Guru Elite
Posts: 8,190
Registered: ‎09-08-2010

[Tip] Using IF-MAP fingerprints to identify legacy devices

If you have IF-MAP turned up on the controller, you gain another profile source in ClearPass which can give you even more granular information about a device's operating system. (Configuring IF-MAP on a controller)

Here's a sample role map that lets you identify legacy operating systems that are no longer supported by the manufacturer. This can be beneficial if you are not using OnBoard or OnGuard and still want to isolate these legacy, vulnerable clients.

The IF-MAP data is stored in the Authorization:[Endpoints Repository] Fingerprint attribute. ClearPass is able to profile Windows version without the IF-MAP data, so we're just using "Device Name".

legacy-role-map.PNG

The role map is attached. You can import it directly to ClearPass or you can export your existing role map, copy the XML from the attached file and merge it with your role map. Then reimport.


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
MVP
Posts: 497
Registered: ‎04-03-2007

Re: [Tip] Using IF-MAP fingerprints to identify legacy devices

Given that ifmap sends all HTTP strings and mDNS broadcasts to ClearPass, do you know whether EVERY mDNS broadcast is sent to ClearPass, or is the controller regulating this so as not to bombard ClearPass? (With lots of iOS/Mac devices, I would be worried enabling ifmap could overwhelm ClearPass...)

==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University
Guru Elite
Posts: 8,190
Registered: ‎09-08-2010

Re: [Tip] Using IF-MAP fingerprints to identify legacy devices

If you do a user-debug, it looks like it sends it every time. We have had it turned up for about 6 months without any issues.


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
MVP
Posts: 497
Registered: ‎04-03-2007

Re: [Tip] Using IF-MAP fingerprints to identify legacy devices

Thanks, Tim.

In our experience, with airgroup enabled without enforce registration (in other words, flooding mDNS queries to clearpass), we've seen an additional 6,000-8,500 radius requests per minute. Our experience is that this cripples ClearPass. This type of activity is from where my question stemmed.
==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University
Guru Elite
Posts: 8,190
Registered: ‎09-08-2010

Re: [Tip] Using IF-MAP fingerprints to identify legacy devices

For AirGroup enforcement, we are adding two additional servers to the cluster that will handle only AirGroup authorizations.


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
MVP
Posts: 497
Registered: ‎04-03-2007

Re: [Tip] Using IF-MAP fingerprints to identify legacy devices

Yup, we have 2 of our 6 subscribers handling airgroup (pilot) and captive portal / guest functions. The remaining 4 subscribers are doing .1X radius only.
==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University
Guru Elite
Posts: 8,190
Registered: ‎09-08-2010

Re: [Tip] Using IF-MAP fingerprints to identify legacy devices

If you don't necessarily want to take action on these legacy devices, you can also use external tools like Splunk to create some metric dashboards with the data.

Simply add the logic to your role map to "tag" the device and be sure "Common.Roles" is being sent to syslog.

splunk_legacy-devces.jpg


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Super Contributor I
Posts: 289
Registered: ‎02-07-2013

Re: [Tip] Using IF-MAP fingerprints to identify legacy devices

Looks good. So if I want to create a clearpass user to use for the input of IF-MAP data, what clearpass privilege level does the user need to have?

Rgds

A

Guru Elite
Posts: 8,190
Registered: ‎09-08-2010

Re: [Tip] Using IF-MAP fingerprints to identify legacy devices

API admin. You can use the Admin User repository.


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP