Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

DHCP relay vs Device fingerprinting (ArubaOS-Switch) in ClearPass profiling

  • 1.  DHCP relay vs Device fingerprinting (ArubaOS-Switch) in ClearPass profiling

    Posted Nov 17, 2019 11:55 PM

    Hello,

     

    Is there any difference in the information that ClearPass obtains between the DHCP relay method and the Device fingerprinting feature on ArubaOS-Switch?

     

    Thank you.



  • 2.  RE: DHCP relay vs Device fingerprinting (ArubaOS-Switch) in ClearPass profiling

    EMPLOYEE
    Posted Nov 18, 2019 01:05 AM

    I believe this feature was added in AOS-S 16.06 version. Once you have configured the switch

    • to use ClearPass as RADIUS server,
    • "radius-server cppm identity"
    • device-fingerprinting policy

    then the switch, after the fingerprint analysis, will send the info to ClearPass. This will not replace the DHCP relay (IP helper) functionality but is in addition to it.



  • 3.  RE: DHCP relay vs Device fingerprinting (ArubaOS-Switch) in ClearPass profiling

    Posted Nov 18, 2019 04:02 AM

    When you configure CPPM as a secondary DHCP IP helper-address, CPPM can do device fingerprinting using the DHCP request details.



  • 4.  RE: DHCP relay vs Device fingerprinting (ArubaOS-Switch) in ClearPass profiling

    EMPLOYEE
    Posted Nov 18, 2019 10:17 AM

    DFP on AOS-Switch is designed for static devices. You should continue to use DHCP fingerprinting with DFP.



  • 5.  RE: DHCP relay vs Device fingerprinting (ArubaOS-Switch) in ClearPass profiling

    Posted Dec 02, 2019 10:57 AM

    Would it be a problem to add this to each switch port? Because in some cases you cannot be sure on what port static clients are patched...