Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Switch collector not identifying Aruba AP

  • 1.  Switch collector not identifying Aruba AP

    MVP EXPERT
    Posted Nov 28, 2023 10:28 AM

    Hi,

    2930 switch WC.16.11.13, cppm 6.11.5

    I have some Aruba 225 APs connected to a 2930 switch with device-fingerprinting enabled (dhcp, lldp, http). The APs are using static IP addresses.

    In ClearPass it identifies the device as /Generic/Aruba and not as /Access Points/Aruba/ArubaAP. Looking in endpoints under device fingerprints I can see that LLDP System Description = "ArubaOS (Model 225), Version Aruba AP"

    Shouldn't cppm use the lldp info to create the correct endpoint fingerprint?

    I can create a custom fingerprint specifically for that lldp entry and assign the fingerprint, but shouldn't cppm do that?

    A



  • 2.  RE: Switch collector not identifying Aruba AP

    Posted Nov 29, 2023 01:41 AM

    Hello, how do you send information to ClearPass to profile? DHCP fingerprinting, SNMP information from the switch?

    This is just an example from my environment 




  • 3.  RE: Switch collector not identifying Aruba AP

    MVP EXPERT
    Posted Nov 29, 2023 04:44 AM
    Enabled device fingerprinting on switch covering dhcp, lldp and http

    device-fingerprinting timer 60
    device-fingerprinting policy "nd-dev-policy"
    dhcp
    http
    lldp
    exit
    device-fingerprinting apply policy "nd-dev-policy" 2-8

    In this case the AP has a static IP so the dhcp collector is not in operation.
    But it does return lldp info.




  • 4.  RE: Switch collector not identifying Aruba AP

    MVP EXPERT
    Posted Nov 29, 2023 04:50 AM
    Forgot to mention, yes, your device fingerprint looks fine, but if you go to endpoints and look at the end-host-profile in my case, when an AP has a static IP you don’t get Access Points/Aruba/ArubaAP, you get General/Aruba/….. so it's just using the MAC OUI to identify the device.

    So if you’re assigning a role based upon the end-host-profile it fails.

    Solved it by adding a custom fingerprint checking for Aruba OUI and LLDP having a string particular to an AP 225.
    A