Security

 View Only
  • 1.  Clearpass Endpoint/Insight query

    Posted Jun 20, 2017 08:53 AM

    Hi,

     

    We are trying to use Clearpass Endpoint database with Insight to report on wired devices as they connect to the network.

     

    We have configured the SVI on the switch (ip helper) to forward the DHCP discover packet to Clearpass. We see devices successfully added to the Endpoint database with the respective host, NAD IP and NAD Port.

     

    What we would like to do, on a daily basis, is report on devices connected to the respective NAD IP/NAD Port based on the DHCP discover packet sent to Clearpass. Some devices will always remain on the same switchport, whilst others may have initally been added to the Endpoint database on one switchport only for this to change the next day.

     

    The issue I am experiencing is that when I try to run a report in Insight based on 'Endpoint Overview', I do not see the device in the report beyond the date it was initially added to the Endpoint database. I'm not sure if this is by design as I can't find any documentation to support this?

     

    To be clear, what I was hoping to see and do is the below, is this even possible?

     

    - Device is connected to the network via a wired port

    - DHCP discover is forwarded to Clearpass and Clearpass profiles the device using a DHCP fingerprint or NMAP

    - Device is added to Endpoint database

    - For each day I would like to run a report from Insight to show the devices connected to each NAD IP (based on a filter on the report in Insight)

    - For existing devices the port may remain the same or may be updated if the device appears elsewhere in the network

     

    Currently, I can only report on a device based on the date is was first added to the Endpoint database.

     

    Hope this makes sense?



  • 2.  RE: Clearpass Endpoint/Insight query

    Posted Jun 20, 2017 09:09 AM
    Are you actually doing any authentication/authorization? DHCP packets do not contain switch/port information.


  • 3.  RE: Clearpass Endpoint/Insight query

    Posted Jun 20, 2017 09:22 AM
      |   view attached

    Hi Tim,

     

    No, no auth or authorisation. 

     

    Appreciate that there is no switchport information contained in the DHCP packets. I believe this is associated with the endpoint through network discovery as we see this in the record for the endpoint (see attached).

     

    I'd like to report on the devices as they are added or updated on a daily basis if possible.



  • 4.  RE: Clearpass Endpoint/Insight query

    Posted Jun 20, 2017 10:56 AM

    The information is available in the CSV data dump attached to the report.

     

    Be sure to add the NAD IP and port columns.



  • 5.  RE: Clearpass Endpoint/Insight query

    Posted Jun 20, 2017 11:03 AM

    Hi Tim,

     

    I've been able to do that. The issue I am currently seeing is this.

     

    - Let's say the device was added as an Endpoint yesterday (19/06)

    - I have a report configured that is using a filter for the NAD IP that the device is associated with

    - The device has been connected again to the network today (20/06)

     

    If I run the same report with a date of the 20/06 the device does not show up. If I alter the date range too include 19/06 the device does show up in the report. It's almost as if the device will only show in the report for the date it was added to CPPM, not when it was last updated. 



  • 6.  RE: Clearpass Endpoint/Insight query

    Posted Jun 20, 2017 11:04 AM
    If nothing has changed, the endpoint won’t be updated in Insight.

    Has anything changed with the endpoint?


  • 7.  RE: Clearpass Endpoint/Insight query

    Posted Jun 20, 2017 11:15 AM

    No, nothing would change unless the device connected to a different switchport.

     

    I think you have answered my question in that the device would not show up in any future report unless an attribute of the device changed e.g. there was an IP address change (unlikely given the configuration of the DHCP scope lease time) or a change in switchport association.

     

    I was hoping that because Clearpass saw the DHCP packet each day, that the Endpoint would show up as connected. I guess we are trying to use Clearpass for something it was not designed for, which is a daily view of devices connected to the switches (NADs).



  • 8.  RE: Clearpass Endpoint/Insight query

    Posted Jun 20, 2017 11:31 AM

    Connected is based on RADIUS accounting.

    Why not just enable basic MAC Authentication your switches with allow all? There would be no impact to end users.



  • 9.  RE: Clearpass Endpoint/Insight query

    Posted Jun 21, 2017 03:33 AM

    Thanks Tim, it is good to understand that for the Endpoint to be updated it requires a change. I'll look into your suggestion regarding the Mac authentication. We are an organisation with 1000's of switches so will take the time to explore the options we have regarding this. Thanks for your feedback.