Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Collect fingerprinting on vlan that don't have DHCP relay

  • 1.  Collect fingerprinting on vlan that don't have DHCP relay

    Posted Sep 03, 2024 05:12 AM

    Hi all.

    I have deployed Clearpass in the network.

    I want to collect fingerprinting but not all VLANs have a relay on the gateway.

    Some of them get DHCP from the gateway (Fortigate).

    What is the best solution for getting those fingerprints in my case?



    ------------------------------
    Best regards,
    Alon Haber
    ------------------------------


  • 2.  RE: Collect fingerprinting on vlan that don't have DHCP relay

    EMPLOYEE
    Posted Sep 03, 2024 05:39 AM

    You can have more than one DHCP relay for each VLAN; ClearPass just needs to see the DHCP request, and it will not respond to it.



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 3.  RE: Collect fingerprinting on vlan that don't have DHCP relay

    Posted Sep 03, 2024 06:29 AM

    Hi,
    Thank you for your response.

    Yes, I know I can put more than one relay.
    My problem is the VLANs where the FortiGate is operating as the DHCP server, meaning it doesn't have a relay configured at all.

    As far as I know, you can't configure a VLAN on the FortiGate to get DHCP from the FortiGate and configure a relay on the same VLAN.



    ------------------------------
    Best regards,
    Alon Haber
    ------------------------------



  • 4.  RE: Collect fingerprinting on vlan that don't have DHCP relay

    EMPLOYEE
    Posted Sep 03, 2024 03:29 PM

    That requires support from the device to not only provide DHCP but also relay the DHCP on to ClearPass.  Some Aruba devices have this capability, no idea on other vendors.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 5.  RE: Collect fingerprinting on vlan that don't have DHCP relay

    Posted Sep 04, 2024 07:22 AM

    You can set up an additional DHCP relay for DHCP fingerprinting on any switch in this VLAN (assuming the switch supports this feature).
    Then the clients get their IPs from the Fortigate, the switch relays the DHCP requests to ClearPass and then you have the fingerprints.



    ------------------------------
    Regards,

    Waldemar
    ACCX # 1377, ACEP, ACX - Network Security
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------
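What the relay setup above actually delivers to ClearPass is a second copy of each client's DHCP request, unicast from the switch with giaddr set to the relay interface and the hop count incremented (standard relay-agent behaviour, RFC 1542). The parser below is an added example, not ClearPass or HPE code, showing what a passive fingerprinting collector extracts from such a relayed DHCPDISCOVER: option 55 (parameter request list), option 60 (vendor class) and option 12 (hostname), plus the relay address that tells the collector which VLAN the client sits on before the client has any IP at all. The packet bytes, the MAC 00:11:22:33:44:55, the relay address 10.20.30.1 and the hostname are constructed for the example; the collector deliberately ignores BOOTREPLY messages (the FortiGate's offers and ACKs) and malformed packets, since its job is to read, never to answer.

```python
"""Passive DHCP fingerprint extraction from a relayed client request.

Added example (not ClearPass code). Sample packets are built inline with
build_discover(); MAC, relay IP, hostname and option values are made up.
"""
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # RFC 2132 options marker
BOOTREQUEST = 1                             # op field: client -> server
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def parse_options(data):
    """Return {code: value} from the TLV options field; reject truncation."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 0:                       # pad byte, no length
            i += 1
            continue
        if code == 255:                     # end marker
            break
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = value
        i += 2 + length
    return opts


def parse_dhcp(packet):
    """Decode the fixed BOOTP header (236 bytes) and the DHCP options."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    (op, _htype, hlen, hops, xid, _secs, _flags,
     _ciaddr, _yiaddr, _siaddr, giaddr) = struct.unpack("!BBBBIHH4s4s4s4s", packet[:28])
    chaddr = packet[28:28 + hlen]           # hardware address, hlen bytes of 16
    opts = parse_options(packet[240:])
    mtype = opts.get(53, b"\x00")[0]
    return {"op": op, "hops": hops, "xid": xid,
            "client_mac": ":".join("%02x" % b for b in chaddr),
            "giaddr": str(IPv4Address(giaddr)),   # set by the relay agent
            "msg_type": MSG_TYPES.get(mtype, "UNKNOWN"),
            "options": opts}


def fingerprint(msg):
    """Attributes a DHCP fingerprinting engine keys on for device profiling."""
    opts = msg["options"]
    return {"mac": msg["client_mac"],
            "param_request_list": ",".join(str(b) for b in opts.get(55, b"")),
            "vendor_class": opts.get(60, b"").decode("ascii", "replace"),
            "hostname": opts.get(12, b"").decode("ascii", "replace"),
            "relay": msg["giaddr"]}         # identifies the VLAN / relay interface


def collect(packet):
    """Fingerprint a relayed client message; drop server replies and garbage."""
    try:
        msg = parse_dhcp(packet)
    except ValueError:
        return None
    if msg["op"] != BOOTREQUEST or msg["msg_type"] not in ("DISCOVER", "REQUEST", "INFORM"):
        return None
    return fingerprint(msg)


def build_discover(mac, relay_ip, hostname, prl, vendor_class, hops=1):
    """Construct a DHCPDISCOVER as a relay would forward it (test input only)."""
    header = struct.pack("!BBBBIHH4s4s4s4s", BOOTREQUEST, 1, 6, hops, 0x3903F326,
                         0, 0x8000, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         IPv4Address(relay_ip).packed)
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0")
    opts = (bytes([53, 1, 1])                                   # DHCPDISCOVER
            + bytes([12, len(hostname)]) + hostname.encode()    # hostname
            + bytes([55, len(prl)]) + bytes(prl)                # parameter request list
            + bytes([60, len(vendor_class)]) + vendor_class.encode()
            + b"\xff")
    return header + chaddr + b"\0" * 64 + b"\0" * 128 + MAGIC_COOKIE + opts


if __name__ == "__main__":
    # Constructed sample: a Windows-style request list relayed from 10.20.30.1
    pkt = build_discover("00:11:22:33:44:55", "10.20.30.1", "lab-laptop",
                         [1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252],
                         "MSFT 5.0")
    print(collect(pkt))
```

Two things worth checking in a real deployment follow from this: the collector only ever parses and never transmits, which is what post 2 means by ClearPass not responding, and the only data that leaves the VLAN is what the client already broadcasts (MAC, hostname, option list), now additionally unicast to ClearPass over whatever path the switch has to it. The giaddr field is the relay's own address, so a collector can attribute a fingerprint to a VLAN even though the client has no IP yet.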



  • 6.  RE: Collect fingerprinting on vlan that don't have DHCP relay

    Posted Sep 05, 2024 04:31 AM

    Good idea.

    I was thinking about it but wondering if it's not causing me any security risks.



    ------------------------------
    Best regards,
    Alon Haber
    ------------------------------



  • 7.  RE: Collect fingerprinting on vlan that don't have DHCP relay

    Posted Sep 04, 2024 09:39 PM

    On FortiOS 7.0 and newer, you can run a DHCP server and relay on the same VLAN.  This is a little tricky as you lose GUI support on the FortiGate interface but works well.  I've implemented this myself in a network with over 30 sites and the FGTs supporting DHCP across 8 VLANs at each site.

    Here is the reference.

    DHCP server | FortiGate / FortiOS 7.0.5 | Fortinet Document Library




  • 8.  RE: Collect fingerprinting on vlan that don't have DHCP relay

    Posted Sep 05, 2024 04:45 AM

    WOW !!! Thank you so much.

    If it works for me, you will solve a lot of problems in the future as well :)

    I am going to try it out.



    ------------------------------
    Best regards,
    Alon Haber
    ------------------------------