Security

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Profiling queries

  • 1.  Profiling queries

    Posted Mar 05, 2019 05:45 PM
    I have two questions:
    For one of our customers, we have proposed DHCP profiling.

    1) Can we see the port number of the switch in DHCP profiling? I know we can see device family, vendor and OS, but is there any way to see the port number in any of the profiling? This will help to make an audit easy.


    2) I have two users who both have identical HP laptops. One user is an internal domain user but has an expired certificate, and the other user is an external user with no certificate.

    The authentication order/priority is dot1x and then MAB, and we are currently using open mode.

    So dot1x will fail for both, as the internal user has an expired certificate and the external user has no certificate, and both will authenticate via MAB. And DHCP profiling will show both as HP laptop users.

    Now the requirement is how to identify, on the basis of this, who is an internal user and who is external.

    The customer has a large user base.
    Is there any domain name attribute which profiling can use to segregate a domain-internal user from an external one?

    From a MAB point of view both look the same, but during audit analysis, if we have to segregate them, how do we achieve it?

    Here IT does not have a list of MAC addresses of the laptops of internal users. Is there any other profiling method which can dig out the domain attribute of a MAB internal user?


  • 2.  RE: Profiling queries

    Posted Mar 05, 2019 05:55 PM
    1. No
    2. Use machine certificates to identify managed assets. MAC Auth should only be used for headless/IoT devices and guests.


  • 3.  RE: Profiling queries

    Posted Mar 05, 2019 06:58 PM
    Hello Tim, you mean to say that in addition to DHCP profiling, where we are identifying both as laptop users, we also do the machine certificate check and identify devices/endpoints on the basis of certificates? Which profiling method covers this? Also, MAC authentication is being used for printers, scanners and IP phones because of open mode, but later we won't use MAB for laptops.


  • 4.  RE: Profiling queries

    Posted Mar 05, 2019 07:00 PM
    Profiling is to determine device type, not determine a user or machine's identity.


  • 5.  RE: Profiling queries

    Posted Mar 05, 2019 07:08 PM
    Yeah, but I am trying to understand what you mean by saying that we have to identify on the basis of machine certificates for managed assets.

    Once dot1x fails for both internal and external machines, both will use MAB. So which option will further check, or help in determining, the machine certificate check?


  • 6.  RE: Profiling queries

    Posted Mar 06, 2019 04:46 AM

    Hi Tim,

    Waiting for your reply.



  • 7.  RE: Profiling queries

    Posted Mar 06, 2019 05:33 PM

    Like Tim explained, you can't use profiling to validate or check a certificate on a particular device.

    To check or validate a certificate on a machine you need to configure OCSP or CRL; OCSP is more effective.

    https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ocsp/5792b4c4-c6ba-439a-9c2a-52867d12fb66



  • 8.  RE: Profiling queries

    Posted Mar 06, 2019 05:37 PM

    Hi Victor, I don't want to validate the certificate.

    The requirement is to see if, for a machine discovered as a laptop by DHCP profiling, we can see the domain attribute of the machine, or any way to see the FQDN of the machine.



  • 9.  RE: Profiling queries

    Posted Mar 06, 2019 05:40 PM
    No. This is not a valid workflow.


  • 10.  RE: Profiling queries

    Posted Mar 07, 2019 12:32 AM

    Why do you need the FQDN?

    To my understanding, you need to separate internal devices with an expired certificate from external devices, is this correct?

    If this is correct, the device was successfully authenticated before (before the certificate expired). Would it be possible to use the endpoint database and insert a new attribute, e.g. internal (with just true and false as values), and each time a MAC address is authenticated successfully with a certificate you set this attribute to true?

    If the device comes back with an expired certificate you just check this attribute, and if the attribute is true, you know it is an internal device.

    Just my 2 cents :)

    My recommendation would be to protect the guest network with a captive portal, and if an internal user enters his AD (I assume you use Active Directory) credentials he gets online to renew the expired certificate.
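The "internal" attribute workflow suggested above, as an added example that is not part of the thread or of ClearPass itself: a small Python replay of authentication events against a stand-in endpoint database, where a valid EAP-TLS login tags the MAC and a later MAB fallback is classified from that tag. The AuthEvent and EndpointRepo classes, the attribute name internal and the sample events are all constructed for this illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class AuthEvent:
    """One authentication attempt seen by the policy server (constructed, not a real log)."""
    mac: str
    method: str                        # "EAP-TLS" (dot1x) or "MAB"
    cert_status: Optional[str] = None  # "valid"/"expired" for EAP-TLS, None for MAB

class EndpointRepo:
    """Stand-in for the endpoint database, keyed by normalised MAC."""
    def __init__(self) -> None:
        self._attrs: Dict[str, Dict[str, str]] = {}

    def set_attr(self, mac: str, key: str, value: str) -> None:
        self._attrs.setdefault(mac, {})[key] = value

    def get_attr(self, mac: str, key: str) -> Optional[str]:
        return self._attrs.get(mac, {}).get(key)

def normalise_mac(mac: str) -> str:
    # Switches report MACs in mixed formats; collapse to one key per device.
    return "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")

def classify(events: List[AuthEvent], repo: EndpointRepo) -> List[Tuple[str, str]]:
    """Replay events in order; return (mac, decision) pairs and update the repo."""
    decisions: List[Tuple[str, str]] = []
    for ev in events:
        mac = normalise_mac(ev.mac)
        if ev.method == "EAP-TLS" and ev.cert_status == "valid":
            # Successful machine-certificate login: remember this MAC as a managed asset.
            repo.set_attr(mac, "internal", "true")
            decisions.append((mac, "corporate"))
        elif ev.method == "MAB":
            # dot1x failed (expired or missing cert) and the switch fell back to MAB.
            # This keys on the MAC alone, so it is an audit aid, not proof of identity.
            known = repo.get_attr(mac, "internal") == "true"
            decisions.append((mac, "internal-expired-cert" if known else "external"))
        else:
            decisions.append((mac, "reject"))
    return decisions

SAMPLE_EVENTS = [  # constructed sequence for the two HP laptops in the thread
    AuthEvent("AA:BB:CC:11:22:33", "EAP-TLS", "valid"),    # internal laptop, cert still valid
    AuthEvent("aa-bb-cc-11-22-33", "EAP-TLS", "expired"),  # same laptop later, dot1x fails
    AuthEvent("aa:bb:cc:11:22:33", "MAB"),                 # switch falls back to MAB
    AuthEvent("DD:EE:FF:44:55:66", "MAB"),                 # external laptop, never had a cert
]
```

Running `classify(SAMPLE_EVENTS, EndpointRepo())` shows the two laptops, which DHCP profiling alone reports identically, separated by whether the MAC ever completed a certificate login.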