Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Procedure for submitting DHCP signatures for unknown devices into endpoint database

  • 1.  Procedure for submitting DHCP signatures for unknown devices into endpoint database

    Posted Nov 14, 2014 05:57 AM

    We're about to roll out a new family of switches which will use our ClearPass cluster for both MAC and 802.1X authentication. Our old way of supporting wired authentication is via FreeRADIUS and a whole batch of flat text files that tell FreeRADIUS which VLAN to drop a client device into.

    While I can set up an enforcement policy to assign a named VLAN based upon endpoint database contents, as we can't locally add DHCP signatures (can we?), what are the procedures for submitting new DHCP fingerprints to Aruba, and how long would it take to see a ClearPass endpoint profile update reflecting our updates?

    Rgds

    Alex



  • 2.  RE: Procedure for submitting DHCP signatures for unknown devices into endpoint database

    EMPLOYEE
    Posted Nov 14, 2014 06:32 AM
    You can override endpoints with a different fingerprint but you cannot add fingerprints. To request an addition, open a TAC case.


  • 3.  RE: Procedure for submitting DHCP signatures for unknown devices into endpoint database

    Posted Nov 14, 2014 07:06 AM

    Ah!

    I guess that's not going to be a quick process then. We seem to have a lot of strange Building Management or A/V devices that we'll need to categorise in some manner so that we can assign them to the appropriate VLAN. Would be a pain if we have to edit every individual client device.

    A



  • 4.  RE: Procedure for submitting DHCP signatures for unknown devices into endpoint database

    EMPLOYEE
    Posted Nov 14, 2014 07:08 AM
    How were you handling them pre-ClearPass? Is there a database you can pull data from?


  • 5.  RE: Procedure for submitting DHCP signatures for unknown devices into endpoint database

    EMPLOYEE
    Posted Nov 15, 2014 03:20 AM

    You can work with your local ClearPass SE or SE. Depending on how many devices are not showing up profiled, they might be able to get them submitted and added to the next update.

    The endpoint updates go out usually every two weeks unless there are a large amount that need to be pushed.

    Tim is correct: you will still need to submit a screenshot of the DHCP fingerprint that is at the bottom of the endpoint, and what it should show up as, in a TAC case so the items can be tracked and profiled correctly.



  • 6.  RE: Procedure for submitting DHCP signatures for unknown devices into endpoint database

    Posted Nov 15, 2014 03:55 AM
    Thanks for the info. Previous way wasn't really representative of real device types as identified by DHCP. Trying to start afresh using what's available in ClearPass / mobility controllers wherever possible.

    Just to go back to Windows OS detection. Under what conditions does ClearPass just return a device name of Windows?
    At one point I had 10 out of 11k Windows devices. Might be a coincidence, but after turning on IF-MAP this turned into 150 in a matter of mins. As I mentioned previously (different thread), out of the initial 10 we knew that most of them were either Win 7 or Win 8 machines.

    Rgds
    Alex