Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass Endpoint Profiler

  • 1.  Clearpass Endpoint Profiler

    Posted Jan 19, 2023 09:00 PM
    Hello, I have set up a policy to deny all laptops wireless access through the rule below.


    However, I found that a few laptops were allowed a wireless connection, and the devices were not getting information through Endpoint Profiler.

    When I looked at the endpoint profiler of devices that were connected wirelessly, I was unable to receive information.

    Is it a problem with the Clearpass setting that Clearpass cannot receive endpoint information?
    Or is it an endpoint configuration problem?

    If anyone knows, please leave a comment.


  • 2.  RE: Clearpass Endpoint Profiler

    EMPLOYEE
    Posted Jan 20, 2023 01:21 AM
    At minimum, ClearPass should see the DHCP requests of devices, and for that you can use ip-helper commands on the default gateway to also send the DHCP request to the IP address of ClearPass. ClearPass will not respond to it, but it needs to see the request.

    Is that configured on the default gateway/switch for the various VLANs?

    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------
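
Added example (not part of the original posts, and not ClearPass code): a minimal Python parser showing what a passive profiler can read from one DHCP request relayed by an ip-helper. The sample packet, MAC address, hostname and relay address are constructed for illustration.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of DHCP options (RFC 2131)

def parse_dhcp(payload: bytes) -> dict:
    """Return the fields a passive profiler can read from one DHCP message."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    hlen = min(payload[2], 16)
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:    # 255 = end option
        code = payload[i]
        if code == 0:                                # pad option, no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        opts[code] = value
        i += 2 + length

    def text(code: int) -> str:
        return opts.get(code, b"").decode("ascii", "replace")

    return {
        "mac": payload[28:28 + hlen].hex(":"),           # chaddr
        "relay": ".".join(map(str, payload[24:28])),     # giaddr, set by the relay
        "msg_type": opts[53][0] if opts.get(53) else None,
        "hostname": text(12),
        "vendor_class": text(60),
        "param_request_list": list(opts.get(55, b"")),   # option 55, order matters
    }

def build_sample_request() -> bytes:
    """Constructed DHCPREQUEST, shaped as a relay would forward it."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 1, 0x1234ABCD, 0, 0,    # op, htype, hlen, hops, xid, secs, flags
        bytes(4), bytes(4), bytes(4),    # ciaddr, yiaddr, siaddr
        bytes([192, 0, 2, 1]),           # giaddr (documentation address)
        bytes.fromhex("021122334455"), bytes(64), bytes(128))
    options = b"".join(bytes([c, len(v)]) + v for c, v in [
        (53, b"\x03"), (12, b"LAPTOP-01"), (60, b"MSFT 5.0"),
        (55, bytes([1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252]))])
    return header + MAGIC_COOKIE + options + b"\xff"

if __name__ == "__main__":
    print(parse_dhcp(build_sample_request()))
```

A client with a static address never sends this message, so DHCP relay alone gives a profiler nothing for it.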



  • 3.  RE: Clearpass Endpoint Profiler

    Posted Jan 20, 2023 10:42 AM
    What is your wireless NAD? Do you have RADIUS device profiling or IF-MAP enabled?


  • 4.  RE: Clearpass Endpoint Profiler

    Posted Jan 26, 2023 02:56 AM
    It is not possible to profile all endpoints.

    Most of the endpoint information is retrieved, but the information of a few specific devices cannot be retrieved.

    Looking at the Access Tracker, I found the following information:

    Failed to get value for attributes=[Category, Device Name, OS Family]

    Is the problem solvable with the solution you replied to?

    I'm new to the network and Aruba so I don't fully understand your replies. Sorry



  • 5.  RE: Clearpass Endpoint Profiler

    Posted Jan 26, 2023 07:45 AM
    Are these clients DHCP or static?  What method(s) are you using to get the profiling data into ClearPass?


  • 6.  RE: Clearpass Endpoint Profiler

    EMPLOYEE
    Posted Jan 26, 2023 12:06 PM
    The message:
    Failed to get value for attributes=[Category, Device Name, OS Family]
    means that you authenticate a client which has not been profiled. This video may help you to set up the ip-helpers/DHCP relay for profiling.

    If you are new to Aruba, I would recommend working with your Aruba partner. Setting up a good ClearPass deployment is not something that you can easily do without training, and there are multiple 5-day trainings out there to get you up to speed.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 7.  RE: Clearpass Endpoint Profiler

    Posted Jan 29, 2023 07:44 PM
    I fixed the problem by sending DHCP to Clearpass through the Controller's IP-helper function.

    If so, how can we find out how the Endpoint Profiles collected before configuring the IP-helper were collected?


  • 8.  RE: Clearpass Endpoint Profiler

    EMPLOYEE
    Posted Jan 31, 2023 08:53 AM
    Not sure about your question.

    DHCP profiles are added to the endpoint, and may change the device category/name/type once they come in. There is no real 'before', except that at that point there probably was no profiling information.

    ------------------------------
    Herman Robers
    ------------------------------