Endpoint Profiler DHCP Fingerprint No Update at Re-Connect Wired MAC-auth

I am facing a strange issue in ClearPass 6.7.3.

When a wired endpoint connects the first time, the DHCP fingerprint works correctly, profiling profiles it as Computer, and it does a correct CoA session termination.

But when I remove the endpoint and reconnect it within 5 minutes, the DHCP fingerprint is not received and profiling doesn't happen.

I have been stumbling over this issue for two weeks now. Google, Aruba documentation and other topics here don't give me the answer.

I hope that some CP experts here can help me solve this issue.

See attachment with screenshots and detailed information.

Kind Regards Marcel Koedijk
HPE ASE Flexnetwork | ACMP | ACCP | Ekahau ECSE Design - Was this post useful, Kudos are welcome.

Accepted Solutions
Moderator

Re: Endpoint Profiler DHCP Fingerprint No Update at Re-Connect Wired MAC-auth

Devices are not reprofiled within a 5 minute window.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.

Re: Endpoint Profiler DHCP Fingerprint No Update at Re-Connect Wired MAC-auth

Hi Cappalli,

Thanks for the quick and clear answer, appreciate your involvement on Airheads!

So... from a hacker's mindset, it is known that printers mostly do not accept 802.1X. So I turn a printer off and on, and it is profiled again as a printer (conflict will be true). I reconnect within 5 minutes with my MAC-spoofed notebook, and I am in your printer VLAN (without a conflict). Hopefully the printer VLAN is protected by the firewall ;)

Is there some good reason why DHCP profiling only takes place again after 5 minutes? It could maybe be a nice feature. I don't think it would take a lot more of CP's resources, because it isn't normal behavior for a normal client.

Thanks for helping me out here!

Kind Regards Marcel Koedijk
HPE ASE Flexnetwork | ACMP | ACCP | Ekahau ECSE Design - Was this post useful, Kudos are welcome.
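
The 5-minute no-reprofile window discussed in this thread can be monitored from the defender's side. The following is an added example, not part of the original posts and not ClearPass code: it flags MAC-auth sessions that were admitted on an earlier profile without a fresh DHCP fingerprint. The event tuple layout, the sample data and the choice to measure the window from the last fingerprint are assumptions.

```python
from datetime import datetime, timedelta

# Window stated in the thread: devices are not reprofiled within 5 minutes.
REPROFILE_WINDOW = timedelta(minutes=5)

# Constructed sample events (hypothetical layout, not a ClearPass log format):
# (timestamp, MAC, switch port, DHCP fingerprint processed at this auth or None)
EVENTS = [
    ("2018-06-01 09:00:00", "00:11:22:33:44:55", "sw1/1/10", "printer-fp"),
    ("2018-06-01 09:02:30", "00:11:22:33:44:55", "sw1/1/10", None),
    ("2018-06-01 09:03:40", "00:11:22:33:44:55", "sw1/1/22", None),
    ("2018-06-01 09:20:00", "00:11:22:33:44:55", "sw1/1/10", "printer-fp"),
    ("2018-06-01 09:21:00", "aa:bb:cc:dd:ee:01", "sw1/1/12", "computer-fp"),
]


def find_unverified_reconnects(events, window=REPROFILE_WINDOW):
    """Return auths that relied on an earlier profile inside the window.

    Severity is "high" when the session appears on a different switch port
    than the one where the device was last fingerprinted, else "low".
    """
    last_profiled = {}  # MAC -> (time of last fingerprint, port it was seen on)
    findings = []
    for ts, mac, port, fingerprint in sorted(events, key=lambda e: e[0]):
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if fingerprint is not None:
            # Fresh fingerprint: the profiler could verify the device type.
            last_profiled[mac] = (when, port)
            continue
        if mac not in last_profiled:
            continue  # never profiled; outside the scope of this check
        profiled_at, profiled_port = last_profiled[mac]
        if when - profiled_at < window:
            severity = "high" if port != profiled_port else "low"
            findings.append((mac, ts, port, severity))
    return findings


if __name__ == "__main__":
    for finding in find_unverified_reconnects(EVENTS):
        print(finding)
```

A "high" finding is a candidate for a forced re-authentication or a closer look at the port; a "low" finding is what a normal quick reboot on the same port looks like.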



All Replies

Re: Endpoint Profiler DHCP Fingerprint No Update at Re-Connect Wired MAC-auth

Ok finally, with your hint, I found the explanation :)

https://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/What-is-the-limitation-in-ClearPass-for-DHCP-based-profiling/ta-p/216413

Good to know :)

Kind Regards Marcel Koedijk
HPE ASE Flexnetwork | ACMP | ACCP | Ekahau ECSE Design - Was this post useful, Kudos are welcome.

Moderator

Re: Endpoint Profiler DHCP Fingerprint No Update at Re-Connect Wired MAC-auth

Why would a headless network be more privileged than an end user?

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Contributor II

Re: Endpoint Profiler DHCP Fingerprint No Update at Re-Connect Wired MAC-auth

So to confirm, this is not a configurable interval. I have been experiencing this same issue when converting our devices to MAC Auth Network Access Control. I will see them fail because they don't get profiled, or they fail to import the profile to the endpoint database. Then I see a number of minutes later that we re-enable NAC and it works like a charm and gets profiled.

Just seems like an odd limitation.
