Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Manual New Endpoint Profiling in ClearPass

  • 1.  Manual New Endpoint Profiling in ClearPass

    Posted Apr 13, 2022 09:22 AM
    Been having some challenges rolling out endpoint profiling to devices that do not pull DHCP addresses. Our policy flow dictates that MAC auth devices must be profiled and additionally have their access verified based on the profile.

    I have found a script that allows you to set up a page under the guest module to profile devices manually, which works. Unfortunately that script requires system admin credentials to be a part of the script. Anyone with access to that page who is able to view the source can find those credentials. So to me that solution is a no go.

    https://community.arubanetworks.com/browse/articles/blogviewer?blogkey=fcdc5fae-f643-4c2d-a5e4-8d77730f8235

    Does anyone have any suggestions on manually profiling devices that cannot be profiled via DHCP or other means?

    Thanks,
    Chris

    ------------------------------
    Christopher Calhoun
    ------------------------------


  • 2.  RE: Manual New Endpoint Profiling in ClearPass

    Posted Apr 13, 2022 11:08 AM
    This is difficult without a custom solution.

    Even with 'active' profiling it's the chicken or the egg situation. You can't scan a device (NMAP fingerprinting for example) unless it's on the network already. And you would be running the scan once per day at best.

    What type of devices are they?

    ------------------------------
    Regards,

    Brett V
    ------------------------------




  • 3.  RE: Manual New Endpoint Profiling in ClearPass

    EMPLOYEE
    Posted May 03, 2022 10:05 AM
    You may be successful in creating an admin/operator profile that has only rights to change these attributes, which is an improvement over the rights available for the full admin. Another option would be to put some server in between, with either a custom frontend to do device reclassification (and use the same API calls to ClearPass in the backend, but put the credentials in the application running on the server); or a simpler script where you take the request as it would have been posted to the API, but post it to your own script instead, check the fields to make sure there are no weird statements in them, then insert the credentials server-side (still trimmed-down would have my preference) and forward to the actual API location on ClearPass. Both should be not too hard to achieve with, for example, PHP.

    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
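One way to build the credential-injecting relay described in the reply above, as an added example (Python rather than PHP; not code from this thread or from HPE Aruba). The browser-facing page posts only the MAC and the profile attributes; the relay validates them against an allowlist, adds the service credential server-side, and forwards to ClearPass. The host name, token, attribute allowlist and the `/api/endpoint/mac-address/{mac}` path are assumptions to adjust for a real deployment.

```python
import json
import re
from urllib import request

# Hypothetical ClearPass host and trimmed-down operator token, held only on this server.
CLEARPASS_BASE = "https://clearpass.example.internal"
API_TOKEN = "REPLACE_WITH_TRIMMED_DOWN_OPERATOR_TOKEN"

# Only the profiling attributes the guest page is meant to change may pass through.
ALLOWED_ATTRIBUTES = {"device_category", "device_family", "device_name"}
# Conservative value charset so nothing unexpected reaches the ClearPass API.
VALUE_RE = re.compile(r"^[A-Za-z0-9 ._/-]{1,64}$")
MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw):
    """Strip separators and lowercase; reject anything that is not 12 hex digits."""
    mac = re.sub(r"[^0-9A-Fa-f]", "", raw).lower()
    if not MAC_RE.match(mac):
        raise ValueError("invalid MAC address")
    return mac


def validate_request(payload):
    """Return (mac, body) for the upstream call, or raise ValueError on bad input."""
    mac = normalize_mac(str(payload.get("mac", "")))
    attrs = payload.get("attributes")
    if not isinstance(attrs, dict) or not attrs:
        raise ValueError("attributes must be a non-empty object")
    unknown = set(attrs) - ALLOWED_ATTRIBUTES
    if unknown:
        raise ValueError(f"attribute not permitted: {', '.join(sorted(unknown))}")
    for key, value in attrs.items():
        if not isinstance(value, str) or not VALUE_RE.match(value):
            raise ValueError(f"bad value for {key}")
    return mac, {"attributes": dict(attrs)}


def build_forward(payload, token=API_TOKEN, base=CLEARPASS_BASE):
    """Build the upstream request; the credential is attached here, never client-side."""
    mac, body = validate_request(payload)
    # Assumed ClearPass REST path for updating an endpoint by MAC address.
    url = f"{base}/api/endpoint/mac-address/{mac}"
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    return {"method": "PATCH", "url": url, "headers": headers, "body": body}


def relay(payload):
    """Called by the web handler; forwards the validated request and returns the status."""
    fwd = build_forward(payload)
    req = request.Request(fwd["url"], data=json.dumps(fwd["body"]).encode(),
                          headers=fwd["headers"], method=fwd["method"])
    with request.urlopen(req, timeout=10) as resp:
        return resp.status
```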