Security

  • 1.  Managing Endpoint database

    Posted Dec 19, 2022 12:57 AM
    Hello guys,
    I have got a client that has about 300k endpoint entries in their endpoint database.

    They have many locations and this is for guests only for now.

    The problem we are facing here is that they just want the user to be able to register 2 devices with the same email.
    The problem with this is that they are getting reports of users not being let in.
    I had a session with them and I saw the rule, and also tested with them that the problem was the rule: I did them a demo with a client that was not able to connect, deleted an entry in the endpoint database for that user, and then he was able to connect.
    Anyways, I think that part of the problem could be the MAC randomizer, because if the user does for example an update to their cellphone it might use another MAC address.
    They have a lot of sites and in each site they have a cluster of Instants. I'm not sure if for each cluster, even if the SSID is the same, the device will change the MAC address, because if that's true then we will have a big issue here: if the user wants to go to another store in another place he might get another MAC. Not sure if this is like this.

    Anyways, I wanted to know the following:
    1- I remember that there was a feature in ClearPass in which you could delete automatically an entry that was not in use for a few days, but this option is not there anymore.
    This is the option, it was available on 6.6 as far as I remember:
    I was planning on using this to solve the issue with the client but it is not available in the 6.10 version.

    Now I don't have this option I'm not sure what would be the best way to deal with this.

    Also, I would like to know, if I did a cleanup every X days, how it would affect them now that they have 300 000 entries in that endpoint database.
    At what time does ClearPass do this? I don't see it in the documentation. If it does a cleanup of this massive amount of endpoints, would it affect ClearPass in any way?
    If it does it at night time I guess there won't be a problem.

    2-Any ideas on how to work with this?


  • 2.  RE: Managing Endpoint database

    Posted Dec 20, 2022 06:07 AM
    Not fully sure what you are trying to do. You mention guest and register devices, but also endpoint database.

    Device registration will use the [Guest Device Repository], not the Endpoint database (for the device limitation).
    What you describe looks more like Guest Captive Portal and MAC Caching, where you store the username in the endpoint and check that there are no more than 2 of those. What is more common is the use of the Session Limit Post Authentication enforcement, that will disconnect sessions that are above the number you configured (2).

    If you still want to use the endpoint repository, the item you highlighted has moved into multiple new cleanup intervals:
    So it's more flexible. The time in days in 6.10+ is the inactivity time of a client.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: Managing Endpoint database

    Posted Dec 20, 2022 10:45 PM
    Hello Herman, thanks for taking your time in answering my message.

    Yes, we are talking about captive portal with MAC caching.

    Right now I remember they are limiting each account so they can just register 2 devices; the rule is something like this:

    Also I remember that I checked in the configuration and they had configured 2 hours for the account; the default value was changed from 24 hours to 2 hours. I guess they wanted the user to be able to register with the email and stay in the store for two hours, and if they come back another day they have to register again, or if they go to another store in another area in the city they have to register again.

    I do remember, in the troubleshooting I was doing, they had a few devices that had the issue that they could not connect and they were in a loop of registration. I saw the email they were using was at the limit of devices, at least in the endpoint database they already had 2, so what I did was to delete one and that fixed the problem for all of them.
    So I thought that the problem here was the endpoint repository.
    The problem here is that if they come with a new device or the MAC address changes then it would count as device number 3 and it won't let that device get in the network, unless he uses a new email.

    I've got one question for you.
    You said "So it's more flexible. The time in days in 6.10+ is the inactivity time of a client"

    I was trying to look for that option because it is the one I was looking at to fix this, but it's not available. In your screenshot I don't see it, but in mine, which is of version 6.6, it's available:


    Here is your screenshot where I can't find that option, and I can't find it as well in the client cleanup options.
    If you see in mine, I have the same options but I've got one more option, which is the one I wanted to use, the "maximum inactive time for endpoints".

    Another way to fix it, I guess, is by enabling the database cleanup with the options I have available, but that would clean up all the devices.
    If I turn that on, for example to 7 days, at what time of the day does it do this cleanup? How does this impact ClearPass if it has over 300 000 endpoints to delete?
    If I turn on the cleanup for the expired guest accounts, it just deletes the expired guest accounts in ClearPass Guest, but it does not delete the endpoints associated with that account from the endpoint repository, right?





  • 4.  RE: Managing Endpoint database

    Posted Dec 21, 2022 04:57 AM
    The change in cleanup schedule is that before 6.10, the 'create' timestamp was used for the cleanup, which is not what people would expect. Starting 6.10 the 'last seen' is used, more logical. But you are right that with the cleanup you cleanup everything, except if you use the known/unknown flag to more selectively cleanup. Another option would be to use the API and cleanup to a fully custom schedule.

    Thinking once more, the MAC Randomization in modern devices basically breaks your rule that only 2 unique devices can be used as the MAC cannot be used to determine if it is a unique device. There may be several solutions to this, like dropping the requirement of max 2 unique devices, switch to a requirement of 2 concurrent devices, ignore devices that have randomized MAC addresses (you could determine that with a Regex or use the random MAC detection in ClearPass 6.11), or include a timestamp in the endpoint database and customize your query that only includes MAC addresses belonging to a user that have been added in the last 2 hours for the check on unique devices. I'm not sure what is the idea behind these unique devices and offering only 2 hours of access, it sounds a bit too strict, but from a part of the world where internet bandwidth is unmetered and there is no real cost difference in how much connections/data is used, it may be easy talking.

    In case you have trouble configuring one of the options, your Aruba partner or Aruba support may be able to assist, as my experience is that you would need to configure - test - adapt in order to get this fine-tuned and optimized. Or you may need to try a few options to find out what works best.

    If you still run ClearPass 6.6, be aware that this has been end-of-life/end-of-support for quite some time and there are known security vulnerabilities that are fixed in the still supported 6.9/6.10/6.11 version. I would recommend to upgrade or at least not expose a ClearPass 6.6 to the public.

    ------------------------------
    Herman Robers
    ------------------------------
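As an added illustration of two of the options listed in the reply above (detecting randomized MAC addresses with a regex, and counting a user's unique devices only within a 2-hour window), this is not code from the thread or from ClearPass; the endpoint records, field names and the hypothetical `may_register` check are my own assumptions.

```python
import re
from datetime import datetime, timedelta

# MAC randomization on iOS/Android/Windows sets the "locally administered" bit, which
# shows up as a second hex digit of 2, 6, A or E in the first octet. Accepts ":", "-" or no separator.
RANDOM_MAC_RE = re.compile(r"^[0-9a-f][26ae]([:-]?[0-9a-f]{2}){5}$", re.IGNORECASE)


def is_randomized_mac(mac: str) -> bool:
    """True when the locally-administered bit is set, i.e. the MAC is very likely randomized."""
    return RANDOM_MAC_RE.match(mac.strip()) is not None


def normalize_mac(mac: str) -> str:
    return mac.replace(":", "").replace("-", "").lower()


def devices_in_window(endpoints, username, now, window=timedelta(hours=2)):
    """Unique, non-randomized MACs tied to `username` whose 'added' timestamp lies inside the window.

    This mirrors the suggestion of storing a timestamp in the endpoint record and only
    counting MACs added in the last 2 hours, while ignoring randomized MACs entirely."""
    cutoff = now - window
    macs = set()
    for ep in endpoints:
        if ep["username"] != username or ep["added"] < cutoff:
            continue
        if is_randomized_mac(ep["mac"]):
            continue  # randomized MACs cannot identify a device, so they are not counted
        macs.add(normalize_mac(ep["mac"]))
    return macs


def may_register(endpoints, username, new_mac, now, max_devices=2):
    """Hypothetical 'max 2 unique devices per email' check with the window and random-MAC rules applied."""
    current = devices_in_window(endpoints, username, now)
    if normalize_mac(new_mac) in current or is_randomized_mac(new_mac):
        return True
    return len(current) < max_devices


NOW = datetime(2022, 12, 21, 10, 0)
SAMPLE_ENDPOINTS = [  # constructed sample records, not real ClearPass data
    {"mac": "a4:83:e7:11:22:33", "username": "guest@example.com", "added": NOW - timedelta(minutes=30)},
    {"mac": "3c:22:fb:44:55:66", "username": "guest@example.com", "added": NOW - timedelta(minutes=90)},
    {"mac": "3c:22:fb:77:88:99", "username": "guest@example.com", "added": NOW - timedelta(days=3)},
    {"mac": "da:1b:5c:aa:bb:cc", "username": "guest@example.com", "added": NOW - timedelta(minutes=5)},
]

if __name__ == "__main__":
    print(devices_in_window(SAMPLE_ENDPOINTS, "guest@example.com", NOW))
    print(may_register(SAMPLE_ENDPOINTS, "guest@example.com", "00:11:22:33:44:55", NOW))
```

With the 3-day-old entry aged out and the randomized one ignored, the sample user has two counted devices, so a third factory MAC is refused while a re-registration of an already-known MAC is accepted.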



  • 5.  RE: Managing Endpoint database

    Posted Dec 21, 2022 09:53 AM
    Hello Herman thanks for your reply!
    I see good options there. I was not aware of the MAC randomization detector in 6.11; I can talk with the client to see if we upgrade it to solve the MAC randomization problem.

    Regarding the cleanup of ClearPass itself, do you think having over 300 000 endpoints in the endpoint repository is an issue, or will it be an issue on reaching a specific number?

    If the client would like to run a cleanup every X days, at what time does ClearPass do this cleanup? What is the impact on ClearPass if I set it every 7 days and on day 7 it needs to delete all those 300 000 entries?


  • 6.  RE: Managing Endpoint database

    Posted Dec 22, 2022 04:22 AM
    I don't think 300k endpoints in the database is an issue, maybe if you clean out 280k the first time after you enabled the cleanup options, but these numbers just sitting in a database should not really put a big hit on the system.

    The cleanup seems to run at 2:45 AM in the local timezone of the ClearPass publisher. You can check in the Event Viewer, because the Auto Cleanup is recorded there:
    Because it is running in the night, the practical impact should be relatively small.

    ------------------------------
    Herman Robers
    ------------------------------



  • 7.  RE: Managing Endpoint database

    Posted Dec 22, 2022 03:48 PM
    Thank you Herman!