Frequent Contributor II
Posts: 120
Registered: ‎10-31-2012

bad profile job by Clearpass

Is it normal for devices to be profiled incorrectly by Clearpass? I had a machine that was behaving badly on the network; it was profiled as a WinXP machine. So I assumed it may have gotten compromised; however, the machine turned out to be a Windows 8 laptop. Why the bad profile? If it couldn't profile, wouldn't it just say unknown rather than guess?

Guru Elite
Posts: 8,639
Registered: ‎09-08-2010

Re: bad profile job by Clearpass

Are there any virtual guests running on the device? Is the device dual-booted?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Guru Elite
Posts: 8,639
Registered: ‎09-08-2010

Re: bad profile job by Clearpass

Also, what did the controller profile it as? You can see this on the Input tab under RADIUS in Access Tracker.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor II
Posts: 120
Registered: ‎10-31-2012

Re: bad profile job by Clearpass

Darn, the user is not on anymore; I will have to check when I see them next. Thanks for the help.

Aruba
Posts: 1,644
Registered: ‎04-13-2009

Re: bad profile job by Clearpass

If ClearPass profiled it, the device should still be in the endpoint database even if the user is not online anymore.

Within the Endpoints Database (Configuration --> Identity --> Endpoints), have a look at the profile fingerprint for that MAC address to determine how it was categorized. For example, this one was profiled by both DHCP and HTTP User Agent.

[Image: cppm-profile-ginerprint.png]

Or, as Tim suggests, check what the controller profiled it as in Access Tracker as well:

[Image: cppm-controler-device-type.png]

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
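
An added example, not part of the thread and not ClearPass code: a cross-check for the situation the replies ask about, where one MAC address presents more than one Windows release in its HTTP User-Agents (as a NAT-mode virtual guest or a dual-boot install would). The function names and the (MAC, User-Agent) input format are assumptions for illustration, and the sample records are constructed.

```python
import re
from collections import defaultdict

# Windows NT kernel versions as they appear in browser User-Agent strings.
NT_VERSIONS = {
    "5.1": "Windows XP",
    "6.0": "Windows Vista",
    "6.1": "Windows 7",
    "6.2": "Windows 8",
    "6.3": "Windows 8.1",
    "10.0": "Windows 10",
}
NT_RE = re.compile(r"Windows NT (\d+\.\d+)")


def os_from_user_agent(ua):
    """Return the Windows release named in a User-Agent, or None if absent."""
    m = NT_RE.search(ua)
    return NT_VERSIONS.get(m.group(1)) if m else None


def conflicting_endpoints(observations):
    """Map MAC -> sorted OS names for MACs whose User-Agents disagree."""
    seen = defaultdict(set)
    for mac, ua in observations:
        os_name = os_from_user_agent(ua)
        if os_name:  # ignore User-Agents that name no Windows release
            seen[mac.lower()].add(os_name)
    return {mac: sorted(names) for mac, names in seen.items() if len(names) > 1}


# Constructed sample: (MAC address, HTTP User-Agent) pairs, assumed to have
# been exported from whatever source records the endpoint's HTTP requests.
SAMPLE = [
    # Host OS browser on the laptop
    ("00:11:22:33:44:55",
     "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)"),
    # Guest OS browser, seen under the same MAC (different letter case)
    ("00:11:22:33:44:55".upper(),
     "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"),
    # A second endpoint with one consistent OS: not flagged
    ("66:77:88:99:aa:bb",
     "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0"),
    # Non-browser agent with no OS token: ignored
    ("66:77:88:99:aa:bb", "Microsoft-CryptoAPI/6.1"),
]

if __name__ == "__main__":
    for mac, names in conflicting_endpoints(SAMPLE).items():
        print(f"{mac}: conflicting OS evidence {names}")
```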
