Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

[Tip] Using IF-MAP fingerprints to identify legacy devices

  • 1.  [Tip] Using IF-MAP fingerprints to identify legacy devices

    EMPLOYEE
    Posted Apr 17, 2014 08:20 AM

    If you have IF-MAP turned up on the controller, you gain another profile source in ClearPass which can give you even more granular information about a device's operating system. (Configuring IF-MAP on a controller)

    Here's a sample role map that lets you identify legacy operating systems that are no longer supported by the manufacturer. This can be beneficial if you are not using OnBoard or OnGuard and still want to isolate these legacy, vulnerable clients.

    The IF-MAP data is stored in the Authorization:[Endpoints Repository] Fingerprint attribute. ClearPass is able to profile the Windows version without the IF-MAP data, so we're just using "Device Name".

    [Screenshot: legacy-role-map.PNG]

    The role map is attached. You can import it directly to ClearPass or you can export your existing role map, copy the XML from the attached file and merge it with your role map. Then reimport.

    Attachment: LEGACY-OS-ROLE-MAP.zip (1 KB)


  • 2.  RE: [Tip] Using IF-MAP fingerprints to identify legacy devices

    Posted Apr 22, 2014 10:09 AM

    Given that ifmap sends all HTTP strings and mDNS broadcasts to ClearPass, do you know whether EVERY mDNS broadcast is sent to ClearPass, or is the controller regulating this so as not to bombard ClearPass? (With lots of iOS/Mac devices, I would be worried enabling ifmap could overwhelm ClearPass...)



  • 3.  RE: [Tip] Using IF-MAP fingerprints to identify legacy devices

    EMPLOYEE
    Posted Apr 22, 2014 10:10 AM

    If you do a user-debug, it looks like it sends it every time. We have had it turned up for about 6 months without any issues.



  • 4.  RE: [Tip] Using IF-MAP fingerprints to identify legacy devices

    Posted Apr 22, 2014 10:20 AM
    Thanks, Tim.

    In our experience, with AirGroup enabled without enforce registration (in other words, flooding mDNS queries to ClearPass), we've seen an additional 6,000-8,500 RADIUS requests per minute. Our experience is that this cripples ClearPass. This is the type of activity my question stemmed from.


  • 5.  RE: [Tip] Using IF-MAP fingerprints to identify legacy devices

    EMPLOYEE
    Posted Apr 22, 2014 10:22 AM

    For AirGroup enforcement, we are adding two additional servers to the cluster that will handle only AirGroup authorizations.



  • 6.  RE: [Tip] Using IF-MAP fingerprints to identify legacy devices

    Posted Apr 22, 2014 10:36 AM
    Yup, we have 2 of our 6 subscribers handling airgroup (pilot) and captive portal / guest functions. The remaining 4 subscribers are doing .1X radius only.


  • 7.  RE: [Tip] Using IF-MAP fingerprints to identify legacy devices

    EMPLOYEE
    Posted May 01, 2014 01:47 PM

    If you don't necessarily want to take action on these legacy devices, you can also use external tools like Splunk to create some metric dashboards with the data.

    Simply add the logic to your role map to "tag" the device and be sure "Common.Roles" is being sent to syslog.

    [Screenshot: splunk_legacy-devces.jpg]
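The role-map logic the first post describes (tagging endpoints whose profiled "Device Name" is an end-of-support Windows version) and the syslog-based metric this reply suggests (tag the device in the role map, ship "Common.Roles" to syslog, count in a dashboard tool), worked through as one added Python example. This is not code from the thread or from the attached role map: the list of legacy Windows versions, the role name Legacy-OS, the default role Employee, the endpoint records and the key=value syslog line format are all constructed assumptions; ClearPass's real syslog export format depends on the configured export filter and is not shown on the page.

```python
import re
from collections import defaultdict

# Assumed set of Windows versions that were past vendor end-of-support in 2014; the
# thread's attached role map does not say which versions it matches. Each pattern is
# applied to the profiled "Device Name" attribute, as the post says its role map does.
LEGACY_OS_PATTERNS = [
    re.compile(r"\bWindows (XP|2000|NT|ME|98|95)\b", re.IGNORECASE),
]
LEGACY_TAG = "Legacy-OS"      # constructed role name used as the "tag"
DEFAULT_ROLE = "Employee"     # constructed role every authenticated endpoint gets


def evaluate_role_map(endpoint):
    """Roles a role map of the kind described would assign to one endpoint record.

    `endpoint` carries the attributes the post names: "Device Name" (ClearPass's own
    profiled OS) and, when IF-MAP is on, "Fingerprint". Only Device Name is matched,
    because the post notes the Windows version is profiled without the IF-MAP data.
    """
    roles = [DEFAULT_ROLE]
    device_name = endpoint.get("Device Name", "")
    if any(p.search(device_name) for p in LEGACY_OS_PATTERNS):
        roles.append(LEGACY_TAG)
    return roles


def format_syslog(endpoint, roles):
    """Constructed key=value syslog line carrying Common.Roles (an assumption; the
    real export format is whatever the ClearPass syslog export filter is set to)."""
    return (f'mac={endpoint["mac"]} username={endpoint["username"]} '
            f'Common.Roles={",".join(roles)} device_name="{endpoint.get("Device Name", "")}"')


LINE_RE = re.compile(
    r'mac=(?P<mac>\S+) username=\S+ Common\.Roles=(?P<roles>\S+) device_name="(?P<name>[^"]*)"'
)


def legacy_summary(lines, tag=LEGACY_TAG):
    """Count distinct MACs carrying `tag`, broken down by device name, for a dashboard.

    Deduplicating on MAC matters because one client re-authenticates many times a day,
    so counting raw lines would inflate the metric. Lines that do not parse are skipped.
    """
    macs_by_name = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if m is None:
            continue
        if tag in m.group("roles").split(","):
            macs_by_name[m.group("name")].add(m.group("mac").lower())
    return {name: len(macs) for name, macs in macs_by_name.items()}


# Constructed endpoint records (not real data); alice's XP laptop appears twice to
# show the MAC deduplication in legacy_summary.
SAMPLE_ENDPOINTS = [
    {"mac": "00:11:22:33:44:55", "username": "alice", "Device Name": "Windows XP"},
    {"mac": "00:11:22:33:44:56", "username": "bob", "Device Name": "Windows 7"},
    {"mac": "00:11:22:33:44:57", "username": "carol", "Device Name": "Windows 2000 Professional"},
    {"mac": "00:11:22:33:44:58", "username": "dave", "Device Name": "Apple Mac OS X"},
    {"mac": "00:11:22:33:44:55", "username": "alice", "Device Name": "Windows XP"},
]

# Run the role map over each record and emit the syslog line a dashboard would ingest.
SAMPLE_LOG_LINES = [format_syslog(e, evaluate_role_map(e)) for e in SAMPLE_ENDPOINTS]


if __name__ == "__main__":
    for line in SAMPLE_LOG_LINES:
        print(line)
    print(legacy_summary(SAMPLE_LOG_LINES))
```

The tag-then-count split mirrors the reply's point: the role map does the classification once, at authentication time, and the dashboard only has to filter on the role name in Common.Roles rather than re-implementing OS matching on the log side.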



  • 8.  RE: [Tip] Using IF-MAP fingerprints to identify legacy devices

    Posted Nov 14, 2014 09:07 AM

    Looks good. So if I want to create a ClearPass user to use for the input of IF-MAP data, what ClearPass privilege level does the user need to have?

    Rgds

    A



  • 9.  RE: [Tip] Using IF-MAP fingerprints to identify legacy devices

    EMPLOYEE
    Posted Nov 14, 2014 09:08 AM

    API admin. You can use the Admin User repository.



  • 10.  RE: [Tip] Using IF-MAP fingerprints to identify legacy devices

    Posted Jul 17, 2018 08:29 AM

    Was browsing around and found this again. Given that I also found it in 2014, methinks something untoward happened when I switched IF-MAP on back then, so I immediately switched it off.

    Time's passed and we've now got a building ClearPass cluster and mobility controller, so if something goes wrong it's only our building that gets screwed up.

    Two questions:

    1) Anyone else out there using IF-MAP in a production cluster, and did you have to do anything special to the ClearPass end?

    2) How do you check on ClearPass that it's actually doing something? The controller says it's established a connection to 443 on our building master publisher, but then what? Nothing in the event or auth logs and no appropriate roles associated with an endpoint entry.

    What debug logs do I need to look in to see if cpm is processing IF-MAP data?