IF-MAP support in Aruba controller for device profiling in ClearPass


Q:

Additional knobs in ClearPass and on the controller are needed when DHCP fingerprints alone cannot fully classify a device.


A common example is the Apple family of smart devices: DHCP fingerprints cannot distinguish an Apple iPad from an iPhone. In these scenarios, the User-Agent strings that browsers send in HTTP requests are useful to further refine the classification result.


User-Agent strings are collected from:

• ClearPass Guest

• ClearPass Onboard

• Aruba controller through IF-MAP interface

Guest and Onboard automatically collect User-Agent strings. The IF-MAP interface needs to be enabled on the ClearPass server and configured on the Aruba controller.




A:

ClearPass uses a series of collectors to profile devices. These collectors receive information about each device and profile it for Device Category, Device OS Family, Device Name, and Host Name. These device attributes can then be used to assign the correct authorization roles to the device.

Passive collectors monitor and analyze information that is either sent directly to ClearPass or received on a ClearPass SPAN port.

In this case, we use the IF-MAP configuration knob on the Aruba controller: the ArubaOS controller is configured to send the profile information it has learnt to the data ports of the ClearPass cluster.

Guest and Onboard automatically collect User-Agent strings. The IF-MAP interface needs to be enabled on the ClearPass server and configured on the Aruba controller.


Aruba Controller Configuration

Configure the IF-MAP interface on the Aruba controller:

(host) (config) #ifmap
(host) (config) #ifmap cppm
(host) (CPPM IF-MAP Profile) #server host <host> port <port> username <username> passwd <passwd>
(host) (CPPM IF-MAP Profile) #enable


NOTE: The root CA that issued the ClearPass HTTPS server certificate must be uploaded to the controller as a Trusted CA, so that the controller can validate the ClearPass certificate when it opens the IF-MAP connection.
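The iPad-versus-iPhone case from the question, as an added example that is not part of the original article and not ClearPass's own profiler logic: a small Python classifier that takes the DHCP parameter request list (option 55) and the HTTP User-Agent, shows that the constructed iOS fingerprint yields the same answer for every iOS device, and then refines that answer from the User-Agent. The fingerprint value, the rule table and the sample User-Agent strings are all constructed for illustration. It also handles an edge case the article does not mention: iPadOS 13 and later Safari sends a desktop "Macintosh" User-Agent by default, and a user can set the User-Agent to anything, so when the User-Agent disagrees with the OS family derived from DHCP, the DHCP result is kept and the conflict is flagged rather than letting the client talk its way into another category.

```python
import dataclasses
import re
from typing import List, Optional, Tuple

# Constructed sample value (illustration, not ClearPass data): the DHCP
# parameter request list (option 55) that, in this example, every iOS or
# iPadOS device sends. It is identical for iPhone and iPad, so DHCP alone
# can only get as far as "Apple iOS Device".
IOS_DHCP_FINGERPRINT = "1,121,3,6,15,119,252"


@dataclasses.dataclass(frozen=True)
class Profile:
    category: str     # e.g. "SmartDevice", "Computer", "Unknown"
    os_family: str    # e.g. "Apple iOS", "Windows", "Unknown"
    device_name: str  # e.g. "Apple iPad"
    source: str       # which collector(s) the result rests on


def profile_from_dhcp(param_request_list: str) -> Profile:
    """First pass, DHCP fingerprint only. Cannot tell an iPad from an iPhone."""
    if param_request_list == IOS_DHCP_FINGERPRINT:
        return Profile("SmartDevice", "Apple iOS", "Apple iOS Device", "dhcp")
    return Profile("Unknown", "Unknown", "Unknown", "dhcp")


# Hypothetical User-Agent rule table (not a ClearPass rule set). Order
# matters: the specific Apple device tokens are tested before the generic ones.
_UA_RULES: List[Tuple[re.Pattern, Tuple[str, str, str]]] = [
    (re.compile(r"\biPad\b"), ("SmartDevice", "Apple iOS", "Apple iPad")),
    (re.compile(r"\biPhone\b"), ("SmartDevice", "Apple iOS", "Apple iPhone")),
    (re.compile(r"\biPod\b"), ("SmartDevice", "Apple iOS", "Apple iPod")),
    (re.compile(r"\bMacintosh\b"), ("Computer", "Apple Mac OS X", "Apple Mac")),
    (re.compile(r"\bAndroid\b"), ("SmartDevice", "Android", "Android Device")),
    (re.compile(r"\bWindows NT\b"), ("Computer", "Windows", "Windows PC")),
]


def refine_with_user_agent(base: Profile, user_agent: Optional[str]) -> Profile:
    """Second pass: use the HTTP User-Agent to refine the DHCP result.

    The User-Agent is chosen freely by the client (and iPadOS Safari sends a
    desktop "Macintosh" string by default), so it may narrow a DHCP result
    but never overrides the OS family that DHCP already established.
    """
    if not user_agent:
        return base
    for pattern, (category, os_family, name) in _UA_RULES:
        if not pattern.search(user_agent):
            continue
        if base.os_family == "Unknown":
            # DHCP said nothing useful; the User-Agent is all we have.
            return Profile(category, os_family, name, "ua")
        if os_family == base.os_family:
            # Agreement: DHCP gave the OS family, the User-Agent gives the model.
            return Profile(category, os_family, name, "dhcp+ua")
        # Disagreement: keep the DHCP view and record the conflict for review.
        return dataclasses.replace(base, source="dhcp (ua conflict)")
    return base  # unrecognised User-Agent: the DHCP result stands


def classify(param_request_list: str, user_agent: Optional[str]) -> Profile:
    return refine_with_user_agent(profile_from_dhcp(param_request_list), user_agent)


# Constructed sample endpoints (not captured data): label, option 55, User-Agent.
SAMPLE_ENDPOINTS = [
    ("ipad", IOS_DHCP_FINGERPRINT,
     "Mozilla/5.0 (iPad; CPU OS 12_1 like Mac OS X) AppleWebKit/605.1.15 "
     "(KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1"),
    ("iphone", IOS_DHCP_FINGERPRINT,
     "Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 "
     "(KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1"),
    ("ipad-desktop-ua", IOS_DHCP_FINGERPRINT,
     "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15) AppleWebKit/605.1.15 "
     "(KHTML, like Gecko) Version/13.0 Safari/605.1.15"),
    ("ios-no-browser", IOS_DHCP_FINGERPRINT, None),
    ("windows-pc", "1,3,6,15,31,33,43,44,46,47,121,249,252",
     "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
     "(KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36"),
]


def classify_samples() -> dict:
    """Classify every constructed sample endpoint, keyed by its label."""
    return {label: classify(dhcp, ua) for label, dhcp, ua in SAMPLE_ENDPOINTS}


if __name__ == "__main__":
    for label, profile in classify_samples().items():
        print(f"{label:16} -> {profile.device_name:16} ({profile.source})")
```

Treat the result as a profiling hint for role assignment, not as authentication: both the DHCP option list and the User-Agent are produced by the client, which is exactly why the conflict case above keeps the DHCP answer and flags the endpoint instead of silently reclassifying it.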


Version history
Revision #: 3 of 3
Last update: 09-22-2018 09:58 AM
Comments
It's not clear if this is a passive action by the controller from intercepting HTTP traffic or if it requires users to browse to the controller.