Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Endpoint Profiler DHCP Fingerprint No Update at Re-Connect Wired MAC-auth

  • 1.  Endpoint Profiler DHCP Fingerprint No Update at Re-Connect Wired MAC-auth

    MVP EXPERT
    Posted May 13, 2018 03:30 PM

    I'm facing a strange issue in ClearPass 6.7.3.

    When a wired endpoint connects for the first time, the DHCP fingerprint works correctly, profiling profiles it as a computer, and a correct CoA session termination is done.

    But when I remove the endpoint and reconnect it within 5 minutes, the DHCP fingerprint is not received and profiling doesn't happen.

    I have been struggling with this issue for two weeks now. Google, the Aruba documentation and other topics here don't give me the answer.

    I hope that some CP experts here can help me solve this issue.

    See attachment with screenshots and detailed information.

    Attachment(s)

    pdf
    DCHP Fingerprint ISSUE.pdf   905 KB 1 version


  • 2.  RE: Endpoint Profiler DHCP Fingerprint No Update at Re-Connect Wired MAC-auth
    Best Answer

    EMPLOYEE
    Posted May 13, 2018 04:30 PM
    Devices are not reprofiled within a 5 minute window.


  • 3.  RE: Endpoint Profiler DHCP Fingerprint No Update at Re-Connect Wired MAC-auth
    Best Answer

    MVP EXPERT
    Posted May 13, 2018 04:47 PM

    Hi Cappalli,

    Thanks for the quick and clear answer, I appreciate your involvement on Airheads!

    So... from a hacker's mind: it is known that printers mostly do not accept 802.1X. So I turn a printer off and on, and it's profiled again as a printer (conflict will be true). I reconnect within 5 min with my MAC-spoofed notebook, and I am in your printer VLAN (without a conflict). Hopefully the printer VLAN is protected by the firewall ;)

    Is there some good reason why DHCP profiling only takes place again after 5 minutes? It could maybe be a nice feature. I don't think it would take a lot more of CP's resources, because it isn't normal behavior for a normal client.

    Thanks for helping me out here!



  • 4.  RE: Endpoint Profiler DHCP Fingerprint No Update at Re-Connect Wired MAC-auth

    MVP EXPERT
    Posted May 13, 2018 04:52 PM


  • 5.  RE: Endpoint Profiler DHCP Fingerprint No Update at Re-Connect Wired MAC-auth

    EMPLOYEE
    Posted May 13, 2018 04:58 PM
    Why would a headless network be more privileged than an end user?


  • 6.  RE: Endpoint Profiler DHCP Fingerprint No Update at Re-Connect Wired MAC-auth

    Posted Apr 17, 2019 03:12 AM

    So to confirm, this is not a configurable interval. I have been experiencing this same issue when converting our devices to MAC Auth Network Access Control. I will see them fail because they don't get profiled, or they fail to import the profile to the endpoint database. Then I see a number of minutes later that we re-enable NAC and it works like a charm and gets profiled.

    Just seems like an odd limitation.