Yeah had issues with TVs when
You
Did a firmware update , dhcp options changed and fi get print changed
Original Message:
Sent: 3/1/2023 4:32:00 AM
From: matchabear
Subject: RE: Signature Collected Seen Differently Almost Every Occasions
Hello there,
2 devices different mac addresses.
They said they configure the mac address statically on both device.
Some of my colleagues from previous deployment also said that it is normal to see a device changing fingerprint (this is in terms of dhcpOptions values).
What I've seen so far is , dhcpOptions55 values are rarely changing, only the dhcpOptions is more likely to change, and the number 50 and number 54 are the ones that having more chances to be missing from the array of numbers.
I tried changing the content of the dhclient.conf file in the Pi and even emptying it , and it can make a difference in terms of what I capture in the ClearPass,
BUT, after doing the `dhclient -v` command + reboot, the original values came back.
Sometimes when I trigger CoA from ClearPass, number 50 or 54 is missing, but after sometime it is there again, so I don't really know when these numbers will be missing, when it will not. All I can do is just what you suggested, every time it gives a different values, I capture it under the Dictionaries > Device Fingerprints, so it is like collecting all the possible values that this device may send.
Thanks for the reply by the way and hope we can discuss further about this topic.
Thanks.
Original Message:
Sent: Feb 14, 2023 07:32 AM
From: alexs-nd
Subject: Signature Collected Seen Differently Almost Every Occasions
So given fact that Mac out says its a Pi, silly question, its not booting into different operating systems is it ?
2 devices using same Mac address ?
I've seen that before for e.g. TVs where you upgrade there firmware and the DHCP options change between. Firmware releases.
I normally create a custom fingerprint that covers all device types so once I've ascertained that both sets are really coming from the same host, you can from endpoints create a custom fingerprint. Covering all possible DHCP option combinations for a given device so you end u with one. Category/os family/device name from which you can create a role and act upon it
A
Original Message:
Sent: 2/13/2023 5:27:00 AM
From: matchabear
Subject: Signature Collected Seen Differently Almost Every Occasions
Hi All,
We are doing DHCP profiling to collect a signature collection, and this signatures will then be used as rules to permit/deny endpoints into the network.
We see some weird behavior where one MAC address can send a different DHCP properties in different occasions it connects to the network. So when this happens, the previously collected fingerprints are 'obsolete', does not hit any rules, and get denied (hit the default profile).
Have you guys seen this kind of behavior before ? From your perspectives, is it the endpoint issue, or clearpass issue ?
I opened a TAC case 5371355052.
Attached the fingerprints collected. So far we just have 2 devices (2 mac addresses) connected but we got 7 different fingerprints collected.