Original Message:
Sent: May 02, 2024 08:13 AM
From: Herman Robers
Subject: Clearpass endpoint NAC hostname ....?
The first time a device connects, you don't have information like the device type (PC or not) or the hostname. Also if you block all access, ClearPass will not be updated with profiling information like device type and hostname. So make sure that you never deny all access, but allow enough to get updated profiling information in, or a device will be stuck in a blocked situation forever.
It may be good to go through the process and all conditions together with your Aruba partner or TAC.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Apr 28, 2024 01:26 AM
From: MohammadH
Subject: Clearpass endpoint NAC hostname ....?
Hello Herman,
We will test the hostname when it is changed in CPPM.
About your questions:
are you doing (only) MAC Authentication on your network?
No, both MAC Authentication and
Are you using the hostname from the Endpoints Repository?
Yes, for some devices like printers, and Active Directory for PCs.
The authentication works like this:
- The first time a PC connects, check the hostname:
  - If not correct, don't give any IP.
  - If correct, go to the untrust VLAN to join the PC to the domain; after that, bounce to the correct VLAN.
- The first time for any other device that is not a PC:
  - Go to the untrust VLAN; after that, bounce to the correct VLAN.
Thank you
Original Message:
Sent: Apr 25, 2024 05:00 AM
From: Herman Robers
Subject: Clearpass endpoint NAC hostname ....?
Are you doing (only) MAC Authentication on your network?
Are you using the hostname from the Endpoints Repository? That is either Endpoint:Hostname, or Authorization:[Endpoints Repository]:Hostname
That information is NOT changed during authentication. If you did not do anything special, that hostname is learned from DHCP through DHCP relay/ip-helper to your ClearPass. The DHCP happens after the authentication and requires some form of network access (so you can't reject access), and you can force/trigger a DHCP by bouncing the switch port (on wired networks); but just be aware that if the hostname on a device is changed, in the first re-authentication/port-bounce there has not been a new DHCP, so it's expected that you see the old name; then the DHCP may update the hostname and then you may need an additional re-authentication. Please work with your Aruba partner or TAC, as it may be hard to understand what's going on without a full overview of your network and setup. It's just guessing for me what you may be doing.
------------------------------
Herman Robers
------------------------
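Added example, not part of the thread and not ClearPass code: a simplified Python model of the sequence described in the message above (policy evaluated against the stored hostname, DHCP profiling only after some access is granted), which also shows the "stuck in a blocked situation" case from the May 02 reply. The `PC-` naming rule, the role names and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Endpoint:
    device_hostname: str                 # name currently configured on the device
    repo_hostname: Optional[str] = None  # name stored in the endpoint repository


def name_ok(name: Optional[str]) -> bool:
    # Hypothetical naming convention; substitute your own rule.
    return name is not None and name.startswith("PC-")


def authenticate(ep: Endpoint, deny_on_bad_name: bool) -> str:
    # The policy only sees the STORED hostname, never the live one.
    if name_ok(ep.repo_hostname):
        return "corp-vlan"
    return "deny" if deny_on_bad_name else "untrust-vlan"


def dhcp_profile(ep: Endpoint, role: str) -> None:
    # DHCP happens after authentication and needs some network access,
    # so a denied endpoint never delivers its new hostname.
    if role != "deny":
        ep.repo_hostname = ep.device_hostname


def reauth_cycles(ep: Endpoint, deny_on_bad_name: bool, max_cycles: int = 5) -> list:
    """Roles assigned over successive re-authentications / port bounces."""
    roles = []
    for _ in range(max_cycles):
        role = authenticate(ep, deny_on_bad_name)
        roles.append(role)
        if role == "corp-vlan":
            break
        dhcp_profile(ep, role)  # profiling update arrives between cycles
    return roles


if __name__ == "__main__":
    # Constructed sample: a device renamed from DESKTOP-OLD to PC-0042.
    for deny in (False, True):
        ep = Endpoint(device_hostname="PC-0042", repo_hostname="DESKTOP-OLD")
        print("deny_on_bad_name =", deny, "->", reauth_cycles(ep, deny), ep.repo_hostname)
```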
Original Message:
Sent: Apr 25, 2024 03:26 AM
From: MohammadH
Subject: Clearpass endpoint NAC hostname ....?
Hello jonas.hammarback,
So every time during the authentication the hostname will be updated, correct? I checked in the Endpoints repository: the Cache Timeout is 0. Is this the default? We did not change it.
Thank you
Original Message:
Sent: Apr 25, 2024 02:46 AM
From: jonas.hammarback
Subject: Clearpass endpoint NAC hostname ....?
Hi
It depends on what attribute you are comparing when you evaluate the hostname of the host.
If it's the username sent during the authentication you should get the correct value. At least as long as the computer has an updated certificate with the new hostname. The first line in the example above.
On the other hand, if you have a check in the Endpoints repository for the saved hostname, second rule in the picture above, it will still be the old information during the first authentication. That's because the information in Endpoints repository is updated during the authentication and also by default has a 300 seconds cache.
------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
Original Message:
Sent: Apr 25, 2024 02:12 AM
From: MohammadH
Subject: Clearpass endpoint NAC hostname ....?
Hello Herman,
About the hostname, I mean: when it is changed locally on the device (PC or printer), when will it be updated in ClearPass?
Thank you
Original Message:
Sent: Apr 24, 2024 01:00 PM
From: Herman Robers
Subject: Clearpass endpoint NAC hostname ....?
It depends where you get the hostname from. If it is from DHCP, the client may need to do a new DHCP and a CoA port-bounce (wired) can assist with that from the ClearPass side. Un/replugging the cable (for a printer) twice may work as well. If you get the hostname from a different source, that may be different.
------------------------------
Herman Robers
------------------------
Original Message:
Sent: Apr 21, 2024 11:39 AM
From: MohammadH
Subject: Clearpass endpoint NAC hostname ....?
Hello,
We are now working on organizing the PC names and printer names in our network. We created a NAC policy in ClearPass to only give a VLAN if the name is correct, and it works fine.
My problem is that the endpoint hostname doesn't change immediately if they fix the name or change it, so that the endpoint takes the correct VLAN.
We need to delete them from ClearPass or scan them for it to work. Is there any way to update them immediately and automatically?
Thank you