The controller will do fingerprinting as well (different name), but it's just less advanced. You can use IF-MAP to share those fingerprints with ClearPass, but I have not used that for years as the profiling from ClearPass gives me better results.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Mar 04, 2023 05:21 AM
From: danW
Subject: Mac authentication & Profiling
@Herman Robers I´ve to say that I currently use the Controllers integrated DHCP-Server function only in my lab - on the productive network I´ve a dedicated Windows Server acting as DHCP, so I´m not able to try it in my lab first, but I´ll check it in the live system :)
For Device Profiling I´ll have to use the CPPM or does the Controller offer that eventuality also?
Original Message:
Sent: Mar 01, 2023 05:36 AM
From: Herman Robers
Subject: Mac authentication & Profiling
On many types of equipment, DHCP server and relay are mutually exclusive. If you have a central DHCP server you could point ip helpers to both ClearPass and the real DHCP server, if you don't you can see if there is another device in the subnet that can do the ip helper/dhcp relay to ClearPass.
It's not really recommended to use the controller's DHCP server unless you really can't otherwise. The features are limited and it's more used for those situations where you really can't do anything else. Same situation may apply on some switch scenarios, but in networks that are a bit larger than lab networks, I see in general the use of an external DHCP server to provide proper central control/logging/monitoring.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Feb 27, 2023 01:51 PM
From: danW
Subject: Mac authentication & Profiling
The basic ClearPass profiling is based around profiling a device based on its DHCP packets (these packet are usually relayed to the ClearPass - as well as the DHCP server).
how does profiling work when for example the Mobility Controller acts as DHCP Server? I think that a local DHCP Scope on the Mobility Controller and DHCP-Relay/IP Helper are mutually exclusive?! so how can DHCP fingerprinting be done on Clearpass in that case?
Original Message:
Sent: Jul 20, 2021 05:02 AM
From: derinmellor
Subject: Mac authentication & Profiling
The basic ClearPass profiling is based around profiling a device based on its DHCP packets (these packet are usually relayed to the ClearPass - as well as the DHCP server). If the device has a static IP address then, clearly, ClearPass will not be able to profile this device.
ClearPass also has proactive profiling: SNMP, SSH (really only useful for Linux based devices), WMI and NMAP (can be very inaccurate - best to use in conjunction with one of the other profiling techniques, but very useful to distinguish servers with a specific job role - eg print servers).
SNMP is possibly the most useful and very accurate, but ClearPass does not have many SNMP fingerprint. This is OK as you can add your own fingerprint. Have a look at the attached document as it might give you some ideas...
------------------------------
Derin Mellor
Original Message:
Sent: Jul 19, 2021 04:53 AM
From: Emmanuel Egbewatt
Subject: Mac authentication & Profiling
Hello Experts,
I was wondering with the difference could be. I came accross an implementation on clearpass where all printers MAC are added via static-host entries and IAP via profiling. Whats really makes the difference? Printers could still have been added via profiling? I was told to get an IAP work, it needs to be connected to an untrusted (non enable clearspass) port for clearpass to profile it and later on enable the clearpass on the port before it will work. Can anyone please explain this to me? I am new to this Product.
Best regards
------------------------------
Emmanuel Egbewatt
------------------------------