IF-MAP support in Aruba controller for device profiling in ClearPass
The need for additional knobs in ClearPass and on the controller arises when DHCP fingerprints alone cannot fully classify a device.
A common example is the Apple family of smart devices; DHCP fingerprints cannot distinguish between an Apple iPad and an iPhone. In these scenarios, User-Agent strings sent by browsers in the HTTP protocol are useful to further refine classification results.
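The refinement described above, as an added example that is not part of the original article and is not ClearPass or ArubaOS code. The function name, the returned labels and the sample User-Agent strings are constructed for illustration; it assumes the DHCP fingerprint has only resolved the device to the "Apple" family.

```python
import re

# Constructed sample User-Agent strings (not captured from a real network).
SAMPLE_UAS = {
    "iphone": "Mozilla/5.0 (iPhone; CPU iPhone OS 16_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 Mobile/15E148 Safari/604.1",
    "ipad": "Mozilla/5.0 (iPad; CPU OS 16_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 Mobile/15E148 Safari/604.1",
    "ipad_desktop": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 Safari/605.1.15",
}

# The platform token is the first item inside the first parenthesised group.
_PLATFORM = re.compile(r"^Mozilla/\d\.\d \(([^;)]+)")
# iOS/iPadOS version, written with underscores: "OS 16_5 like Mac OS X".
_IOS_VERSION = re.compile(r"OS (\d+(?:_\d+)*) like Mac OS X")


def refine_apple_profile(dhcp_family, user_agent):
    """Refine a coarse DHCP result with the User-Agent platform token.

    Returns (device_name, os_version, source). The labels are illustrative,
    not values taken from ClearPass. The User-Agent is client-supplied, so
    the result is a classification hint, not proof of device identity.
    """
    if dhcp_family != "Apple":
        return (dhcp_family, None, "dhcp-only")

    ua = user_agent or ""
    m = _PLATFORM.match(ua)
    platform = m.group(1).strip() if m else None
    v = _IOS_VERSION.search(ua)
    version = v.group(1).replace("_", ".") if v else None

    if platform in ("iPhone", "iPad", "iPod", "iPod touch"):
        return ("Apple " + platform, version, "user-agent")
    if platform == "Macintosh":
        # Safari on iPadOS can send a Macintosh User-Agent when it requests
        # desktop sites, so this token alone does not identify the device.
        return ("Apple (Mac or iPad, desktop User-Agent)", None, "ambiguous")
    # Missing or unrecognised User-Agent: keep the DHCP-level result.
    return ("Apple", None, "dhcp-only")


if __name__ == "__main__":
    for label, ua in SAMPLE_UAS.items():
        print(label, "->", refine_apple_profile("Apple", ua))
```

Because the third sample resolves to "ambiguous", an authorization role that depends on telling an iPad from a Mac should not rely on the User-Agent alone.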
User-Agent strings are collected from:
• ClearPass Guest
• ClearPass Onboard
• Aruba controller through IF-MAP interface
Guest and Onboard automatically collect User-Agent strings. The IF-MAP interface needs to be enabled on the ClearPass server and configured on the Aruba Controller.
ClearPass uses a series of collectors to profile devices. These collectors receive information about each device and profile it for Device Category, Device OS family, Device Name, and Host Name. These device attributes can then be used to assign the correct authorization roles to the device.
Passive Collectors monitor and analyze information either sent directly to ClearPass or received on a ClearPass span port.
In this case, we are going to use the IF-MAP configuration knob on the Aruba controller. Configure the ArubaOS controller to send the profile information that it has learned to the data ports of the guest ClearPass cluster.
Aruba Controller Configuration
Configure the IF-MAP interface on the Aruba controller:
(host) (config) #ifmap
(host) (config) #ifmap cppm
(host) (CPPM IF-MAP Profile) #server host <host> port <port> username <username> passwd <password>
(host) (CPPM IF-MAP Profile) #enable
NOTE: The root CA of the ClearPass HTTPS certificate must be uploaded to the controller as a TrustedCA.