Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

How long to fully profile an endpoint

  • 1.  How long to fully profile an endpoint

    Posted Feb 08, 2017 11:55 AM

    Been looking at using endpoint profile data to auto allow certain devices to get limited connectivity... i.e. game consoles/printers etc. without user intervention/registration

     

    DHCP fingerprinting is enough for some devices, i.e. a 3DS

    but playing with an Amazon Echo.... initially it is picked up as a generic Android device.

     

    I know they'll eventually get profiled as home av/amazon/echo - assuming ClearPass gets info from HTTP headers etc.... so then is there a general provisioning role I can put devices in for ....1...5... or 10 minutes where they should have been fully profiled. Does the provisioning role need to have any access - or just an HTTP(S) redirect so ClearPass can see any HTTP(S) traffic it attempts and use that for fingerprinting a more specific profile?

     

    Anyone doing anything like this with devices that need more than a DHCP fingerprint to be fully identified? What device and what have you found is required for full identification?

     

    or is this a fool's quest and I need to get back to working on MacTrac 



  • 2.  RE: How long to fully profile an endpoint

    EMPLOYEE
    Posted Feb 08, 2017 11:59 AM
    Unfortunately it depends on the behavior of the device especially with so
    many of these headless devices running Android on the back end. The
    ClearPass Device Registration portal is highly recommended in university
    environments as it adds user context and role based access controls.


  • 3.  RE: How long to fully profile an endpoint

    Posted Feb 08, 2017 04:26 PM

    Definitely looking at making a device registration portal - but wanted to see about making some things just "work" vs having a bunch of 40MHz "mysuperwificauseeduroamsuxors" SSIDs on channel 4 show up in the dorms.... anything that I can do to make the official wifi work vs pushing users toward rogue APs I think would be worth the effort.

     

    that and I know how much the helpdesk loves to walk users through collecting MAC addresses... so even if I don't permit access - being able to identify the correct MAC to register from the backend would be useful as well.



  • 4.  RE: How long to fully profile an endpoint

    EMPLOYEE
    Posted Feb 08, 2017 12:52 PM

    If the Aruba Controller sees the http on the device first, you can forward that OS information via IFMAP to ClearPass:  http://www.arubanetworks.com/techdocs/ArubaOS_6.4.4.x_WebHelp/Web_Help_Index.htm#ArubaFrameStyles/Management_Utilities/CPPM-ifmap.htm?Highlight=ifmap

     

    For example: using DHCP fingerprinting an iPad and an iPhone look the same, but using HTTP User Agent Strings and mDNS broadcast information on the controller you can detect the difference and forward that information to ClearPass using ifmap.

     

    Typically there is only a helper address pointing to ClearPass, so it will only get DHCP fingerprint information that might only indicate "Android", unless the device opens a page on the ClearPass device. Forwarding HTTP user agent string information from the controller could help.



  • 5.  RE: How long to fully profile an endpoint

    Posted Feb 08, 2017 04:31 PM

    Cool - had not come across ifmap before - I will look into that.... but also need to play with the Echo more.... as I recall - ClearPass saw it as an Android device.... then I used my iPhone to set it up on our guest SSID - so the Echo proxied the webauth from the iPhone - the controller then saw the device as an iPhone..... :)

     

    so I guess with ifmap CPPM would then think it's an iPhone....


    perhaps the next "native" request from the then authenticated echo would have the correct user-agent??
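
The refinement discussed in posts 4 and 5, as an added Python example that is not part of the thread and is not ClearPass or controller code: a DHCP fingerprint gives a coarse profile, a User-Agent may refine it, and a User-Agent from a different OS family (the proxied webauth case) is recorded as a conflict instead of overwriting the profile. The fingerprints, User-Agent patterns, device names and the conflict policy are all constructed assumptions.

```python
import re

# Constructed sample data: illustrative values only, not taken from ClearPass
# or from any real fingerprint database.
DHCP_FINGERPRINTS = {  # DHCP option 55 list -> (os_family, device_name)
    "1,3,6,15,26,28,51,58,59,43": ("Android", "Generic Android"),
    "1,121,3,6,15,119,252": ("Apple iOS", "Apple iOS Device"),
}
UA_RULES = [  # (pattern, os_family, device_name), most specific first
    (re.compile(r"\biPad\b"), "Apple iOS", "Apple iPad"),
    (re.compile(r"\biPhone\b"), "Apple iOS", "Apple iPhone"),
    (re.compile(r"ExampleSpeaker"), "Android", "Example Smart Speaker"),
]


def profile_endpoint(dhcp_options, user_agents):
    """Return (os_family, device_name, conflicts) for one MAC address.

    dhcp_options: the option 55 parameter request list seen via the helper.
    user_agents:  User-Agent strings attributed to the MAC, in arrival order.
    """
    family, name = DHCP_FINGERPRINTS.get(dhcp_options, ("Unknown", "Unknown"))
    conflicts = []
    for ua in user_agents:
        match = next(((f, n) for rx, f, n in UA_RULES if rx.search(ua)), None)
        if match is None:
            continue  # unrecognised User-Agent adds no information
        ua_family, ua_name = match
        if family not in ("Unknown", ua_family):
            # The User-Agent contradicts the DHCP-derived OS family, e.g. a
            # phone's browser completing web auth for a headless device.
            # Keep the existing profile and record the conflict for review.
            conflicts.append(ua_name)
            continue
        family, name = ua_family, ua_name
    return family, name, conflicts


if __name__ == "__main__":
    # Constructed User-Agent strings for the proxied-webauth scenario.
    seen = [
        "Mozilla/5.0 (iPhone; CPU iPhone OS 10_2 like Mac OS X)",
        "ExampleSpeaker/1.0 (Linux; Android 5.1)",
    ]
    print(profile_endpoint("1,3,6,15,26,28,51,58,59,43", seen))
```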

     

     



  • 6.  RE: How long to fully profile an endpoint

    EMPLOYEE
    Posted Feb 08, 2017 05:04 PM

    Try it and let us know.  The OS should show up in the user table.  If the device does not communicate over port 80 using http requests, the controller cannot identify it further, however.

     

     



  • 7.  RE: How long to fully profile an endpoint

    Posted Feb 23, 2017 11:53 AM

    So I added this as a registered device... and it has been active - used it a few times - but still my endpoint DB just shows it as a generic android device... 

     

    I'll try to see what traffic is coming from the device... I've seen others in my endpoint DB get more specifically profiled - and these likely from devices that have not been able to get full access.

     

    I'll add more updates as I learn more