11-06-2014 02:28 PM
Is it normal for devices to be profiled incorrectly by Clearpass? I had a machine that was behaving badly on the network it was profiled as a WinXP machine. So I assumed it may have gotten compromised, however the machine turned out to be a Windows 8 laptop. Why the bad profile? If it couldn't profile wouldn't it just say unknown rather then guess?
11-06-2014 02:31 PM
Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
11-06-2014 05:03 PM - edited 11-06-2014 05:06 PM
If ClearPass profiled it, the device should still be in the endpoint database even if the user is not online anymore.
Within the Endpoints Database (Configuration --> Identity --> Endpoints), have a look at the profile fingerprint for that MAC address to determine how it was categorized. For example, this one was profiled by both DHCP and HTTP User Agent.
Or as Tim suggests, check what the controller profiled it as as well in Access Tracker:
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX