Security

last person joined: 2 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

AD profiling

  • 1.  AD profiling

    Posted Mar 06, 2019 04:16 PM
    Hi , I have a customer requirement.
    DHCP fingerprinting is used which returns vendor , device category .os version etc.

    The requirement is to have a fqdn in the profiling to see whether it's a domain machine or external machine when both internal and external hit the mab rule .

    For valid internal user having machine certificates it will go for eap TLS

    But if cert expired or corrupted , and internal user hit mab , how profiling segrgate it from an external user who also hit mab rule

    The profiling method is DHCP.
    I checked on Cisco ise which also has option of AD fingerprinting to get domain attribute .just checking if possible in cppm



  • 2.  RE: AD profiling

    Posted Mar 06, 2019 04:39 PM
    Based on the number of related questions lately, I would highly recommend you work with a partner on your deployment.


  • 3.  RE: AD profiling

    Posted Mar 06, 2019 06:54 PM
    Hi Tim, we are in initial stage of discussion with customer.customer is more inclined to cppm than ise but has few requirement. We will work with partner definitely once we start poc . And having domain attribute or fqdn in access tracker or endpoint profiler is one requirement and we are thinking how we achieve this for mab authenticate s laptops (guests)


  • 4.  RE: AD profiling

    Posted Mar 07, 2019 03:24 AM

    One possible way to achieve this would be to update the endpoint in the endpoint database with an attribute that indicates AD membership. You could do that on a computer authentication, or if you control the TLS well enough on the TLS user authentication as well. When a MAC auth request comes in, you can return the service VLAN for those machines that have the attribute set, so they can sync from there to the AD/PKI, or even do a PXE boot to reimage the client.