Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Implementation question - blocking end-point vendors

  • 1.  Implementation question - blocking end-point vendors

    Posted Nov 15, 2012 10:16 AM

    Hello,

     

    We are interested in blocking ALL smartphones from our wifi solution.

    What I have done is the following:

    I have added the following under services-->enfo.

     

    This is working now and blocked Samsung S3 and apple devices.

    Is this a good way to implement it, or should I use the profiler or a different option? I have a full ClearPass license.

    Any suggestions will be gladly appreciated.

     

    3. (Connection:Client-Mac-Vendor EQUALS Murata Manufacturing Co., Ltd.) [Deny Access Profile]
    4. (Connection:Client-Mac-Vendor EQUALS Apple, Inc.) [Deny Access Profile]



  • 2.  RE: Implementation question - blocking end-point vendors

    Posted Nov 19, 2012 08:01 AM

    See the question I asked in your other thread.

     

    Personally I would go with ClearPass Profile if you can. It gives more granularity, i.e. it can differentiate between iPads and iPhones, I believe.



  • 3.  RE: Implementation question - blocking end-point vendors

    EMPLOYEE
    Posted Nov 19, 2012 08:04 AM

    In Role Mapping, try this:

     

    Authorization:Endpoints Repository Category Equals SmartDevice



  • 4.  RE: Implementation question - blocking end-point vendors

    Posted Nov 19, 2012 08:18 AM

    I tried it but it doesn't seem to work.

    If I go to Identity --> Endpoints I can see my client MAC address with Profiled: No, Status: Unknown.

     



  • 5.  RE: Implementation question - blocking end-point vendors

    Posted Nov 19, 2012 08:24 AM

    I also tried this role but still I can authenticate and connect:

    (Authorization:[Endpoints Repository]:Device Name CONTAINS Android)Block_Devices


  • 6.  RE: Implementation question - blocking end-point vendors

    EMPLOYEE
    Posted Nov 19, 2012 08:28 AM

    Your endpoints repository only has basic information about your devices.  To get more information, you need to put an additional helper address on your wireless subnet to point to CPPM to collect that additional information and insert it into the Endpoints repository.  It will then be able to better classify those devices with more parameters, rather than just by mac address.

     



  • 7.  RE: Implementation question - blocking end-point vendors

    Posted Nov 19, 2012 08:35 AM

    Can you elaborate on "To get more information, you need to put an additional helper address on your wireless subnet to point to CPPM to collect that additional information and insert it into the Endpoints repository"?

    What are the steps? Is there a manual for this?

     



  • 8.  RE: Implementation question - blocking end-point vendors

    EMPLOYEE
    Posted Nov 19, 2012 09:13 AM

    @shpapy wrote:

    Can you elaborate on "To get more information, you need to put an additional helper address on your wireless subnet to point to CPPM to collect that additional information and insert it into the Endpoints repository"?

    What are the steps? Is there a manual for this?

     


    What version of ClearPass Policy Manager?

     

    Please download the User Guide from http://support.arubanetworks.com.  Do a search for "Endpoint Profiler" and it will give you details about how you can get the profiler to populate information into the endpoints database.

     

    The helper address is a command that is commonly used on a layer 3 interface of a router to send DHCP requests to a central DHCP server. Putting a second helper address on a layer 3 interface and pointing it to the IP address of CPPM allows CPPM to obtain DHCP fingerprint information, which will further populate the Endpoints database. That will give you more information to check about your devices.

     



  • 9.  RE: Implementation question - blocking end-point vendors

    Posted Nov 19, 2012 10:18 AM

    So without adding the ip-helper the product cannot even identify smartphones at all...

    OK, guess I need to go over the switches.



  • 10.  RE: Implementation question - blocking end-point vendors

    EMPLOYEE
    Posted Nov 19, 2012 08:21 AM
    Do you have a helper address on your wireless subnet pointing to CPPM so your devices can be profiled?


  • 11.  RE: Implementation question - blocking end-point vendors

    EMPLOYEE
    Posted Nov 19, 2012 08:40 AM
    Do you have the profiler license? If you do, please search the user guide for profiler to ensure it is enabled.

    If you do not, ignore what I said.


  • 12.  RE: Implementation question - blocking end-point vendors

    Posted Nov 19, 2012 08:43 AM

    Profiler is enabled as an evaluation license in the product.

    But the endpoint mapping is empty: my phone was not categorized, not profiled or detected as Android, while other PCs are listed OK in the endpoints list.

     



  • 13.  RE: Implementation question - blocking end-point vendors

    Posted Nov 19, 2012 08:59 AM
    2012-11-19 14:56:03,069[RequestHandler-1-0x4431b940 r=auto-1737 h=48 r=R0000032c-01-50aa3a71] INFO Common.EndpointTable - Returning NULL (EndpointPtr) for macAddr 3cd0f8005930
    2012-11-19 14:56:03,069[RequestHandler-1-0x4431b940 r=auto-1737 h=48 r=R0000032c-01-50aa3a71] INFO Common.TagDefinitionCacheTable - No InstanceTagDefCacheMap found for instance id = 3001 entity id = 29
    2012-11-19 14:56:03,069[RequestHandler-1-0x4431b940 r=auto-1737 h=48 r=R0000032c-01-50aa3a71] INFO Common.TagDefinitionCacheTable - Building the TagDefMapTable for NAD instance=3001
    2012-11-19 14:56:03,069[RequestHandler-1-0x4431b940 r=auto-1737 h=48 r=R0000032c-01-50aa3a71] INFO Common.TagDefinitionCacheTable - Built 0 tag(s) for NAD instanceId=3001|entityId=29
    2012-11-19 14:56:03,069[RequestHandler-1-0x4431b940 r=auto-1737 h=48 r=R0000032c-01-50aa3a71] INFO TAT.TagAttrHolderBuilder - No tags built for instanceId=3001|entity=Device
    2012-11-19 14:56:03,069[RequestHandler-1-0x4431b940 r=auto-1737 h=48 r=R0000032c-01-50aa3a71] INFO TAT.AluTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL AuthLocalUser)
    2012-11-19 14:56:03,070[RequestHandler-1-0x4431b940 r=auto-1737 h=48 r=R0000032c-01-50aa3a71] INFO TAT.GuTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL GuestUser)
    2012-11-19 14:56:03,070[RequestHandler-1-0x4431b940 r=auto-1737 h=48 r=R0000032c-01-50aa3a71] INFO TAT.EndpointTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL Endpoint)
    2012-11-19 14:56:03,070[RequestHandler-1-0x4431b940 r=auto-1737 h=48 r=R0000032c-01-50aa3a71] INFO TAT.OnboardTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL Onboard Device User)
    2012-11-19 14:56:03,070[RequestHandler-1-0x4431b940 h=12325 c=R0000032c-01-50aa3a71] INFO Core.PETaskScheduler - *** PE_TASK_SCHEDULE_RADIUS Started ***
    2012-11-19 14:56:03,070[RequestHandler-1-0x4431b940 h=12326 c=R0000032c-01-50aa3a71] WARN REC.EvaluatorCtx - Prerequisites set is empty, not populating the Request Map
    2012-11-19 14:56:03,072[RequestHandler-1-0x4431b940 r=R0000032c-01-50aa3a71 h=12327 c=R0000032c-01-50aa3a71] INFO Core.PETaskRoleMapping - Roles: Allow_Access, User Authenticated]
    2012-11-19 14:56:03,073[RequestHandler-1-0x4431b940 h=12330 c=R0000032c-01-50aa3a71] INFO Core.PETaskEnforcement - EnfProfiles: PEAP_Active_Directory_Auth
    2012-11-19 14:56:03,073[RequestHandler-1-0x4431b940 h=12331 c=R0000032c-01-50aa3a71] INFO Core.PETaskRadiusEnfProfileBuilder - EnfProfileAction=ACCEPT
    2012-11-19 14:56:03,073[RequestHandler-1-0x4431b940 h=12331 c=R0000032c-01-50aa3a71] INFO Core.PETaskRadiusEnfProfileBuilder - Radius enfProfiles used: PEAP_Active_Directory_Auth
    2012-11-19 14:56:03,073[RequestHandler-1-0x4431b940 h=12331 c=R0000032c-01-50aa3a71] INFO Core.EnfProfileComputer - getFinalSessionTimeout: sessionTimeout = 0
    2012-11-19 14:56:03,073[RequestHandler-1-0x4431b940 h=12334 c=R0000032c-01-50aa3a71] INFO Core.PETaskCliEnforcement - startHandler: No commands for CLI enforcement
    2012-11-19 14:56:03,076[RequestHandler-1-0x4431b940 r=R0000032c-01-50aa3a71 h=12332 c=R0000032c-01-50aa3a71] INFO Core.PETaskRadiusCoAEnfProfileBuilder - getApplicableProfiles: No radius_coa enforcement profiles applicable for this device
    2012-11-19 14:56:03,078[RequestHandler-1-0x4431b940 h=12336 c=R0000032c-01-50aa3a71] INFO Core.XpipPolicyResHandler - populateResponseTlv: PETaskPostureOutput does not exist. Skip sending posture VAFs
    2012-11-19 14:56:03,078[RequestHandler-1-0x4431b940 h=12336 c=R0000032c-01-50aa3a71] INFO Core.PolicyResCollector - getSohr: Failed to generate Sohr
    2012-11-19 14:56:03,078[RequestHandler-1-0x4431b940 h=12335 c=R0000032c-01-50aa3a71] INFO Core.PolicyResCollector - getSohr: Failed to generate Sohr
    2012-11-19 14:56:03,079[Th 2 Req 4516 SessId R0000032c-01-50aa3a71] INFO RadiusServer.Radius - rlm_policy: Received Accept Enforcement Profile
    2012-11-19 14:56:03,079[Th 2 Req 4516 SessId R0000032c-01-50aa3a71] INFO RadiusServer.Radius - rlm_policy: Policy Server reply does not contain Posture-Validation-Response
    2012-11-19 14:56:03,079[RequestHandler-1-0x4431b940 r=R0000032c-01-50aa3a71 h=12325 c=R0000032c-01-50aa3a71] INFO Core.PETaskScheduler - *** PE_TASK_SCHEDULE_RADIUS Completed ***
    2012-11-19 14:56:03,087[Th 3 Req 4517 SessId R0000032c-01-50aa3a71] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "ArubaController_UserAuthentication"
    2012-11-19 14:56:03,087[Th 3 Req 4517 SessId R0000032c-01-50aa3a71] INFO RadiusServer.Radius - rlm_policy: Bypassing Policy Evaluation.
    2012-11-19 14:56:03,087[Th 3 Req 4517 SessId R0000032c-01-50aa3a71] INFO RadiusServer.Radius - rlm_policy: Added Class attribute with value Class = 0x72a50b9dae28411caed73db57b45328abb0b0000000000005230303030303332632d30312d35306161336137310000000000000000000000
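The log posted above shows the whole chain in one request: the endpoint lookup returns NULL for the MAC, so role mapping falls through to Allow_Access and the enforcement action is ACCEPT. The following parser is an added example (not ClearPass code, not from the poster) that pulls exactly those facts out of CPPM log lines and flags sessions that were accepted while the endpoint had no repository entry; the sample lines are taken from the post above.

```python
import re

# Excerpt of the lines posted in the thread (same session id and MAC as shown there).
SAMPLE_LOG = """\
2012-11-19 14:56:03,069[RequestHandler-1-0x4431b940 r=auto-1737 h=48 r=R0000032c-01-50aa3a71] INFO Common.EndpointTable - Returning NULL (EndpointPtr) for macAddr 3cd0f8005930
2012-11-19 14:56:03,072[RequestHandler-1-0x4431b940 r=R0000032c-01-50aa3a71 h=12327 c=R0000032c-01-50aa3a71] INFO Core.PETaskRoleMapping - Roles: Allow_Access, User Authenticated]
2012-11-19 14:56:03,073[RequestHandler-1-0x4431b940 h=12330 c=R0000032c-01-50aa3a71] INFO Core.PETaskEnforcement - EnfProfiles: PEAP_Active_Directory_Auth
2012-11-19 14:56:03,073[RequestHandler-1-0x4431b940 h=12331 c=R0000032c-01-50aa3a71] INFO Core.PETaskRadiusEnfProfileBuilder - EnfProfileAction=ACCEPT
2012-11-19 14:56:03,087[Th 3 Req 4517 SessId R0000032c-01-50aa3a71] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "ArubaController_UserAuthentication"
"""

# Session ids look like R0000032c-01-50aa3a71; every line of a request carries one.
SESSION_RE = re.compile(r"\b(R[0-9a-f]{8}-\d{2}-[0-9a-f]{8})\b")
NULL_EP_RE = re.compile(r"Returning NULL \(EndpointPtr\) for macAddr ([0-9a-f]{12})")
ROLES_RE = re.compile(r"PETaskRoleMapping - Roles: (.+)$")
ENF_RE = re.compile(r"PETaskEnforcement - EnfProfiles: (.+)$")
ACTION_RE = re.compile(r"EnfProfileAction=(\w+)")
SERVICE_RE = re.compile(r'categorized into service "([^"]+)"')


def summarize_sessions(log_text):
    """Group lines by RADIUS session id and extract the facts that decide access."""
    sessions = {}
    for line in log_text.splitlines():
        sid = SESSION_RE.search(line)
        if not sid:
            continue
        s = sessions.setdefault(sid.group(1), {
            "unprofiled_macs": [], "roles": [], "enf_profiles": [],
            "action": None, "service": None})
        if m := NULL_EP_RE.search(line):
            s["unprofiled_macs"].append(m.group(1))
        elif m := ROLES_RE.search(line):
            # The logger leaves a stray "]" after the role list; strip it.
            s["roles"] = [r.strip() for r in m.group(1).rstrip("]").split(",")]
        elif m := ENF_RE.search(line):
            s["enf_profiles"] = [p.strip() for p in m.group(1).split(",")]
        elif m := ACTION_RE.search(line):
            s["action"] = m.group(1)
        elif m := SERVICE_RE.search(line):
            s["service"] = m.group(1)
    return sessions


def unprofiled_accepts(log_text):
    """Sessions that were ACCEPTed although the endpoint had no repository entry."""
    return [sid for sid, s in summarize_sessions(log_text).items()
            if s["unprofiled_macs"] and s["action"] == "ACCEPT"]
```

Run it over a longer Access Tracker export and any session listed by unprofiled_accepts is one where a device-based rule could not have fired, whatever the rule says.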


  • 14.  RE: Implementation question - blocking end-point vendors

    Posted Nov 21, 2012 09:07 AM

    @shpapy wrote:
    3. (Connection:Client-Mac-Vendor EQUALS Murata Manufacturing Co., Ltd.) [Deny Access Profile]
    4. (Connection:Client-Mac-Vendor EQUALS Apple, Inc.) [Deny Access Profile]


    I was looking at this option and noticed the huge amount of different entries in general and then like 12 already for only Apple, I guess you would have to block them all to be sure nothing slips through. And the issue remains you can't differentiate between a MacOS desktop, iPhone, iPad, i....

     

    It is a cute option, but I still guess the profiler license is the best way to go.
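The two approaches compared in this thread behave differently for the same devices, and the role-mapping attempts in posts 3 and 5 did not fire for a reason the later posts explain: an endpoint the profiler has not classified has no Category or Device Name, so no rule matches and the default role is assigned. The rule evaluator below is an added example (constructed here, not ClearPass's engine or the poster's configuration) that models first-match rule evaluation with missing attributes; the vendor strings and "SmartDevice" come from the thread, while the other attribute values and the fail-closed role are assumptions.

```python
# Rules are (attribute, operator, value, result) tuples, evaluated top-down,
# first match wins. A rule whose attribute is absent from the request never matches.
OPERATORS = {
    "EQUALS": lambda actual, wanted: actual == wanted,
    "CONTAINS": lambda actual, wanted: wanted in actual,
}


def evaluate(rules, attributes, default):
    """Return the result of the first matching rule, else the default."""
    for attr, op, value, result in rules:
        actual = attributes.get(attr)
        if actual is not None and OPERATORS[op](actual, value):
            return result
    return default


# Post 1: enforcement policy keyed only on the OUI vendor string.
VENDOR_RULES = [
    ("Connection:Client-Mac-Vendor", "EQUALS", "Murata Manufacturing Co., Ltd.", "Deny Access Profile"),
    ("Connection:Client-Mac-Vendor", "EQUALS", "Apple, Inc.", "Deny Access Profile"),
]
# Posts 3 and 5: role mapping keyed on profiler data in the Endpoints Repository.
PROFILER_RULES = [
    ("Authorization:[Endpoints Repository]:Category", "EQUALS", "SmartDevice", "Block_Devices"),
    ("Authorization:[Endpoints Repository]:Device Name", "CONTAINS", "Android", "Block_Devices"),
]

# Constructed endpoints. "Computer" and the device names are illustrative values,
# not real profiler output.
MACBOOK = {"Connection:Client-Mac-Vendor": "Apple, Inc.",
           "Authorization:[Endpoints Repository]:Category": "Computer"}
IPHONE = {"Connection:Client-Mac-Vendor": "Apple, Inc.",
          "Authorization:[Endpoints Repository]:Category": "SmartDevice"}
# Post 4's situation: the MAC is known but nothing has been profiled yet.
UNPROFILED_ANDROID = {"Connection:Client-Mac-Vendor": "Murata Manufacturing Co., Ltd."}


def vendor_decision(endpoint):
    """OUI-based blocking: cannot tell a MacBook from an iPhone."""
    return evaluate(VENDOR_RULES, endpoint, "Allow")


def profiler_role(endpoint, fail_closed=False):
    """fail_closed=True is an assumed hardening: endpoints the profiler has not
    classified get a restricted role instead of the permissive default."""
    has_profile = any(k.startswith("Authorization:") for k in endpoint)
    if fail_closed and not has_profile:
        return "Unprofiled_Restricted"
    return evaluate(PROFILER_RULES, endpoint, "Allow_Access")
```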



  • 15.  RE: Implementation question - blocking end-point vendors

    Posted Nov 21, 2012 09:11 AM

    I agree but my management wanted to see if we could save money.

    So now I switched to profiler; huge difference :-)