
Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Mac authentication & Profiling

  • 1.  Mac authentication & Profiling

    Posted Jul 19, 2021 02:34 PM
    Hello Experts, 
    I was wondering what the difference could be. I came across an implementation on ClearPass where all printer MACs are added via static-host entries and IAPs via profiling. What really makes the difference? Could printers still have been added via profiling? I was told that to get an IAP to work, it needs to be connected to an untrusted (non-ClearPass-enabled) port for ClearPass to profile it, and later ClearPass is enabled on the port before it will work. Can anyone please explain this to me? I am new to this product.

    Best regards

    Emmanuel Egbewatt

  • 2.  RE: Mac authentication & Profiling

    Posted Jul 20, 2021 02:31 AM
    Use of SHL vs profiling for the printer may be as simple as not wanting all printers to be allowed, but only certain printers. Profiling with SHL can add a little extra, but the dhcp-client conf file can be easily edited to make the clients have the same DHCP fingerprint as a printer while you configure your hardware MAC address to spoof the printer.

    At the end of the day it is still MAC auth, so make sure you also use ACLs to tighten the access down.

    As for IAP and authenticated ports...
    It depends on the switch and firmware. If we're talking about Aruba switches, it will need to support device port-mode. 

    Something like:

        aaa authorization user-role name "IAP-ROLE-NAME"
            vlan-id 999
            vlan-id-tagged 123,124
            poe-priority high

  • 3.  RE: Mac authentication & Profiling

    Posted Jul 20, 2021 05:02 AM
    The basic ClearPass profiling is based around profiling a device from its DHCP packets (these packets are usually relayed to ClearPass as well as to the DHCP server). If the device has a static IP address then, clearly, ClearPass will not be able to profile this device.
    ClearPass also has proactive profiling: SNMP, SSH (really only useful for Linux-based devices), WMI and NMAP (can be very inaccurate; best used in conjunction with one of the other profiling techniques, but very useful to distinguish servers with a specific job role, e.g. print servers).
    SNMP is possibly the most useful and very accurate, but ClearPass does not have many SNMP fingerprints. This is OK as you can add your own fingerprints. Have a look at the attached document as it might give you some ideas...

    Derin Mellor

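    The DHCP-based profiling Derin describes, together with the fingerprint-spoofing caveat from the earlier reply, as an added example (not part of this thread and not ClearPass code). It parses the option area of a DHCP packet, builds the classic fingerprint (option 55 parameter request list plus option 60 vendor class), looks it up in a small constructed fingerprint table, and shows that a host which copies a printer's option list is profiled as a printer whatever its MAC address is. The packets and the fingerprint table are constructed for the example; the Windows entry is the commonly seen option list, the printer entry is invented.

    ```python
    from __future__ import annotations

    # Added example (not ClearPass code): how DHCP-based profiling classifies a
    # device, and why a DHCP fingerprint is evidence, not identity.

    DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2132 magic cookie after the 236-byte BOOTP header
    OPT_PARAM_REQUEST_LIST = 55
    OPT_VENDOR_CLASS = 60

    # Constructed fingerprint table keyed on (option-55 list, option-60 vendor class).
    # Illustrative only; a real profiler carries thousands of these entries.
    FINGERPRINTS: dict[tuple[str, str], tuple[str, str]] = {
        ("1,3,6,15,31,33,43,44,46,47,119,121,249,252", "MSFT 5.0"): ("Computer", "Windows"),
        ("1,3,6,12,15,42,44,46,47", "ExamplePrinter/1.0"): ("Printer", "Example"),
    }


    def build_dhcp_discover(chaddr: bytes, options: dict[int, bytes]) -> bytes:
        """Construct a minimal DHCPDISCOVER payload (the UDP body) for the samples below."""
        if len(chaddr) != 6:
            raise ValueError("chaddr must be 6 bytes")
        hdr = bytearray(236)
        hdr[0], hdr[1], hdr[2] = 1, 1, 6      # op=BOOTREQUEST, htype=Ethernet, hlen=6
        hdr[28:34] = chaddr                   # client hardware address
        body = bytearray(DHCP_MAGIC)
        body += bytes([53, 1, 1])             # option 53: message type DISCOVER
        for code, value in options.items():
            body += bytes([code, len(value)]) + value
        body.append(255)                      # end option
        return bytes(hdr) + bytes(body)


    def parse_dhcp_options(payload: bytes) -> dict[int, bytes]:
        """Parse the TLV option area; rejects payloads without the cookie or truncated options."""
        if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
            raise ValueError("not a DHCP payload")
        opts: dict[int, bytes] = {}
        i = 240
        while i < len(payload):
            code = payload[i]
            if code == 0:                     # pad option, single byte
                i += 1
                continue
            if code == 255:                   # end option
                return opts
            if i + 2 > len(payload):
                raise ValueError("truncated option header")
            length = payload[i + 1]
            value = payload[i + 2:i + 2 + length]
            if len(value) != length:
                raise ValueError("truncated option value")
            opts[code] = value
            i += 2 + length
        raise ValueError("missing end option")


    def fingerprint(opts: dict[int, bytes]) -> tuple[str, str]:
        """Fingerprint = comma-joined option 55 list plus the option 60 vendor class string."""
        prl = ",".join(str(b) for b in opts.get(OPT_PARAM_REQUEST_LIST, b""))
        vendor = opts.get(OPT_VENDOR_CLASS, b"").decode("ascii", "replace")
        return prl, vendor


    def classify(payload: bytes) -> dict[str, str]:
        """Return the profiled category/family for one DHCP packet, or Unknown."""
        opts = parse_dhcp_options(payload)
        mac = payload[28:34].hex(":")
        category, family = FINGERPRINTS.get(fingerprint(opts), ("Unknown", "Unknown"))
        return {"mac": mac, "category": category, "family": family}


    # Constructed sample traffic.
    PRINTER_OPTS = {55: bytes([1, 3, 6, 12, 15, 42, 44, 46, 47]), 60: b"ExamplePrinter/1.0"}
    WINDOWS_OPTS = {55: bytes([1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252]),
                    60: b"MSFT 5.0"}
    PRINTER_PKT = build_dhcp_discover(bytes.fromhex("001122aabbcc"), PRINTER_OPTS)
    WINDOWS_PKT = build_dhcp_discover(bytes.fromhex("d4e5f6010203"), WINDOWS_OPTS)
    # A laptop whose dhclient config was edited to send the printer's option list.
    # Its MAC still differs here; spoof that too and the packets are byte-identical.
    SPOOFED_PKT = build_dhcp_discover(bytes.fromhex("d4e5f6010203"), PRINTER_OPTS)

    if __name__ == "__main__":
        for name, pkt in [("printer", PRINTER_PKT), ("windows", WINDOWS_PKT), ("spoofed", SPOOFED_PKT)]:
            print(name, classify(pkt))
    ```

    A device with a static IP never sends the DISCOVER, so there is nothing for this path to classify; that is the case where SNMP or another proactive method has to carry the profile. And because the spoofed packet lands in the same category as the real printer, the profile result should gate what the endpoint may reach (ACL or role), not replace authentication.
    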

  • 4.  RE: Mac authentication & Profiling

    Posted Jul 20, 2021 05:24 AM
    Thanks for the responses

  • 5.  RE: Mac authentication & Profiling

    Posted Jul 20, 2021 09:15 AM
    I don't like the use of Static Host Lists (SHL) and prefer to use an attribute in the endpoint repository. This way all endpoints are kept in one place. With SHLs, static MAC addresses can be configured in different SHLs at the same time, which can cause policy issues and management challenges.

    When using the endpoint repository there is always a single place of MAC address registration, and attributes can be used in the policy enforcements. Endpoint attributes can also be filled automatically with post-authentication actions based on (DHCP) profiling.

    See also the ClearPass Wired Policy Solution Guides

    Also see the Aruba youtube channel "ABC networking" with a lot of examples.

    Marcel Koedijk | MVP Guru 2021 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own

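    The SHL problem Marcel points at (one MAC in several lists, so policy depends on evaluation order) and the move to endpoint attributes, as an added example that is not part of this thread and not ClearPass code. It normalizes the MAC formats operators type into lists, reports every MAC that sits in more than one SHL, and builds the PATCH bodies for the endpoint repository from a per-list attribute mapping, refusing to write an endpoint whose lists disagree. The SHL export and the attribute mapping are constructed; the `/api/endpoint/mac-address/{mac}` path and the `attributes` field are taken from the ClearPass REST API as listed in the API Explorer (https://your-clearpass/api-docs), which you should check against your own version. Nothing here touches the network.

    ```python
    from __future__ import annotations

    import json
    import re
    from collections import defaultdict

    # Added example, not ClearPass code. Finds MACs present in more than one Static
    # Host List and converts SHL membership into endpoint-repository attributes.
    # ENDPOINT_PATH is the Endpoint service path from the ClearPass API Explorer;
    # verify it (and the "attributes" field) against your own server's /api-docs.
    ENDPOINT_PATH = "/api/endpoint/mac-address/{mac}"   # PATCH merges attributes

    # Constructed SHL export: list name -> members exactly as operators typed them.
    SAMPLE_SHLS: dict[str, list[str]] = {
        "Printers-HQ":    ["00:11:22:AA:BB:CC", "0011.22aa.bbdd"],
        "Printers-Site2": ["00-11-22-AA-BB-CC", "00:11:22:aa:bb:ee"],
        "Cameras":        ["0011.22aabbdd"],     # same MAC as Printers-HQ's second entry
    }

    # Constructed mapping: which endpoint attributes membership in each SHL should set.
    SHL_TO_ATTRS: dict[str, dict[str, str]] = {
        "Printers-HQ":    {"Device Class": "Printer", "Site": "HQ"},
        "Printers-Site2": {"Device Class": "Printer", "Site": "Site2"},
        "Cameras":        {"Device Class": "Camera"},
    }

    _HEX12 = re.compile(r"^[0-9a-f]{12}$")


    def normalize_mac(raw: str) -> str:
        """Accept colon, dash, dot or bare forms; return 12 lowercase hex digits."""
        mac = re.sub(r"[^0-9A-Fa-f]", "", raw).lower()
        if not _HEX12.match(mac):
            raise ValueError(f"bad MAC address: {raw!r}")
        return mac


    def shl_memberships(shls: dict[str, list[str]]) -> dict[str, list[str]]:
        """Map normalized MAC -> sorted names of every SHL it appears in."""
        seen: dict[str, set[str]] = defaultdict(set)
        for shl, members in shls.items():
            for raw in members:
                seen[normalize_mac(raw)].add(shl)
        return {mac: sorted(names) for mac, names in seen.items()}


    def conflicts(shls: dict[str, list[str]]) -> dict[str, list[str]]:
        """MACs that belong to more than one SHL; these are the policy-order hazards."""
        return {mac: names for mac, names in shl_memberships(shls).items() if len(names) > 1}


    def endpoint_patches(shls: dict[str, list[str]],
                         shl_to_attrs: dict[str, dict[str, str]]) -> list[tuple[str, str]]:
        """Build (path, json_body) PATCH calls; a MAC whose lists disagree on a value is skipped."""
        patches: list[tuple[str, str]] = []
        for mac, names in sorted(shl_memberships(shls).items()):
            merged: dict[str, str] = {}
            clash = False
            for name in names:
                for key, value in shl_to_attrs.get(name, {}).items():
                    if merged.get(key, value) != value:   # same key, different value
                        clash = True
                    merged[key] = value
            if clash or not merged:
                continue
            body = json.dumps({"mac_address": mac, "attributes": merged}, sort_keys=True)
            patches.append((ENDPOINT_PATH.format(mac=mac), body))
        return patches


    if __name__ == "__main__":
        for mac, names in conflicts(SAMPLE_SHLS).items():
            print(f"CONFLICT {mac}: in {', '.join(names)}")
        for path, body in endpoint_patches(SAMPLE_SHLS, SHL_TO_ATTRS):
            print("PATCH", path, body)
    ```

    Only the MAC that belongs to a single list produces a PATCH; the two overlapping ones are reported and left alone, which is the decision an operator has to make by hand before the lists are retired. The resulting attributes can then drive the enforcement policy directly, and a post-authentication profiling action can keep them current.
    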
  • 6.  RE: Mac authentication & Profiling

    Posted Jul 22, 2021 04:20 AM
    Thanks Derin for the doc !

    PowerArubaSW : Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP...

    PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...)

    PowerArubaCL: Powershell Module to use Aruba Central

    PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)..

    ACEP / ACMX #107 / ACDX #1281

  • 7.  RE: Mac authentication & Profiling

    Posted Jul 21, 2021 05:19 AM
    You can for IAP do the same profiling as you do for your other devices, like place unknown devices in a role/VLAN that can be used to profile the device, and trigger a re-authentication after profiling.

    For Instant AP, if you don't want to authenticate your clients on the switch port (as they are supposed to be authenticated on the AP, or Access Control is done on the AP), you will need to return a RADIUS attribute to switch the port to 'port mode' which just authenticates the AP, and leaves all other clients through transparently. The attribute needed is:
    Radius:Hewlett-Packard-Enterprise HPE-Port-MA-Port-Mode = Port-Based (1)

    The Wired Enforcement Solution Guide would be your first starting point to get profiling working. I agree that the use of Static Host Lists is deprecated as they are not so flexible and hard to troubleshoot. Putting attributes in the Endpoint Repository works as well, or better.

    Herman Robers
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.