Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass - Configuration for device visibility

  • 1.  ClearPass - Configuration for device visibility

    Posted Aug 23, 2024 08:20 AM

    Hi community,

    I want to configure a service in ClearPass to have visibility of all the devices my customer has. I don't want to authenticate them right now, I only want to see what he has, and then I will create another service to block unauthorized devices. Because many of them are printers, phones, etc. and don't authenticate, I don't know what to put for Authentication Methods, Authentication Sources and Authorization Source, since they are mandatory fields. I have just tested with Authentication Source = [Local User Repository] and Authorization Source = [Endpoints Repository]. With this, ClearPass rejects and shows this:

    Any idea?



    ------------------------------
    Regards,
    Julian
    ------------------------------


  • 2.  RE: ClearPass - Configuration for device visibility
    Best Answer

    Posted Aug 23, 2024 08:40 AM

    Hi Julian

    To just get an inventory of the equipment you can configure IP Helper on all client VLANs instead. This way you will get all the devices profiled in the Endpoints Repository. In this case you don't need to configure authentication on switches.

    If you have MAC authentication enabled in the network infrastructure you can create a MAC authentication service with the authentication method [Allow All MAC AUTH] and just accept all devices. Put Endpoints repository as authentication source.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 3.  RE: ClearPass - Configuration for device visibility

    Posted Aug 23, 2024 09:55 AM

    In addition to the suggestion to start with passive profiling (DHCP, etc.) first, I would in such a case enable MAC authentication, then create a service with [Allow All MAC], and Endpoint Repository as the authentication source.

    For getting the most out of visibility, your Aruba partner can get a guide on Arubapedia for Partners (Search for: ClearPass Visibility), which is fully focused on visibility without authentication.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------