Security

  • 1.  Clearpass endpoint profile conflicts

    Posted Aug 15, 2019 01:11 PM

    I'm working on correcting and improving our 802.1x/MAB system and encountered a curious issue. In looking at the endpoint database and checking for conflicts, I found a fair number of devices showing as having reported profile conflicts (about 7%)! Digging into them, it seems that at some point a number of devices were profiled with Device Category: SmartDevice, Device OS Family: Apple, Device Name: Apple iPhone. This either shows as their first profiling (and the correct profile information being the conflict), or at some point later (with the Apple data showing as the conflict).

     

    The only thing that I can think of as being related is that it looks like many of these have connected to our guest network at some point, using Clearpass Guest for the captive portal and Mobility Access Controllers for the wifi. The DHCP, Mobility Controller, and Clearpass are the same as for the corporate access, and I'm not seeing any obvious red-flags at the moment. On a related note, is there a particular log that shows when a new conflict arises? It would make it easier to try to track down specifically what's happening to cause a conflict.



  • 2.  RE: Clearpass endpoint profile conflicts

    Posted Aug 19, 2019 02:05 PM

    What version of ClearPass are you running? If you are on 6.8.1, I suggest you install the 6.8.1 patch, which includes fixes relating to profiling conflicts.



  • 3.  RE: Clearpass endpoint profile conflicts

    Posted Aug 19, 2019 02:08 PM

    It is indeed 6.8.1. I'll pull the update and schedule a time to push it to the cluster. I'll let you know if that resolves it, thank you!



  • 4.  RE: Clearpass endpoint profile conflicts

    Posted Aug 19, 2019 02:57 PM

    FWIW, this will not revert those conflicts, only fix an issue that may have caused them in the first place.



  • 5.  RE: Clearpass endpoint profile conflicts

    Posted Aug 19, 2019 03:07 PM

    Appreciated. Fortunately, we're not in a full enforcement state yet, and I've been working on using profiling for initial inventory before we move to enforcement, so I should be able to just delete most of the conflicted devices and have them re-inventory. Thank you for that!