Security

Reply
Frequent Contributor II

bad profile job by Clearpass

Is it normal for devices to be profiled incorrectly by Clearpass?  I had a machine that was behaving badly on the network it was profiled as a WinXP machine.  So I assumed it may have gotten compromised, however the machine turned out to be a Windows 8 laptop.  Why the bad profile? If it couldn't profile wouldn't it just say unknown rather then guess?

 

 

Guru Elite

Re: bad profile job by Clearpass

Are there any virtual guests running on the device? Is the device dual-booted?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Guru Elite

Re: bad profile job by Clearpass

Also, what did the controller profile it as.? You can see this on the Input tab under RADIUS in access tracker.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor II

Re: bad profile job by Clearpass

darn, user is not on anymore, I will have to check when I see them next. Thanks for the help

 

 

Aruba

Re: bad profile job by Clearpass

If ClearPass profiled it, the device should still be in the endpoint database even if the user is not online anymore.  

 

Within the Endpoints Database (Configuration --> Identity --> Endpoints), have a look at the profile fingerprint for that MAC address to determine how it was categorized.  For example, this one was profiled by both DHCP and HTTP User Agent.

 

cppm-profile-ginerprint.png

 

Or as Tim suggests, check what the controller profiled it as as well in Access Tracker:

 

cppm-controler-device-type.png

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: