Security

last person joined: yesterday 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Back to discussions
Expand all | Collapse all

bad profile job by Clearpass

This thread has been viewed 0 times

  • 1.  bad profile job by Clearpass

    Posted Nov 06, 2014 05:29 PM

    Is it normal for devices to be profiled incorrectly by Clearpass?  I had a machine that was behaving badly on the network it was profiled as a WinXP machine.  So I assumed it may have gotten compromised, however the machine turned out to be a Windows 8 laptop.  Why the bad profile? If it couldn't profile wouldn't it just say unknown rather then guess?

     

     



  • 2.  RE: bad profile job by Clearpass

    EMPLOYEE
    Posted Nov 06, 2014 05:31 PM
    Are there any virtual guests running on the device? Is the device dual-booted?


  • 3.  RE: bad profile job by Clearpass

    EMPLOYEE
    Posted Nov 06, 2014 05:31 PM
    Also, what did the controller profile it as.? You can see this on the Input tab under RADIUS in access tracker.


  • 4.  RE: bad profile job by Clearpass

    Posted Nov 06, 2014 07:08 PM

    darn, user is not on anymore, I will have to check when I see them next. Thanks for the help

     

     



  • 5.  RE: bad profile job by Clearpass

    Posted Nov 06, 2014 08:03 PM

    If ClearPass profiled it, the device should still be in the endpoint database even if the user is not online anymore.  

     

    Within the Endpoints Database (Configuration --> Identity --> Endpoints), have a look at the profile fingerprint for that MAC address to determine how it was categorized.  For example, this one was profiled by both DHCP and HTTP User Agent.

     

    cppm-profile-ginerprint.png

     

    Or as Tim suggests, check what the controller profiled it as as well in Access Tracker:

     

    cppm-controler-device-type.png