. For example, the auth method = EAP-TLS or some identifier in the cert.

 

To move away from using a custom attribute, try leveraging the context of the user using AD memberof or using a static host list (MAC addresses) OR use device profiler information...

 

Just some initial thoughts...

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Guru Elite
Posts: 20,815
Registered: ‎03-29-2007

Re: OnBoarding overwrites custom endpoint attributes



Colin Joseph
Aruba Customer Engineering


Guru Elite
Posts: 8,335
Registered: ‎09-08-2010

Re: OnBoarding overwrites custom endpoint attributes

Here is my feature request. Please promote it.

 

https://arubanetworkskb.secure.force.com/cp/ideas/viewIdea.apexp?id=08740000000LEWs


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Regular Contributor I
Posts: 159
Registered: ‎03-03-2011

Re: OnBoarding overwrites custom endpoint attributes

Thanks Cappalli, I promoted it.

 

Ultimately yes, AD attributes such as group membership should be used. This, however, is somewhat of a POC, so picking and choosing devices based on a custom attribute is needed.

Regards,

Josh
___________
ACMP, ACCP
Guru Elite
Posts: 20,815
Registered: ‎03-29-2007

Re: OnBoarding overwrites custom endpoint attributes


jclingan wrote:

Thanks Cappalli, I promoted it.

 

Ultimately yes, AD attributes such as group membership should be used. This, however, is somewhat of a POC, so picking and choosing devices based on a custom attribute is needed.


jclingan,

 

The Endpoint database is indexed primarily by the MAC address. Just create a static host list of all the MAC addresses that you want to indicate have this attribute. You can then compare the calling-station-id of the device to the static host list. If you only have one attribute, just create a static host list with all the MAC addresses that have that attribute and then compare.

 

 



Colin Joseph
Aruba Customer Engineering
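
Added example, not written by any poster in this thread and not ClearPass code: a Python model of the check suggested in the replies above, where the Calling-Station-Id is compared to a static host list and a device that already authenticates with EAP-TLS is treated as onboarded. The function names, the list file format and the sample MAC addresses are assumptions constructed for illustration.

```python
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(value):
    """Return a MAC as 12 lowercase hex digits, or None if it is not a MAC."""
    # Calling-Station-Id formatting differs between network devices:
    # AA-BB-CC-DD-EE-FF, aa:bb:cc:dd:ee:ff, aabb.ccdd.eeff, aabbccddeeff.
    digits = re.sub(r"[-:.\s]", "", value.strip().lower())
    return digits if _HEX12.match(digits) else None


def load_static_host_list(lines):
    """Build a set of normalized MACs; skip blanks and '#' comments."""
    hosts = set()
    for number, line in enumerate(lines, 1):
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        mac = normalize_mac(entry)
        if mac is None:
            # Fail loudly: a silently dropped entry changes policy behaviour.
            raise ValueError(f"line {number}: not a MAC address: {entry!r}")
        hosts.add(mac)
    return hosts


def redirect_to_onboard(calling_station_id, auth_method, hosts):
    """True when the device is listed and has not yet authenticated with EAP-TLS."""
    mac = normalize_mac(calling_station_id)
    if mac is None:
        return False  # an unparseable identifier never matches the list
    return mac in hosts and auth_method.upper() != "EAP-TLS"


# Constructed sample list (hypothetical devices chosen for the pilot).
SAMPLE_LIST = """\
# pilot smart devices
00:11:22:AA:BB:01
0011.22aa.bb02   # tablet
"""
HOSTS = load_static_host_list(SAMPLE_LIST.splitlines())

if __name__ == "__main__":
    for csid, method in [("00-11-22-AA-BB-01", "EAP-PEAP"),
                         ("001122aabb02", "EAP-TLS"),
                         ("00-11-22-AA-BB-99", "EAP-PEAP")]:
        print(csid, method, redirect_to_onboard(csid, method, HOSTS))
```

Because the decision depends only on the MAC address and the authentication method, it does not change when the endpoint's custom attributes are replaced. A MAC address can be spoofed, so a list like this is suited to choosing which devices are offered onboarding, not to granting access by itself.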
