Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Failed to get value for attributes during profiling

  • 1.  Failed to get value for attributes during profiling

    Posted Oct 03, 2014 11:43 AM

    Hi all,

    I got an error that the attributes for some device were not extracted successfully during profiling. The plan was to throw them to a different role if it was a smartdevice. The error is something like "Failed to get value for attributes" for device OS when we check Access Tracker.

    Has anyone encountered a similar problem before?

    Thanks.

    Regards,

    Victor



  • 2.  RE: Failed to get value for attributes during profiling

    EMPLOYEE
    Posted Oct 03, 2014 11:43 AM

    Is this a new device or one that exists already in the endpoints DB?



  • 3.  RE: Failed to get value for attributes during profiling

    EMPLOYEE
    Posted Oct 03, 2014 11:44 AM

    That will happen when the device first authenticates and hasn't been profiled yet.

     

    You'll need to:

    - enable the profiling option in your service and select smartdevice from the drop down menu.
    - ensure that the endpoint database is an authorization source
    - create a rule in your enforcement profile that checks to see if the profile attributes are present, and if they're not, put the user into a limited role that allows at least DHCP so profiling can occur.



  • 4.  RE: Failed to get value for attributes during profiling

    Posted Oct 03, 2014 02:11 PM

    As Seth pointed out, this happens when it is a new device and ClearPass has not learned or profiled it before.

    So if you are making policy decisions based on the profile information from the endpoint database, the first time the device connects it won't hit any of the rules of your enforcement policy.

    What you need to do is the following:

    You need to add a catch-all rule so that if the device hasn't been profiled, it will be allowed to get DHCP for a brief time, and then the device will get a CoA, and the next time it comes through it will hit whatever rule you specified.


    In order for this to work, you need to configure ClearPass as DHCP relay and, as cappalli said, you need to add the endpoint DB as your authorization source.
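
The two-pass flow described in the replies above, as an added example that is not part of the original thread and is not ClearPass code: a simplified Python model of first-match rule evaluation with and without the catch-all rule. The role names, the `Category` key and the DHCP fingerprints are assumptions made for illustration.

```python
# Simplified model of the flow discussed in this thread; not ClearPass code.
# Role names, the "Category" key and the fingerprints are assumed for illustration.
LIMITED_ROLE = "profile-only"  # hypothetical role that permits DHCP only
BYOD_ROLE = "byod"
EMPLOYEE_ROLE = "employee"

def evaluate(endpoint, rules):
    """First-match evaluation: role of the first rule whose condition holds."""
    for condition, role in rules:
        if condition(endpoint):
            return role
    return None  # nothing matched, so no role decision is made

# Rules that only test the profiled category. A new endpoint has no
# "Category" yet, so neither rule can match on its first authentication.
rules_without_catch_all = [
    (lambda ep: ep.get("Category") == "SmartDevice", BYOD_ROLE),
    (lambda ep: ep.get("Category") == "Computer", EMPLOYEE_ROLE),
]

# Same rules plus the catch-all: attribute absent -> limited role.
rules_with_catch_all = rules_without_catch_all + [
    (lambda ep: "Category" not in ep, LIMITED_ROLE),
]

def profile_from_dhcp(endpoint, fingerprint):
    """Stand-in for the profiler; returns True when a category was learned."""
    known = {"android-dhcp": "SmartDevice", "windows-dhcp": "Computer"}  # constructed
    category = known.get(fingerprint)
    if category is not None:
        endpoint["Category"] = category
    return category is not None

def connect(endpoint, rules, fingerprint, dhcp_relayed=True):
    """Roles a device receives: first authentication, then re-auth after CoA."""
    roles = [evaluate(endpoint, rules)]
    # Profiling only happens if the limited role lets DHCP through and the
    # VLAN's DHCP requests are actually relayed to the profiler.
    if roles[0] == LIMITED_ROLE and dhcp_relayed:
        if profile_from_dhcp(endpoint, fingerprint):
            roles.append(evaluate(endpoint, rules))  # second pass after CoA
    return roles

if __name__ == "__main__":
    print(connect({}, rules_with_catch_all, "android-dhcp"))
    print(connect({}, rules_without_catch_all, "android-dhcp"))
    print(connect({}, rules_with_catch_all, "android-dhcp", dhcp_relayed=False))
```

The third call models a VLAN whose DHCP requests never reach the profiler: the device stays in the limited role and is never reclassified.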



  • 5.  RE: Failed to get value for attributes during profiling

    Posted Oct 03, 2014 10:14 PM
    Hi guys,

    Thanks for the reply.

    I had created a condition that the new device will
    1) get a DHCP-assigned IP with DHCP relay pointing to ClearPass for profiling
    2) endpoint classification with CoA to terminate the session if it is a smart device
    3) assign the smartdevice to a BYOD role if it is a smart device after profiling

    Let me check my settings again.

    Thanks :)


  • 6.  RE: Failed to get value for attributes during profiling

    EMPLOYEE
    Posted Oct 03, 2014 10:18 PM
    Do you have helper addresses on your layer 3 interfaces pointing to ClearPass?


  • 7.  RE: Failed to get value for attributes during profiling

    Posted Oct 04, 2014 09:42 PM
    Hi Tim,

    Yup. It seems only some devices are affected. Maybe I have missed out some for certain VLANs. I am using VLAN pooling so that might be the problem. I will verify again once I get access to the system.

    Thanks for the pointer :)

    Regards,
    Victor