Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass DHCP fingerprinting values

  • 1.  Clearpass DHCP fingerprinting values

    Posted Aug 04, 2015 02:28 PM

    Hey guys, 

    I'm a bit confused atm. I'm trying to assign a role from a DHCP fingerprint in ClearPass, but I can't find any documentation/examples on how to correctly type the information into the value field.

    I browsed to my iPhone within the device tab and found the Fingerprints, then I created a rule using the "CONTAINS" operator and it's working fine. But I would like to use "EQUALS".
    test.png

     

    I tried a lot of different ways of typing in the Fingerprint. I also tried to copy the Input entry from the Access Tracker and paste it there; still not working.

    Does anyone here know the exact syntax?

    Thank you!



  • 2.  RE: Clearpass DHCP fingerprinting values

    EMPLOYEE
    Posted Aug 04, 2015 02:30 PM

    You wouldn't use Fingerprints, you would use the Device Category, Device Name and/or Device OS Family options under Authorization:Endpoints Repository.



  • 3.  RE: Clearpass DHCP fingerprinting values

    Posted Aug 04, 2015 02:34 PM

    @cappalli wrote:

    You wouldn't use Fingerprints, you would use the Device Category, Device Name and/or Device Type options under Authorization:Endpoints Repository.


    Sorry, I forgot to mention that I'm using my iPhone for test purposes, but eventually we will need to use the fingerprints for specific devices which are considered "Unknown" in the profiler.



  • 4.  RE: Clearpass DHCP fingerprinting values

    EMPLOYEE
    Posted Aug 04, 2015 02:37 PM

    Try using the full [" "] syntax.

     

    Do you have the endpoints repository as an authorization source?



  • 5.  RE: Clearpass DHCP fingerprinting values

    Posted Aug 04, 2015 02:45 PM

    @cappalli wrote:

    Try using the full [" "] syntax.

     

    Do you have the endpoints repository as an authorization source?


    I already tried using this syntax. Yes, the repository is added; authentication is working fine when using "CONTAINS".

    I also tried to copy/paste this whole string : apple.png

     



  • 6.  RE: Clearpass DHCP fingerprinting values

    EMPLOYEE
    Posted Aug 04, 2015 04:55 PM

    So instead of this method which seems to be a bit of a hassle to manage, why not statically categorize those unknown endpoints into a known category OR add a custom attribute which you can call out in a service policy?

     

    If there are unknowns, you can always forward them along to your Aruba SE or open up a case with TAC so that we can update them on the next fingerprint updates which happen twice a month.



  • 7.  RE: Clearpass DHCP fingerprinting values

    Posted Aug 05, 2015 09:35 AM

    @SethFiermonti wrote:

    So instead of this method which seems to be a bit of a hassle to manage, why not statically categorize those unknown endpoints into a known category OR add a custom attribute which you can call out in a service policy?

     

    If there are unknowns, you can always forward them along to your Aruba SE or open up a case with TAC so that we can update them on the next fingerprint updates which happen twice a month.


    Well, that's a lot of overhead, since every time a new device of this type connects to the network I will need to categorize it or set an attribute.

    Thank you for your help, I'll reach TAC with this issue. I just thought someone here could have known the exact syntax.



  • 8.  RE: Clearpass DHCP fingerprinting values
    Best Answer

    EMPLOYEE
    Posted Aug 05, 2015 09:39 AM
    If there are enough known context variables, you can automate the tagging of the custom attribute I explained earlier. For example, if the OUI from the MAC address is consistent and the host name contains a consistent string, you could then use that logic to tag the endpoint.

    If the DHCP options are unique to this endpoint, we should be able to update our fingerprint database in the profiler.
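
The tagging logic described in the reply above (a consistent MAC OUI, a consistent host name string, and the endpoint's DHCP options), written out as an added example; it is not part of the thread and not ClearPass code. The rule values, the field names and the `tag_for` helper are hypothetical, and the DHCP fingerprint is assumed to be the option 55 parameter request list. Locally administered (randomized) MACs are skipped because their first three bytes are not a vendor OUI.

```python
import re

# Constructed rule: the OUI, hostname string and DHCP option list are
# placeholders, not values from the thread or from any real device.
RULE = {"tag": "lab-sensor", "oui": "001122",
        "hostname_contains": "sensor", "dhcp55_contains": [1, 3, 6, 15]}

def normalize_mac(mac):
    """Return 12 lowercase hex digits, or None if the input is not a MAC."""
    digits = re.sub(r"[:.\-]", "", mac or "")
    return digits.lower() if re.fullmatch(r"[0-9a-fA-F]{12}", digits) else None

def is_locally_administered(mac12):
    """Bit 0x02 of the first octet marks a locally administered address."""
    return bool(int(mac12[:2], 16) & 0x02)

def contains_run(options, wanted):
    """True if `wanted` appears as a contiguous run inside `options`."""
    n = len(wanted)
    return any(options[i:i + n] == wanted for i in range(len(options) - n + 1))

def tag_for(endpoint, rule=RULE):
    """Return the rule's tag only when every context variable agrees."""
    mac = normalize_mac(endpoint.get("mac"))
    if mac is None or is_locally_administered(mac):
        return None  # no usable vendor prefix to match on
    if mac[:6] != rule["oui"].lower():
        return None
    if rule["hostname_contains"] not in (endpoint.get("hostname") or "").lower():
        return None
    if not contains_run(endpoint.get("dhcp55") or [], rule["dhcp55_contains"]):
        return None
    return rule["tag"]

# Constructed sample endpoints (hypothetical field names and values).
SAMPLES = [
    {"mac": "00:11:22:AA:BB:CC", "hostname": "Sensor-12", "dhcp55": [1, 3, 6, 15, 119]},
    {"mac": "0011.22aa.bbcc", "hostname": "printer-3", "dhcp55": [1, 3, 6, 15]},
    {"mac": "02-11-22-33-44-55", "hostname": "sensor-9", "dhcp55": [1, 3, 6, 15]},
]

if __name__ == "__main__":
    for ep in SAMPLES:
        print(ep["mac"], "->", tag_for(ep))
```

All three inputs are supplied by the client, so a tag produced this way is a profiling hint rather than proof of device identity.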


  • 9.  RE: Clearpass DHCP fingerprinting values

    Posted Aug 06, 2015 03:52 PM

    @SethFiermonti wrote:
    If there are enough known context variables, you can automate the tagging of the custom attribute I explained earlier. For example, if the OUI from the MAC address is consistent and the host name contains a consistent string, you could then use that logic to tag the endpoint.

    If the DHCP options are unique to this endpoint, we should be able to update our fingerprint database in the profiler.

    Thanks for the answer, I'm combining MAC OUI and Vendor + CONTAINS field of the Fingerprint right now and it's working. It will be more than enough.

    But I'm still curious about that syntax :)



  • 10.  RE: Clearpass DHCP fingerprinting values

    EMPLOYEE
    Posted Aug 06, 2015 04:31 PM

    Sure...it's a ClearPass Entity Update enforcement profile that you would use during the authentication of these devices...

     

    Screenshot 2015-08-06 16.27.54.png

    Then create the "tag" you want to apply to this device...

     

    Screenshot 2015-08-06 16.27.48.png

     

    You can create your own custom Endpoint attributes in Administration --> Dictionaries --> Attributes

     

    Screenshot 2015-08-06 16.30.15.png



  • 11.  RE: Clearpass DHCP fingerprinting values

    Posted Aug 10, 2015 04:33 PM

    Thanks a lot!