Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CoA After Device is Profiled

  • 1.  CoA After Device is Profiled

    Posted Jun 11, 2013 06:38 PM

    Instead of doing MAB and maintaining static host lists or messing with manual endpoint creation, I want to let ClearPass profile non-802.1x devices such as phones, IP cameras, printers, etc. to get them on the network.  For the devices to be profiled, the port has to fall back to web auth (this is needed for guests & vendors, anyway).  At this point, the device will have an IP (via DHCP in most cases) and can be profiled.  Once profiled, I want to send a CoA to bounce the port.  Upon coming back up, it should match an enforcement policy (ex: endpoint repository: category = access point) and the device will be online.


    I don't know how to accomplish sending the CoA since the device will be profiled after the service rule has finished processing.  Is there a way to perform profiling after?


    If I'm going about this the wrong way, please let me know how else I can accomplish this.



  • 2.  RE: CoA After Device is Profiled

    EMPLOYEE
    Posted Jun 13, 2013 03:09 AM

    In your service definition, in the Service tab, behind More Options, check the 'Profile Endpoints' box.

    Then an additional tab appears in your service definition: Profiler.


    In that tab, you can select upon what profiled endpoint classifications a RADIUS CoA must be triggered.


    That CoA will be triggered even after the service has been finished, and the device has been authenticated.


    Does this solve your question?


  • 3.  RE: CoA After Device is Profiled

    Posted Jun 13, 2013 12:31 PM

    I will have to test, but my initial thinking is no.  For instance, if a device is profiled and I send a CoA that bounces the port so that it matches an enforcement profile upon coming back up, won't the port just get bounced again when the endpoint profiler piece runs?



  • 4.  RE: CoA After Device is Profiled

    Posted Jun 13, 2013 12:40 PM

    On second thought, maybe that won't be a problem.


    If my webauth service has endpoint profiler enabled, this is where the device will be profiled and port bounced.  If a MAB service that matches profiled devices is above the webauth service, then the device should match the MAB service and endpoint profiler won't run since it won't be enabled on the MAB service.  This should work, I'm just not sure if this is the best way of tackling the problem.


    One question about the endpoint profiler.  What kind of profiling will it do to the device?  I want to be sure that devices with static IPs are recognized soon after connecting since the subnet scan only runs every 24 hours.  If endpoint profiler does an SNMP query to the device automatically, then it's a moot point.
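    The service-ordering reasoning in this post, as an added model (constructed here, not ClearPass code): services are evaluated top-down and the first match wins; a service with 'Profile Endpoints' enabled bounces the port via CoA when the discovered category is in its trigger list. It shows that with the MAB service above the web auth service the port is bounced exactly once, and that the reverse ordering would bounce it on every reconnect. The device categories and service names are assumed sample values.

```python
"""Constructed model of ClearPass service ordering with profile-triggered CoA.

Added illustration, not ClearPass code. Assumptions: services are matched
top-down, first match wins; only a service with profiling enabled runs the
profiler; a CoA is sent when the discovered category is in that service's
trigger list; the bounced device reconnects and is evaluated again.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set, Tuple


@dataclass
class Endpoint:
    mac: str
    category: Optional[str] = None      # filled in by profiling; None = unknown


@dataclass
class Service:
    name: str
    match: Callable[[Endpoint], bool]   # the service's rule over the endpoint
    profile_endpoints: bool = False     # 'Profile Endpoints' under More Options
    coa_on: Set[str] = field(default_factory=set)  # categories that trigger CoA


def first_matching(services: List[Service], ep: Endpoint) -> Optional[Service]:
    """ClearPass selects the first service whose rules match the request."""
    return next((s for s in services if s.match(ep)), None)


def connect(services: List[Service], ep: Endpoint, discovered: str,
            max_rounds: int = 5) -> Tuple[List[str], int]:
    """Simulate a device connecting until no further CoA is triggered.
    Returns (service names hit in order, number of port bounces)."""
    path, bounces = [], 0
    for _ in range(max_rounds):
        svc = first_matching(services, ep)
        path.append(svc.name if svc else "reject")
        if not (svc and svc.profile_endpoints):
            break                       # no profiler on this service: stable
        ep.category = discovered        # device now has an IP and gets profiled
        if ep.category not in svc.coa_on:
            break                       # profiled, but nothing to re-evaluate
        bounces += 1                    # CoA bounces the port; device reconnects
    return path, bounces


# Sample (constructed) services: MAB for already-profiled categories, and a
# catch-all web auth fallback that profiles and bounces known device types.
KNOWN = {"IP Phone", "Printer", "Access Point", "IP Camera"}
MAB = Service("Wired MAB (profiled)", lambda ep: ep.category in KNOWN)
WEBAUTH = Service("Web Auth fallback", lambda ep: True,
                  profile_endpoints=True, coa_on=KNOWN)

if __name__ == "__main__":
    print(connect([MAB, WEBAUTH], Endpoint("00:11:22:33:44:55"), "IP Phone"))
    print(connect([WEBAUTH, MAB], Endpoint("00:11:22:33:44:55"), "IP Phone"))
```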



  • 5.  RE: CoA After Device is Profiled

    EMPLOYEE
    Posted Jun 13, 2013 02:11 PM

    Compnerd,


    Looking at your post, there are quite a few considerations to your possible deployment and they can be listed as such:


    - What is my infrastructure hardware and software support to provide the solution that I require?

    - Will my hardware support all the features necessary to provide this service?

    - If my hardware supports it, does it have the software to support it?

    - If I want to do mac authentication for static endpoints, do I want to even do something like an NMAP scan which will take some time to execute to determine the OS and other attributes?

    - How do I want to enumerate and keep track of those statically IP-addressed devices and what OS, platform do I compare them to?

    - How will I troubleshoot those devices?  Wired MAB, unless you are doing it already, has to be a big challenge by itself, but even more of a challenge to your helpdesk who would get the first call if there is a problem.

    - What types of devices do you want to do this with, and what is their behavior?

    - Do you have phones that have hosts behind them and do you have to provide differentiated access for those hosts?


    The long story short is that you probably need to figure out what you have in the first place so that you can get a real picture of your challenge ahead.  After that, once you get a list of devices and how they end up on the network, what can you use to identify them?  In parallel, you will need to identify your switching infrastructure and what features they support to determine if what you want is even possible with the combination of those devices, your infrastructure hardware and software.  You also need to understand how to troubleshoot devices that do not function correctly and have a procedure for how helpdesk all the way up to the highest levels of support will use tools to make determinations about those.  In parallel, you will need to run a pilot in a closed space to gather all of the information in this paragraph in real time to understand what you can and cannot do.


    Users on this forum can give you answers here and there about bits and parts of this, but it is probably up to you to establish a project to determine if a direction you take is even supportable with your hardware/software and your ability to support such a solution.  Get the big pieces in place, which is connectivity, and then get testing and devices in a lab to see what you are capable of in your own environment...


    EDIT:


    With that being said, it can be maddening to understand what will and will not work in your environment.  It seems like you have a good head start on figuring that out.