
What causes profiler conflicts?

  • 1.  What causes profiler conflicts?

    Posted Oct 04, 2024 09:22 AM

    Hey,

    I'm working on a new authentication workflow and was looking at using profiler conflicts. I saw that my computer in test had a profiler conflict. When I looked into it a bit more, I saw that the Device Name field in the endpoint was somehow overwritten with my computer's hostname. I'm running 6.11.9 in test. Curious what's happening that is causing this. Picture below.

    What's even weirder is that it's trying to resolve it to an iPhone, which it most certainly is not. What might be going on here?



  • 2.  RE: What causes profiler conflicts?

    Posted Oct 04, 2024 09:58 AM

    There is a setting to modify the conflict behavior, but by default a change in the Category will result in the endpoint being marked as in conflict.  Decent chance that your device was initially profiled using older (or incomplete) profiling information that has since then been updated.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 3.  RE: What causes profiler conflicts?

    Posted Oct 04, 2024 10:05 AM

    I assume you're referring to the cluster wide profiler parameters? Conflict detection strict mode?

    But I guess I'm failing to understand why the device name was overwritten. All testing has been done in this cluster, so I'm not sure why profiling would be incomplete in this scenario. The only variable here really is that I'm testing both Aruba and Cisco wireless systems with the same machines against this cpass cluster.

    What is the behavior that leads the endpoint Device Name to update? These have to match the device attribute dictionaries and obviously Max's MBP Work is not a valid device name within Computer - Apple Mac. Mac OS X is the only valid Device Name. 




  • 4.  RE: What causes profiler conflicts?

    Posted Oct 04, 2024 10:20 AM

    Yes.

    Do you have any custom fingerprints loaded?  If not, this could be/have been a bug.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 5.  RE: What causes profiler conflicts?

    Posted Oct 04, 2024 10:27 AM

    No custom fingerprints on the test cluster. I will continue to do testing to see if I can replicate the issue and if I can, I will contact TAC.

    Appreciate your help. Any other recommendations or suggestions? Do you usually keep conflict detection on default medium or have you found it better to loosen the restriction? Not asking for advice for my environment, just curious what you've done historically.




  • 6.  RE: What causes profiler conflicts?

    Posted Oct 04, 2024 10:54 AM

    I've only ever had to use the default option.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 7.  RE: What causes profiler conflicts?

    Posted Oct 04, 2024 11:01 AM

    Thanks for your insight Carson. I will update this thread if I'm able to recreate the issue.




  • 8.  RE: What causes profiler conflicts?

    Posted Oct 05, 2024 03:55 AM
    Hi,
    So the host name of your device is probably reflecting what is in the DHCP option passed to CPPM.
    As for thinking it's a different type of Apple device, it seems that's where the user_agent_string has a component common to macOS and iOS and CPPM gets it wrong.
    A
    Sent from my iPhone




  • 9.  RE: What causes profiler conflicts?

    Posted Oct 05, 2024 04:32 AM

    The fingerprints used are displayed in the Device Fingerprints tab in the endpoint. What do you see when you click on the tab?



    ------------------------------
    Regards,

    Waldemar
    ACCX # 1377, ACEP, ACX - Network Security
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 10.  RE: What causes profiler conflicts?

    Posted Oct 07, 2024 09:08 AM
    Edited by MT9 Oct 07, 2024 09:09 AM

    Interesting theory. What DHCP option are you referring to specifically? I will do some digging in our Infoblox environment to see what extra options are being passed back.

    As for the Device Fingerprints tab right now it shows what I corrected it to, but if I can get it to recur I will check. Unfortunately I did not check that last time. Silly me, I should've looked at that. But what I do see is Max's MBP Pro is an attribute for DeviceName. Maybe that's telling.




  • 11.  RE: What causes profiler conflicts?

    Posted Oct 07, 2024 09:45 AM
    OK, so for my iPhone running iOS 18 on my home network,
    ClearPass sees the following options. DHCP option 12 is the phone's hostname. Host User Agent is off by default on a mobility controller, I believe (been a while), but you can switch it on.

    When you have a Mac and an iOS device, there's some commonality in what you see in the user agent string between iOS and macOS, and sometimes CPPM gets it wrong.

    On a wired network you can also ask for fingerprints to be based upon DHCP, LLDP and HTTP.




  • 12.  RE: What causes profiler conflicts?

    Posted Oct 07, 2024 10:15 AM
    Well, your host name is from the client, not Infoblox, and normally CPPM is a DHCP sink from the client, either at the switch or with UDP forwarding at L3. Also, your mobility controller can use the contents of option 12 as a client hostname, but I'd guess that is still what the client sends out.

    I use ISC KEA to tailor my DNS entries as I like for a given client, but that's different.
    A
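
Posts 11 and 12 point at DHCP option 12 as the source of the hostname, sent by the client itself. The sketch below is an added example, not part of the thread and not ClearPass code: it walks the options field of a client DHCP message and pulls out the values a profiler typically receives. The function names and the sample bytes are constructed for illustration; only the hostname string comes from the thread.

```python
MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2131 marker preceding the options field

def parse_dhcp_options(options: bytes) -> dict:
    """Walk the TLV-encoded DHCP options field and return {code: raw value}."""
    if options[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    out, i = {}, 4
    while i < len(options):
        code = options[i]
        if code == 0:          # Pad option: one byte, no length field
            i += 1
            continue
        if code == 255:        # End option: stop parsing
            break
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} is truncated")
        out[code] = out.get(code, b"") + value  # RFC 3396: repeated options concatenate
        i += 2 + length
    return out

def client_profile_inputs(options: bytes) -> dict:
    """Extract the client-supplied fields relevant to device profiling."""
    opts = parse_dhcp_options(options)
    return {
        "hostname": opts.get(12, b"").decode("utf-8", "replace") or None,      # option 12
        "param_request_list": list(opts.get(55, b"")),                          # option 55
        "vendor_class": opts.get(60, b"").decode("ascii", "replace") or None,  # option 60
    }

def build_options(pairs) -> bytes:
    """Helper for this example only: encode (code, value) pairs as an options field."""
    body = b"".join(bytes([code, len(value)]) + value for code, value in pairs)
    return MAGIC_COOKIE + body + b"\xff"

# Constructed sample (not a capture): a DHCPREQUEST carrying the hostname from the thread.
SAMPLE = build_options([
    (53, b"\x03"),                                   # message type: REQUEST
    (12, "Max's MBP Work".encode()),                 # client-chosen hostname
    (55, bytes([1, 121, 3, 6, 15, 119, 252])),       # constructed parameter request list
])

if __name__ == "__main__":
    print(client_profile_inputs(SAMPLE))
```

Because every one of these fields is set by the client, a hostname seen in option 12 says nothing about the device category on its own.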