Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Endpoint Repository question

  • 1.  Endpoint Repository question

    Posted Aug 22, 2023 05:35 AM

    Hi experts,

    I have a question about the Endpoint Repository database. In my CPPM I have this type of condition for my printers:

    AFAIK, for the printer to be authenticated, it should be in the Endpoints Repository, but the documentation says "ClearPass Policy Manager automatically lists all the endpoints that are authenticated in the Configuration > Identity > Endpoints page". So CPPM adds the printer to the Endpoints Repository if it is authenticated, but for the printer to be authenticated it should be in the Endpoints Repository (Authorization:Sources EQUALS [Endpoints Repository]). Which comes first? Am I missing something?



    ------------------------------
    Regards,
    Julian
    ------------------------------


  • 2.  RE: Endpoint Repository question
    Best Answer

    Posted Aug 22, 2023 09:02 AM

    The trick would be to place unknown devices in a network segment where they can be profiled, and after that be placed in the final role.

    I think this video, or videos #4 or #5 after it, show that concept.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: Endpoint Repository question

    Posted Aug 28, 2023 06:10 AM

    Hi Herman,

    What wonderful videos! It is much clearer after seeing them. So I see the documentation is not completely correct, since CPPM lists all the devices it sees in the endpoints database, and not only the devices that have been authenticated. For example, in the first video the Instant AP doesn't do any authentication, and it is listed in the endpoints database.

    One doubt: my printers and VoIP phones have static IP addresses and don't do DHCP requests. How can I get them profiled then? Only with their MAC? Thanks in advance.



    ------------------------------
    Regards,
    Julian
    ------------------------------



  • 4.  RE: Endpoint Repository question

    Posted Sep 04, 2023 05:20 AM

    You may have results by querying the LLDP/CDP tables from your switches, or running SNMP scans on the devices, but if the device has a static IP it's somewhat harder to get quick and accurate profiling. If you know the MAC addresses, you can add them to the Endpoint database with an attribute, or profile based on the MAC prefix. If possible, I would move to DHCP (and use reservations if the clients need a fixed IP).



    ------------------------------
    Herman Robers
    ------------------------------
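The two MAC-based options in the last reply (adding known MACs to the Endpoint database with an attribute, or profiling on the MAC prefix) can be prepared offline from an inventory list. The sketch below is an added example, not part of the thread and not ClearPass code: the prefix map, the record field names and the `Device Category` attribute are assumptions to be mapped onto whatever import format you use.

```python
import json
import re

# Constructed prefix-to-category map. The prefixes are placeholders; replace
# them with the vendor prefixes from your own printer and phone inventory.
OUI_CATEGORY = {"0011aa": "Printer", "0022bb": "VoIP Phone"}

def normalize_mac(raw):
    """Strip common separators and return 12 lowercase hex digits."""
    mac = re.sub(r"[-:.\s]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", mac):
        raise ValueError(f"not a MAC address: {raw!r}")
    return mac

def classify(mac, oui_map=OUI_CATEGORY):
    """Return a category for a normalized MAC, or None if the prefix is unusable."""
    # A locally administered address (0x02 bit of the first octet) carries no
    # vendor prefix, so a prefix match on it would be meaningless.
    if int(mac[:2], 16) & 0x02:
        return None
    return oui_map.get(mac[:6])

def build_records(raw_macs, oui_map=OUI_CATEGORY):
    """Build one record per unique MAC; return (records, rejected_inputs)."""
    records, rejected, seen = [], [], set()
    for raw in raw_macs:
        try:
            mac = normalize_mac(raw)
        except ValueError:
            rejected.append(raw)      # keep malformed entries for manual review
            continue
        if mac in seen:               # same device written in another notation
            continue
        seen.add(mac)
        category = classify(mac, oui_map)
        records.append({              # field names here are hypothetical
            "mac_address": mac,
            "status": "Known" if category else "Unknown",
            "attributes": {"Device Category": category} if category else {},
        })
    return records, rejected

if __name__ == "__main__":
    # Constructed inventory in mixed notations, with one duplicate and one typo.
    sample = ["00:11:AA:01:02:03", "0022.bb0a.0b0c", "00-11-aa-01-02-03",
              "06:11:aa:00:00:01", "00:11:AA:01:02"]
    records, rejected = build_records(sample)
    print(json.dumps(records, indent=2))
    print("rejected:", rejected)
```

Entries left as `Unknown` are the ones a prefix match cannot place, so they are the candidates for the LLDP/CDP or SNMP approach mentioned in the same reply.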