Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Device with Apple fingerprints but no host mac vendor info

  • 1.  Device with Apple fingerprints but no host mac vendor info

    Posted 15 days ago
    Hi all

    I am seeing this particular behavior. A device was denied network access because it wasn't profiled correctly. When I checked the endpoint attributes, it has the fingerprints of an Apple iPhone but no Host MAC Vendor details. I did a check of the device MAC and it doesn't appear to belong to Apple.

    I have attached a comparison of a device profiled correctly as an Apple iPhone. Its DHCP Option 55 and Options match exactly the ones of the device that isn't profiled correctly.

    Is this something to do with Apple MAC randomization feature? If yes, is there anything that can be done on CPPM or is it a matter of asking the user to disable that feature?

    Thanks.

    ------------------------------
    Simon Lim
    ------------------------------




  • 2.  RE: Device with Apple fingerprints but no host mac vendor info

    Posted 15 days ago
    Looks like your device is doing MAC Address Randomization, which results in the MAC address used not being assigned to Apple. That feature is enabled by default in iOS and iPadOS 14 and Android 10. This in fact shows the power of profiling: it detects the device even without a registered MAC Address.

    Check this Technical Paper on MAC Address Randomization that was recently posted.

    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC.
    ------------------------------



  • 3.  RE: Device with Apple fingerprints but no host mac vendor info

    Posted 12 days ago
    Hi Herman

    Thanks for the reply. I have checked a few of those devices and the 2nd character of their MAC addresses is one of 2, 6, A or E. As CPPM is unable to profile them correctly without the MAC host vendor being correct, I suppose I have to create a separate condition to assign the role based on fingerprints? Or are there other methods? The customer is using AP-515 with VC.

    Thanks.

    ------------------------------
    Simon Lim
    ------------------------------



  • 4.  RE: Device with Apple fingerprints but no host mac vendor info
    Best Answer

    Posted 12 days ago
    Assigning the roles based on fingerprints is in most cases recommended over MAC prefix or vendor name, and with MAC randomization even more so, as the MAC can no longer be used for profiling. In ClearPass the MAC in most cases is not used in profiling. In recent versions, some fingerprints have been added that do check the MAC range, like for Amazon Kindle (eBook) and Amazon Echo (Voice Assistant), where the fingerprint is exactly the same. With a randomized MAC for those devices, there is just no way to know which of the two it is, and the device will be classified as one of those.

    ClearPass Device Insight can add traffic information on top of the existing profiling methods like DHCP, SNMP, etc, so then you can more reliably profile devices relying even less on the MAC address.

    Here is a video on how to configure a ClearPass role using the ClearPass Profiling data. It is for wired, but it applies similarly to wireless.

    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC.
    ------------------------------
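The two points raised in posts 3 and 4 (the "2, 6, A or E" second hex digit that marks a randomized MAC, and assigning the role from the fingerprint rather than from the MAC vendor) as an added worked example. This is illustration code written for this thread, not ClearPass code and not Aruba's profiling logic; the DHCP Option 55 values, the OUI tiebreaker table, the sample endpoint records and the role names are all constructed for the example.

```python
"""Added example (not ClearPass code): tell a randomized MAC from a vendor-assigned
one, and assign a role from the DHCP fingerprint first, using the MAC vendor only
as a tiebreaker when the MAC is globally unique."""
from __future__ import annotations

import re

_HEX_PAIR = r"[0-9a-f]{2}"
_MAC_RE = re.compile(rf"^{_HEX_PAIR}([:-]?{_HEX_PAIR}){{5}}$")


def parse_mac(mac: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabbccddeeff; return the 6 octets."""
    s = mac.strip().lower()
    if not _MAC_RE.match(s):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(re.sub(r"[:-]", "", s))


def is_locally_administered(mac: str) -> bool:
    """U/L bit = bit 1 of the first octet. Set means locally administered, which is
    what OS-level MAC randomization produces; it is exactly why the second hex
    digit of such addresses is 2, 6, A or E. No vendor (OUI) lookup applies to them."""
    return bool(parse_mac(mac)[0] & 0x02)


def oui(mac: str) -> str:
    """First three octets, lower-case, colon separated (the part a vendor lookup keys on)."""
    return parse_mac(mac)[:3].hex(":")


# Constructed fingerprint table: DHCP Option 55 (parameter request list) -> device
# names it can resolve to. More than one name means the fingerprint alone is
# ambiguous, as the thread describes for Kindle vs. Echo. Values are made up.
FINGERPRINTS = {
    "1,121,3,6,15,119,252": ["Apple iPhone"],
    "1,3,6,12,15,28,42": ["Amazon Kindle", "Amazon Echo"],
}
# Constructed OUI tiebreakers: placeholder prefixes, not taken from the IEEE registry.
OUI_HINTS = {"10:20:30": "Amazon Echo", "40:50:60": "Amazon Kindle"}
# Constructed role names for the enforcement policy.
ROLE_BY_DEVICE = {"Apple iPhone": "byod-mobile", "Amazon Kindle": "iot-reader", "Amazon Echo": "iot-voice"}


def assign_role(endpoint: dict) -> tuple[str, str]:
    """Return (role, reason). The fingerprint decides; the MAC vendor is only a
    tiebreaker, and only when the MAC is globally unique, because a randomized MAC
    carries no vendor information at all."""
    mac = endpoint["mac"]
    candidates = FINGERPRINTS.get(endpoint.get("dhcp_option55", ""), [])
    if not candidates:
        return "unknown-device", "no fingerprint match"
    if len(candidates) == 1:
        return ROLE_BY_DEVICE[candidates[0]], "fingerprint"
    if is_locally_administered(mac):
        # Ambiguous fingerprint and no usable OUI: do not guess, hand out a restricted role.
        return "restricted-ambiguous", "ambiguous fingerprint and randomized MAC"
    hinted = OUI_HINTS.get(oui(mac))
    if hinted in candidates:
        return ROLE_BY_DEVICE[hinted], "fingerprint + MAC vendor tiebreak"
    return "restricted-ambiguous", "ambiguous fingerprint, unknown OUI"


# Constructed endpoint records shaped like the attributes discussed in the thread.
# The first MAC's OUI is assumed to be an Apple prefix for illustration only.
SAMPLE_ENDPOINTS = [
    {"mac": "3c:22:fb:12:34:56", "dhcp_option55": "1,121,3,6,15,119,252", "host_mac_vendor": "Apple, Inc."},
    {"mac": "5e:4a:91:ab:cd:ef", "dhcp_option55": "1,121,3,6,15,119,252", "host_mac_vendor": ""},
    {"mac": "62:4a:91:ab:cd:ef", "dhcp_option55": "1,3,6,12,15,28,42", "host_mac_vendor": ""},
    {"mac": "10:20:30:00:00:01", "dhcp_option55": "1,3,6,12,15,28,42", "host_mac_vendor": "placeholder"},
]

if __name__ == "__main__":
    for ep in SAMPLE_ENDPOINTS:
        role, why = assign_role(ep)
        flag = "randomized" if is_locally_administered(ep["mac"]) else "vendor-assigned"
        print(f"{ep['mac']}  {flag:15}  {role:20}  ({why})")
```

Both iPhone records get the same role even though only one of them has a Host MAC Vendor, which is the behaviour the best answer recommends; the Kindle/Echo pair shows the one case where a randomized MAC genuinely loses information, and the policy falls back to a restricted role rather than guessing.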



  • 5.  RE: Device with Apple fingerprints but no host mac vendor info

    Posted 11 days ago
    Thanks for the advice, Herman.

    ------------------------------
    Simon Lim
    ------------------------------