Security

 View Only
  • 1.  Clearpass endpoint NAC hostname ....?

    Posted Apr 21, 2024 11:39 AM

    Hello,

    we now working on organize the PC name and printer name in our the network, we create NAC policy in Clearpass to only give Vlan if the name is correct it work fine.

    My problem is the endpoint hostname don't change immediately if they fix the name or change it, so the endpoint take the correct Vlan, 

    we need to delete from the Clearpass or scan them to work is there a anyway to update them immediately  Automatically ??

    Thank you



  • 2.  RE: Clearpass endpoint NAC hostname ....?

    Posted Apr 24, 2024 01:01 PM

    It depends where you get the hostname from. If it is from DHCP, the client may need to do a new DHCP and a CoA port-bounce (wired) can assist with that from the ClearPass side. Un/replug the cable (for a printer) twice may mork as well. If you get the hostname from a different source, that may be different.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: Clearpass endpoint NAC hostname ....?

    Posted Apr 25, 2024 02:12 AM

    Hello Herman,

    About the hostname, I mean when changing locally in the device PC or Printer when will be updated in the clearpass ?? 

    Thank you




  • 4.  RE: Clearpass endpoint NAC hostname ....?

    Posted Apr 25, 2024 02:47 AM

    Hi

    It depends on what attribute you are comparing when you evaluate the hostname of the host.

    If it's the username sent during the autentication you should get the correct value. At least as long as the computer has an updated certificate with the new hostname. The forst line in the example above.

    On the other hand, if you have a check in the Endpoints repository for the saved hostname, second rule in the picture above, it will still be the old information during the first authentication. Thats because the information in Endpoints repository is updated during the authentication and also by default have a 300 seconds cache.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 5.  RE: Clearpass endpoint NAC hostname ....?

    Posted Apr 25, 2024 03:27 AM

    Hello jonas.hammarback,

    So every time during the authentication the hostname will be updated correct ??, I checked in the Endpoints repository the Cache Timeout: is 0 is this by default ???  we don't change it

    Thank you 




  • 6.  RE: Clearpass endpoint NAC hostname ....?

    Posted Apr 25, 2024 05:00 AM

    Are you doing (only) MAC Authentication on your network?

    Are you using the hostname from the Endpoints Repository? That is either Endpoint:Hostname, or Authorization:[Endpoints Repository]:Hostname

    That information is NOT changed during authentication. If you did not do anything special, that hostname is learned from DHCP through DHCP relay/ip-helper to your ClearPass. The DHCP happens after the authentication and requires some form of network access (so you can't reject access), and you can force/trigger a DHCP by bouncing the switch port (on wired networks); but just be aware that if the hostname on a device is changed, in the first re-authentication/port-bounce there has not been a new DHCP, so it's expected that you see the old name; then the DHCP may update the hostname and then you may need an additional re-authentication. Please work with your Aruba partner or TAC, as it may be hard to understand what's going on without a full overview of your network and setup. It's just guessing for me what you may be doing.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 7.  RE: Clearpass endpoint NAC hostname ....?

    Posted Apr 28, 2024 01:27 AM

    Hello Herman,

    We will test the hostname when will is changed in cppm.

    about your question 

    are you doing (only) MAC Authentication on your network? 

    No, both MAC Authentication and 

    Are you using the hostname from the Endpoints Repository?

    yes for some devices like printers and active directories for PC

    The authentication works Like this:

    • The first time PC connects check the hostname: 
      • if not correct don't give any IP.
      • if correct go to untrust Vlan to join the PC to the domain, after that bounce to the correct Vlan.
    • The first time for any other device  not PC:
      • go to untrust Vlan, after that bounce to the correct Vlan.

    Thank you




  • 8.  RE: Clearpass endpoint NAC hostname ....?
    Best Answer

    Posted May 02, 2024 08:13 AM

    The first time a device connects, you don't have information like the device type (PC or not) or the hostname. Also if you block all access, ClearPass will not be updated with profiling information like device type and hostname. So make sure that you never deny all access, but allow enough to get updated profiling information in, or a device will be stuck in a blocked situation forever.

    It may be good to go through the process and all conditions together with your Aruba partner or TAC.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 9.  RE: Clearpass endpoint NAC hostname ....?

    Posted May 07, 2024 09:00 AM

    Hello,

    sorry for the late replay, yes like you say I need to allow enough to get updated profiling information in, the idea was we didn't want to add the PC to the ad domain only if has the correct name, because there are multiple PCs with different name but they same PC.

    Thank you