Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Signature Collected Seen Differently Almost Every Occasions

  • 1.  Signature Collected Seen Differently Almost Every Occasions

    Posted Feb 13, 2023 05:27 AM

    Hi All,

    We are doing DHCP profiling to collect a signature collection, and these signatures will then be used as rules to permit/deny endpoints into the network.

    We see some weird behavior where one MAC address can send different DHCP properties on different occasions when it connects to the network. So when this happens, the previously collected fingerprints are 'obsolete', do not hit any rules, and get denied (hit the default profile).

    Have you guys seen this kind of behavior before? From your perspective, is it an endpoint issue or a ClearPass issue?

    I opened a TAC case 5371355052.

    Attached are the fingerprints collected. So far we just have 2 devices (2 MAC addresses) connected, but we got 7 different fingerprints collected.



  • 2.  RE: Signature Collected Seen Differently Almost Every Occasions

    EMPLOYEE
    Posted Feb 14, 2023 07:02 AM

    Assuming ClearPass is in use here for DHCP Profiling.

    Is the MAC address of the client randomising on reboot? Apparently this is a feature of network-manager on the Pi. Removing this package may result in more stable behaviour. Please let us know what you find out.




  • 3.  RE: Signature Collected Seen Differently Almost Every Occasions

    Posted Mar 01, 2023 04:23 AM

    Hello there,

    The Pi vendor says that they statically configure the MAC address. Is this done via the network manager itself as well? If so, then maybe the vendor knows where this network manager package is and knows how to remove it as well.

    Let me get back to you some time later on the status of network-manager and the removal of it.




  • 4.  RE: Signature Collected Seen Differently Almost Every Occasions

    MVP EXPERT
    Posted Feb 14, 2023 07:33 AM
    So given the fact that the MAC OUI says it's a Pi, silly question: it's not booting into different operating systems, is it?

    2 devices using the same MAC address?

    I've seen that before for e.g. TVs where you upgrade their firmware and the DHCP options change between firmware releases.

    I normally create a custom fingerprint that covers all device types, so once I've ascertained that both sets are really coming from the same host, you can create a custom fingerprint from endpoints, covering all possible DHCP option combinations for a given device, so you end up with one category/OS family/device name from which you can create a role and act upon it.


    A




  • 5.  RE: Signature Collected Seen Differently Almost Every Occasions

    Posted Mar 01, 2023 04:32 AM

    Hello there,

    2 devices, different MAC addresses.

    They said they configure the MAC address statically on both devices.

    Some of my colleagues from a previous deployment also said that it is normal to see a device changing fingerprint (this is in terms of dhcpOptions values).

    What I've seen so far is that dhcpOptions55 values are rarely changing, only the dhcpOptions is more likely to change, and the number 50 and number 54 are the ones that have more chance of being missing from the array of numbers.

    I tried changing the content of the dhclient.conf file in the Pi and even emptying it, and it can make a difference in terms of what I capture in ClearPass,

    BUT, after doing the `dhclient -v` command + reboot, the original values came back.

    Sometimes when I trigger CoA from ClearPass, number 50 or 54 is missing, but after some time it is there again, so I don't really know when these numbers will be missing and when they will not. All I can do is just what you suggested: every time it gives different values, I capture them under Dictionaries > Device Fingerprints, so it is like collecting all the possible values that this device may send.

    Thanks for the reply by the way and hope we can discuss further about this topic.

    Thanks.
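
An added example, not part of the original thread and not ClearPass code: per RFC 2131, a DHCPREQUEST carries option 50 (Requested IP Address) and option 54 (Server Identifier) in the SELECTING state, only option 50 in INIT-REBOOT, and neither when renewing, which matches the varying option lists described in post 5. The sketch assumes `dhcpOptions` is the ordered list of option codes present in the packet and `dhcpOptions55` is the parameter request list; the packets, hostname and addresses are constructed.

```python
# Options whose presence depends on the client's DHCP state (RFC 2131, table 5),
# not on the device: 50 = Requested IP Address, 54 = Server Identifier.
STATE_DEPENDENT = {50, 54}

def parse_options(field: bytes):
    """Return [(code, value), ...] in wire order from the bytes after the magic cookie."""
    out, i = [], 0
    while i < len(field):
        code = field[i]
        if code == 255:            # End option
            break
        if code == 0:              # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(field):
            raise ValueError("truncated option header")
        length = field[i + 1]
        value = field[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        out.append((code, value))
        i += 2 + length
    return out

def fingerprint(field: bytes):
    """Raw option list, option 55 list, and a key with state-dependent codes removed."""
    opts = parse_options(field)
    codes = [c for c, _ in opts]
    prl = next((list(v) for c, v in opts if c == 55), [])
    stable = tuple(c for c in codes if c not in STATE_DEPENDENT)
    return {"options": codes, "option55": prl, "stable_key": (stable, tuple(prl))}

def opt(code: int, value: bytes) -> bytes:
    return bytes([code, len(value)]) + value

# Constructed DHCPREQUESTs from one hypothetical client in three DHCP states.
REQ = opt(53, b"\x03")
IP, SRV = bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1])
COMMON = opt(12, b"pi-demo") + opt(55, bytes([1, 3, 6, 15, 28, 42])) + b"\xff"
SAMPLES = {
    "SELECTING":   REQ + opt(50, IP) + opt(54, SRV) + COMMON,
    "INIT-REBOOT": REQ + opt(50, IP) + COMMON,
    "RENEWING":    REQ + COMMON,
}

def summarize(samples=SAMPLES):
    """Per-state fingerprints, the set of raw option lists, the set of stable keys."""
    fps = {state: fingerprint(raw) for state, raw in samples.items()}
    return fps, {tuple(f["options"]) for f in fps.values()}, {f["stable_key"] for f in fps.values()}
```

Here three raw option lists from the same client collapse to one normalized key. Because these values are sent by the client (editing `dhclient.conf` changed what was captured in post 5), a match on the key indicates a device class, not a device identity.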




  • 6.  RE: Signature Collected Seen Differently Almost Every Occasions

    MVP EXPERT
    Posted Mar 23, 2023 01:37 PM
    Yeah, had issues with TVs when you did a firmware update: DHCP options changed and the fingerprint changed.
    A





  • 7.  RE: Signature Collected Seen Differently Almost Every Occasions

    Posted Mar 24, 2023 08:57 AM

    Has anyone implemented TCP Fingerprint in a production environment?

    • How reliable is it over time to be regarded as a rule condition for whether to allow/deny (in short, I want to use the value collected from the TCP Fingerprinting (for example) as the rule condition)?
    • Is this TCP Fingerprint performed manually, a.k.a. on-demand?
    • Can the TAC remove the Data port IP if I already configured it? For example, I want to utilize the Data port to do TCP Fingerprint in C1000.
    • Is C1000 strong enough to handle all mirrored traffic / simply to do this TCP Fingerprinting?
    • To do TCP Fingerprinting in the first place, do I have to allow all TCP traffic from every endpoint subnet to the C1000 Data port?

    Thanks in advance to all the upcoming answers :)




  • 8.  RE: Signature Collected Seen Differently Almost Every Occasions

    EMPLOYEE
    Posted Mar 28, 2023 04:15 AM

    TCP Fingerprinting is off topic for this post. Please create a separate post. I don't see TCP fingerprinting used a lot, because you would need to find a way to get copies of traffic to the secondary port of your ClearPass, and it does not provide too much benefit over easier methods like DHCP Fingerprint or SNMP scans. I think you can just remove the IP address information of your data port in the WebUI to remove it.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------