Frequent Contributor I

Re: Implementation question - blocking end-point vendors

2012-11-19 14:56:03,069[RequestHandler-1-0x4431b940 r=auto-1737 h=48 r=R0000032c-01-50aa3a71] INFO Common.EndpointTable - Returning NULL (EndpointPtr) for macAddr 3cd0f8005930
2012-11-19 14:56:03,069[RequestHandler-1-0x4431b940 r=auto-1737 h=48 r=R0000032c-01-50aa3a71] INFO Common.TagDefinitionCacheTable - No InstanceTagDefCacheMap found for instance id = 3001 entity id = 29
2012-11-19 14:56:03,069[RequestHandler-1-0x4431b940 r=auto-1737 h=48 r=R0000032c-01-50aa3a71] INFO Common.TagDefinitionCacheTable - Building the TagDefMapTable for NAD instance=3001
2012-11-19 14:56:03,069[RequestHandler-1-0x4431b940 r=auto-1737 h=48 r=R0000032c-01-50aa3a71] INFO Common.TagDefinitionCacheTable - Built 0 tag(s) for NAD instanceId=3001|entityId=29
2012-11-19 14:56:03,069[RequestHandler-1-0x4431b940 r=auto-1737 h=48 r=R0000032c-01-50aa3a71] INFO TAT.TagAttrHolderBuilder - No tags built for instanceId=3001|entity=Device
2012-11-19 14:56:03,069[RequestHandler-1-0x4431b940 r=auto-1737 h=48 r=R0000032c-01-50aa3a71] INFO TAT.AluTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL AuthLocalUser)
2012-11-19 14:56:03,070[RequestHandler-1-0x4431b940 r=auto-1737 h=48 r=R0000032c-01-50aa3a71] INFO TAT.GuTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL GuestUser)
2012-11-19 14:56:03,070[RequestHandler-1-0x4431b940 r=auto-1737 h=48 r=R0000032c-01-50aa3a71] INFO TAT.EndpointTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL Endpoint)
2012-11-19 14:56:03,070[RequestHandler-1-0x4431b940 r=auto-1737 h=48 r=R0000032c-01-50aa3a71] INFO TAT.OnboardTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL Onboard Device User)
2012-11-19 14:56:03,070[RequestHandler-1-0x4431b940 h=12325 c=R0000032c-01-50aa3a71] INFO Core.PETaskScheduler - *** PE_TASK_SCHEDULE_RADIUS Started ***
2012-11-19 14:56:03,070[RequestHandler-1-0x4431b940 h=12326 c=R0000032c-01-50aa3a71] WARN REC.EvaluatorCtx - Prerequisites set is empty, not populating the Request Map
2012-11-19 14:56:03,072[RequestHandler-1-0x4431b940 r=R0000032c-01-50aa3a71 h=12327 c=R0000032c-01-50aa3a71] INFO Core.PETaskRoleMapping - Roles: Allow_Access, User Authenticated]
2012-11-19 14:56:03,073[RequestHandler-1-0x4431b940 h=12330 c=R0000032c-01-50aa3a71] INFO Core.PETaskEnforcement - EnfProfiles: PEAP_Active_Directory_Auth
2012-11-19 14:56:03,073[RequestHandler-1-0x4431b940 h=12331 c=R0000032c-01-50aa3a71] INFO Core.PETaskRadiusEnfProfileBuilder - EnfProfileAction=ACCEPT
2012-11-19 14:56:03,073[RequestHandler-1-0x4431b940 h=12331 c=R0000032c-01-50aa3a71] INFO Core.PETaskRadiusEnfProfileBuilder - Radius enfProfiles used: PEAP_Active_Directory_Auth
2012-11-19 14:56:03,073[RequestHandler-1-0x4431b940 h=12331 c=R0000032c-01-50aa3a71] INFO Core.EnfProfileComputer - getFinalSessionTimeout: sessionTimeout = 0
2012-11-19 14:56:03,073[RequestHandler-1-0x4431b940 h=12334 c=R0000032c-01-50aa3a71] INFO Core.PETaskCliEnforcement - startHandler: No commands for CLI enforcement
2012-11-19 14:56:03,076[RequestHandler-1-0x4431b940 r=R0000032c-01-50aa3a71 h=12332 c=R0000032c-01-50aa3a71] INFO Core.PETaskRadiusCoAEnfProfileBuilder - getApplicableProfiles: No radius_coa enforcement profiles applicable for this device
2012-11-19 14:56:03,078[RequestHandler-1-0x4431b940 h=12336 c=R0000032c-01-50aa3a71] INFO Core.XpipPolicyResHandler - populateResponseTlv: PETaskPostureOutput does not exist. Skip sending posture VAFs
2012-11-19 14:56:03,078[RequestHandler-1-0x4431b940 h=12336 c=R0000032c-01-50aa3a71] INFO Core.PolicyResCollector - getSohr: Failed to generate Sohr
2012-11-19 14:56:03,078[RequestHandler-1-0x4431b940 h=12335 c=R0000032c-01-50aa3a71] INFO Core.PolicyResCollector - getSohr: Failed to generate Sohr
2012-11-19 14:56:03,079[Th 2 Req 4516 SessId R0000032c-01-50aa3a71] INFO RadiusServer.Radius - rlm_policy: Received Accept Enforcement Profile
2012-11-19 14:56:03,079[Th 2 Req 4516 SessId R0000032c-01-50aa3a71] INFO RadiusServer.Radius - rlm_policy: Policy Server reply does not contain Posture-Validation-Response
2012-11-19 14:56:03,079[RequestHandler-1-0x4431b940 r=R0000032c-01-50aa3a71 h=12325 c=R0000032c-01-50aa3a71] INFO Core.PETaskScheduler - *** PE_TASK_SCHEDULE_RADIUS Completed ***
2012-11-19 14:56:03,087[Th 3 Req 4517 SessId R0000032c-01-50aa3a71] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "ArubaController_UserAuthentication"
2012-11-19 14:56:03,087[Th 3 Req 4517 SessId R0000032c-01-50aa3a71] INFO RadiusServer.Radius - rlm_policy: Bypassing Policy Evaluation.
2012-11-19 14:56:03,087[Th 3 Req 4517 SessId R0000032c-01-50aa3a71] INFO RadiusServer.Radius - rlm_policy: Added Class attribute with value Class = 0x72a50b9dae28411caed73db57b45328abb0b0000000000005230303030303332632d30312d35306161336137310000000000000000000000
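
Added example, not part of the original post and not Aruba code: a small parser that groups trace lines like the ones above by session ID and flags sessions that were accepted although the EndpointTable lookup returned NULL for the client MAC. Reading that NULL line as "no Endpoints entry for this MAC" is an assumption based on the log text; the function and field names are hypothetical.

```python
import re

# Five lines copied from the log posted above; the rest of the trace is omitted.
SAMPLE_LOG = """\
2012-11-19 14:56:03,069[RequestHandler-1-0x4431b940 r=auto-1737 h=48 r=R0000032c-01-50aa3a71] INFO Common.EndpointTable - Returning NULL (EndpointPtr) for macAddr 3cd0f8005930
2012-11-19 14:56:03,072[RequestHandler-1-0x4431b940 r=R0000032c-01-50aa3a71 h=12327 c=R0000032c-01-50aa3a71] INFO Core.PETaskRoleMapping - Roles: Allow_Access, User Authenticated]
2012-11-19 14:56:03,073[RequestHandler-1-0x4431b940 h=12331 c=R0000032c-01-50aa3a71] INFO Core.PETaskRadiusEnfProfileBuilder - EnfProfileAction=ACCEPT
2012-11-19 14:56:03,073[RequestHandler-1-0x4431b940 h=12331 c=R0000032c-01-50aa3a71] INFO Core.PETaskRadiusEnfProfileBuilder - Radius enfProfiles used: PEAP_Active_Directory_Auth
2012-11-19 14:56:03,087[Th 3 Req 4517 SessId R0000032c-01-50aa3a71] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "ArubaController_UserAuthentication"
"""

LINE = re.compile(r"^[\d-]+ [\d:,]+\[(?P<ctx>[^\]]*)\] (?P<level>\w+) (?P<module>\S+) - (?P<msg>.*)$")
SESSION = re.compile(r"R[0-9a-f]{8}-\d{2}-[0-9a-f]{8}")
# Message patterns mapped to (hypothetical) field names in the per-session summary.
FIELDS = {
    "unknown_mac": re.compile(r"Returning NULL \(EndpointPtr\) for macAddr (\w+)"),
    "roles": re.compile(r"Roles: (.+?)\]?$"),
    "action": re.compile(r"EnfProfileAction=(\w+)"),
    "profiles": re.compile(r"Radius enfProfiles used: (.+)"),
    "service": re.compile(r'categorized into service "([^"]+)"'),
}

def summarize(log_text):
    """Group log lines by RADIUS session ID and pull out the policy decision."""
    sessions = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        sid = SESSION.search(m.group("ctx")) if m else None
        if not sid:
            continue  # malformed line or not tied to a session
        entry = sessions.setdefault(sid.group(0), {})
        for name, pattern in FIELDS.items():
            hit = pattern.search(m.group("msg"))
            if hit:
                entry[name] = hit.group(1)
    return sessions

def accepted_without_endpoint(sessions):
    """Sessions that got ACCEPT although the MAC lookup returned NULL."""
    return [(sid, s["unknown_mac"]) for sid, s in sessions.items()
            if s.get("action") == "ACCEPT" and "unknown_mac" in s]

if __name__ == "__main__":
    for sid, mac in accepted_without_endpoint(summarize(SAMPLE_LOG)):
        print(f"{sid}: ACCEPT for {mac}, no endpoint record found")
```
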
Guru Elite

Re: Implementation question - blocking end-point vendors


@shpapy wrote:

Can you elaborate on "To get more information, you need to put an additional helper address on your wireless subnet to point to CPPM to collect that additional information and insert it into the Endpoints repository"

What are the steps? Is there a manual for this?

 


What version of ClearPass Policy Manager?

Please download the User Guide from http://support.arubanetworks.com. Do a search for "Endpoint Profiler" and it will give you details about how you can get the profiler to populate information into the endpoints database.

The helper address is a command that is commonly used on a layer 3 interface of a router to send DHCP requests to a central DHCP server. Putting a second helper address on a layer 3 interface and pointing it to the IP address of CPPM allows CPPM to obtain DHCP fingerprint information, which will further populate the Endpoints database. That will give you more information to check about your devices.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
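
Added example, not part of the original post and not Aruba code: what a relayed DHCP request carries that a MAC vendor lookup does not. It parses a DHCPDISCOVER and extracts the relay address, client MAC, option 55 (parameter request list) and option 60 (vendor class), the fields generally used for DHCP fingerprinting; that ClearPass keys on exactly these options is an assumption, and the packets and option values are constructed.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that follows the 236-byte BOOTP header

def build_discover(mac, giaddr, params, vendor_class):
    """Constructed sample: a DHCPDISCOVER as a relay (helper address) forwards it."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 1, 0x1234ABCD, 0, 0,
                      bytes(4), bytes(4), bytes(4), bytes(giaddr),
                      bytes.fromhex(mac), b"", b"")
    opts = b"\x35\x01\x01"  # option 53, message type 1 = DISCOVER
    for code, val in ((55, bytes(params)), (60, vendor_class)):
        opts += bytes([code, len(val)]) + val
    return hdr + MAGIC + opts + b"\xff"

def fingerprint(packet):
    """Return the fields a DHCP-based profiler can key on, or None if not DHCP."""
    if len(packet) < 240 or packet[236:240] != MAGIC:
        return None
    opts, i = {}, 240
    while i < len(packet) and packet[i] != 255:      # 255 = end option
        if packet[i] == 0:                           # 0 = pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(packet) or i + 2 + packet[i + 1] > len(packet):
            return None                              # truncated option: reject
        opts[packet[i]] = packet[i + 2:i + 2 + packet[i + 1]]
        i += 2 + packet[i + 1]
    return {
        "mac": packet[28:28 + min(packet[2], 16)].hex(),           # chaddr, hlen bytes
        "relay": ".".join(str(b) for b in packet[24:28]),          # giaddr set by the relay
        "option55": ",".join(str(b) for b in opts.get(55, b"")),   # parameter request list
        "option60": opts.get(60, b"").decode("ascii", "replace"),  # vendor class identifier
    }

# Two constructed clients behind the same relay. Both MACs share their first three
# bytes (taken from the MAC in the log on this page); the option values are made up.
CLIENT_A = build_discover("3cd0f8005930", (10, 0, 20, 1), [1, 121, 3, 6, 15], b"example-handset")
CLIENT_B = build_discover("3cd0f8aabbcc", (10, 0, 20, 1), [1, 3, 6, 15, 44, 46, 47], b"example-desktop")

if __name__ == "__main__":
    for pkt in (CLIENT_A, CLIENT_B):
        print(fingerprint(pkt))
```

Both sample clients would match the same Client-Mac-Vendor rule, while their option 55 and option 60 values differ, which is the extra detail the second helper address makes visible.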
Frequent Contributor I

Re: Implementation question - blocking end-point vendors

So without adding the ip-helper the product cannot even identify smartphones at all...

OK, guess I need to go over the switches.

Trusted Contributor I

Re: Implementation question - blocking end-point vendors


@shpapy wrote:
3.(Connection:Client-Mac-Vendor EQUALS Murata Manufacturing Co., Ltd.)[Deny Access Profile]
4.(Connection:Client-Mac-Vendor EQUALS Apple, Inc.)[Deny Access Profile]


I was looking at this option and noticed the huge amount of different entries in general, and then like 12 already for only Apple. I guess you would have to block them all to be sure nothing slips through. And the issue remains you can't differentiate between a MacOS desktop, iPhone, iPad, i....

It is a cute option, but I still guess profiler license is the best way to go.

Frequent Contributor I

Re: Implementation question - blocking end-point vendors

I agree but my management wanted to see if we could save money.

So now I switched to profiler; huge difference :-)

 
