
Clearpass not getting endpoint information

  • 1.  Clearpass not getting endpoint information

    Posted May 29, 2012 03:18 PM

    I have ClearPass Onboard, Policy Manager (with Profile license) but I'm not seeing any information regarding Onboarded devices under Live Monitoring -> Endpoint Profiler.  It just says "ClearPass Profile has not received any endpoint information."

     

    There's very little useful documentation on CPPM and ClearPass Onboard (no documentation exists for Clearpass/Amigopod 3.9 actually).  How do I get endpoint information into CPPM?



  • 2.  RE: Clearpass not getting endpoint information

    EMPLOYEE
    Posted May 29, 2012 03:33 PM

    Mike,

     

    Do you have the following configured?

    profiler.png

     

     



  • 3.  RE: Clearpass not getting endpoint information

    Posted May 29, 2012 03:48 PM

    Hi Colin - Yes, all that is configured.  Is anything supposed to go here, under Endpoint Attributes?

     

    ScreenHunter_01 May. 29 15.35.gif



  • 4.  RE: Clearpass not getting endpoint information

    EMPLOYEE
    Posted May 29, 2012 03:51 PM

    You do not need anything under advanced.

     

    Are you trying to register onboard client info in cppm or guest?  In addition, are you using CPPM 5.1?

     



  • 5.  RE: Clearpass not getting endpoint information

    Posted May 29, 2012 03:55 PM

    Yes, I'm running CPPM 5.1.  What I'm trying to do is get device information into CPPM so I can make enforcement decisions based on device type (iOS or Android) and then also device serial number so I can tell if it's personal or corporate liable.



  • 6.  RE: Clearpass not getting endpoint information

    EMPLOYEE
    Posted May 29, 2012 03:57 PM

    Perfectly valid.  That info should only come across after a device has been successfully "onboarded".  Do you have any successfully onboarded devices in the Onboard> Certificate Management section?



  • 7.  RE: Clearpass not getting endpoint information

    Posted May 29, 2012 03:59 PM

    Yes, I have an iPad and two Android devices Onboarded.  I'm going to try again.  I changed the CPPM server from using a hostname to an IP address in the Clearpass setup.  Maybe that was causing some issue.



  • 8.  RE: Clearpass not getting endpoint information

    EMPLOYEE
    Posted May 29, 2012 04:01 PM

    @mike.j.gallagher wrote:

    Yes, I have an iPad and two Android devices Onboarded.  I'm going to try again.  I changed the CPPM server from using a hostname to an IP address in the Clearpass setup.  Maybe that was causing some issue.


    Entirely possible.  Use the Administrator> Network Setup> Network diagnostics tab to test your DNS resolution.

     



  • 9.  RE: Clearpass not getting endpoint information

    Posted May 29, 2012 04:29 PM

    I'll get back to you on this, Colin.  After changing the CPPM host name to an IP address, I tried to revoke a cert on Onboard and the two aren't talking any more.  Onboard obviously didn't like that being changed at all.  I'm rebooting both now to see if that will help.



  • 10.  RE: Clearpass not getting endpoint information

    EMPLOYEE
    Posted May 29, 2012 04:32 PM

    Mike,

     

    There is currently a bug with "Onboard" or Amigopod revoking certs for non-iOS devices.  Delete them manually from CPPM as well, for now.

     



  • 11.  RE: Clearpass not getting endpoint information

    Posted May 29, 2012 04:40 PM

    Ok, will do.  It worked fine previously, but I did just upgrade to Onboard 3.9.1 today.



  • 12.  RE: Clearpass not getting endpoint information

    Posted May 29, 2012 04:51 PM

    Looks like profiling is working now.  I was missing a checkbox in the CPPM setup.  Thanks for the help, Colin.

     

    ScreenHunter_02 May. 29 16.46.gif

     

     



  • 13.  RE: Clearpass not getting endpoint information

    Posted Jun 05, 2012 03:46 PM

    A bit more information on this.  ClearPass Policy Manager does not support profiling iOS 5.x devices, that's why I wasn't getting the device information.



  • 14.  RE: Clearpass not getting endpoint information

    Posted Jun 05, 2012 04:05 PM

    Just some quick background on this point regarding iOS 5.x - Apple removed the API call to query the device MAC address in their 5.x release that used to be available in the 4.x releases. Our engineering team is working on an alternative method to recover the MAC address and based on this we will be able to restore the ability to write to both endpoint and profile databases on CPPM.


  • 15.  RE: Clearpass not getting endpoint information

    Posted Jun 06, 2012 09:15 PM

    We worked with Mike and demonstrated how you can key off a value such as device type, serial number, etc., which are also stored in the system, to get the desired effect.  We will then update the endpoint table (MAC address) as known after the AAA sessions commence.  We do fully support iOS 5.x; due to the quirks in Apple's API we just use a different value than MAC address to key off for authorization.  Note that this same mechanism can be used for all types of devices, not just iOS 5.x.

     

    We are now working with Mike on using an external asset register (or a direct import to CPPM of known devices) to differentiate between corporate owned devices and BYOD.  We will keep the community posted and share back any details, likely to use serial number as the trigger point.

     

    Happy Onboarding!

     

    Carlos
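
A conceptual sketch of the approach described in post 15, added here as an example and not part of the original thread or of ClearPass itself: the endpoint record is keyed on device serial number at onboarding, the MAC address is filled in when the first AAA session is seen, and ownership comes from an asset register. The class and function names, the sample serials, and the assumption that the session presents the device serial are all hypothetical.

```python
# Conceptual model only; not ClearPass code or its API. All names are hypothetical.
from dataclasses import dataclass
from typing import Optional

# Constructed sample asset register: serials of corporate-owned devices.
ASSET_REGISTER = {"C39XK0ABCDEF", "R58M123ABCD"}

@dataclass
class Endpoint:
    serial: str
    device_type: str            # e.g. "iOS" or "Android", recorded at onboarding
    mac: Optional[str] = None   # may be unknown at onboarding (the iOS 5.x case)

class EndpointStore:
    def __init__(self):
        self.by_serial = {}     # primary key: device serial number
        self.by_mac = {}        # secondary index, filled in once a MAC is seen

    def onboard(self, serial, device_type, mac=None):
        ep = Endpoint(serial.strip().upper(), device_type)
        self.by_serial[ep.serial] = ep
        if mac:
            self._bind(ep, mac)
        return ep

    def _bind(self, ep, mac):
        mac = mac.lower().replace("-", ":")
        owner = self.by_mac.get(mac)
        if owner is not None and owner.serial != ep.serial:
            # One MAC claimed by two serials: refuse rather than overwrite.
            raise ValueError(f"MAC {mac} already bound to serial {owner.serial}")
        ep.mac = mac
        self.by_mac[mac] = ep

    def authorize(self, device_serial, session_mac):
        """Pick a role from serial and device type, then record the MAC
        observed in the AAA session (assumed to carry the device serial)."""
        ep = self.by_serial.get(device_serial.strip().upper())
        if ep is None:
            return "deny"                   # device was never onboarded
        self._bind(ep, session_mac)         # MAC becomes known here
        owner = "corporate" if ep.serial in ASSET_REGISTER else "byod"
        return f"{owner}-{ep.device_type.lower()}"
```

A serial that is not in the asset register is treated as BYOD, and a MAC already bound to a different serial raises an error instead of silently rebinding.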