Super Contributor I
Posts: 289
Registered: ‎02-07-2013

Procedure for submitting dhcp signatures for unknown devices into endpoint database

We're about to roll out a new family of switches which will use our ClearPass cluster for both MAC and 802.1X authentication. Our old way of supporting wired authentication is via FreeRADIUS and a whole batch of flat text files that tell FreeRADIUS which VLAN to drop a client device into.

While I can set up an enforcement policy to assign a named VLAN based upon endpoint database contents, as we can't locally add DHCP signatures (can we?), what are the procedures for submitting new DHCP fingerprints to Aruba, and how long would it take to see a ClearPass endpoint profile update reflecting our updates?

Rgds

Alex

Guru Elite
Posts: 8,171
Registered: ‎09-08-2010

Re: Procedure for submitting dhcp signatures for unknown devices into endpoint database

You can override endpoints with a different fingerprint but you cannot add fingerprints. To request an addition, open a TAC case.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Super Contributor I
Posts: 289
Registered: ‎02-07-2013

Re: Procedure for submitting dhcp signatures for unknown devices into endpoint database

Ah!

I guess that's not going to be a quick process then. We seem to have a lot of strange Building Management or A/V devices that we'll need to categorise in some manner so that we can assign them to the appropriate VLAN. Would be a pain if we have to edit every individual client device.

A

Guru Elite
Posts: 8,171
Registered: ‎09-08-2010

Re: Procedure for submitting dhcp signatures for unknown devices into endpoint database

How were you handling them pre-ClearPass? Is there a database you can pull data from?

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Aruba
Posts: 1,537
Registered: ‎06-12-2012

Re: Procedure for submitting dhcp signatures for unknown devices into endpoint database

You can work with your local ClearPass SE or SE. Depending on how many devices are not showing up profiled, they might be able to get them submitted and added to the next update.

The endpoint updates usually go out every two weeks unless there are a large amount that need to be pushed.

Tim is correct; you will still need to submit a screenshot of the DHCP fingerprint that is at the bottom of the endpoint, and what it should show up as, in a TAC case so the items can be tracked and profiled correctly.

Thank You,
Troy

Super Contributor I
Posts: 289
Registered: ‎02-07-2013

Re: Procedure for submitting dhcp signatures for unknown devices into endpoint database

Thanks for the info. Previous way wasn't really representative of real device types as identified by DHCP. Trying to start afresh using what's avail in ClearPass / mobility controllers wherever possible.

Just to go back to Windows OS detection. Under what conditions does ClearPass just return a device name of Windows?
At one point I had 10 out of 11k Windows devices. Might be a coincidence, but after turning on IF-MAP this turned into 150 in a matter of mins. As I mentioned previously (different thread), out of the initial 10 we knew that most of them were either Win 7 or Win 8 machines.

Rgds
Alex