MVP Expert

Is there an updated ClearPass Profiling TechNote V1.2 document

Been looking at how to create custom fingerprints.

My initial one was to generate a "UoY Amazon Echo" fingerprint, as the supplied one didn't have the MAC OUI of the Echo we bought.

 

What I did was create the following and upload it to the MP.

 

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TipsContents xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
  <TipsHeader exportTime="Tue Jul 24 12:38:04 BST 2018" version="6.7"/>
  <!--
  Date: 27/07/18
  Name: Amazon-echo-fingerprint.xml
  Function: Create a locally defined fingerprint category="Home Audio/Video Equipment" family="Amazon" name="UoY Amazon Echo". Take the standard ClearPass definition and add the OUI of the device on my desk to the list of known ones.
  -->
  <DeviceFingerprints>
    <DeviceFingerprint category="Home Audio/Video Equipment" family="Amazon" name="UoY Amazon Echo">
      <FingerprintRules>
        <FingerprintRule match-conditions="ALL">
          <RuleCondition name="mac_vendor" operator="contains" value="Amazon"/>
          <RuleCondition name="device.family" operator="contains" value="Android"/>
          <!-- OUI prefixes for the default ClearPass Amazon Echo fingerprint and addition of the one on my desk -->
          <RuleCondition name="mac" operator="contains">
            <valueList>[34d270 40b4cd fca667 4cefc0 8871e5]</valueList>
          </RuleCondition>
          <RuleCondition name="dhcp.option60" operator="contains">
            <valueList>["dhcpcd-5.5.6"]</valueList>
          </RuleCondition>
          <RuleCondition name="dhcp.option55" operator="contains">
            <valueList>["1,33,3,6,15,28,51,58,59"]</valueList>
          </RuleCondition>
          <RuleCondition name="dhcp.options" operator="contains">
            <valueList>["53,50,57,60,12,55"]</valueList>
          </RuleCondition>
        </FingerprintRule>
      </FingerprintRules>
    </DeviceFingerprint>
  </DeviceFingerprints>
</TipsContents>

 

In the ClearPass profiling doc the example to add a rule is:

 

RULES API:

1. API to ADD Rules:

Given an unknown endpoint, this API will automatically create rules by ANDing rule attributes from endpoint mac_vendor, hostname and fingerprints (ex: "dhcp.option60", "snmp.sys_descr", "host.user_agent", "host.os_type", "nmap.device"). Rules created using API will have ids starting from 100000.

Method: POST
URL: /async_netd/deviceprofiler/rules
Values:
{
mac:
rule_fields: [..]
}

Where rule_fields = mac_vendor, hostname, dhcp.option55, dhcp.options, dhcp.option60, snmp.sys_descr, host.user_agent etc...

Example:
CMD:
curl -X POST -u apiadmin:password https://<CPPM IP>/async_netd/deviceprofiler/rules -H "Content-Type: application/json" -k -d '{"mac" : "6cadf8112341", "rule_fields": ["mac_vendor", "dhcp.option55"] }'

Output: 100000 [New rule ID]

 

What JSON format do I have to use to implement the

<RuleCondition name="mac" operator="contains">
  <valueList>[34d270 40b4cd fca667 4cefc0 8871e5]</valueList>
</RuleCondition>

in my import XML file?

 

Rgds

Alex

 

 

MVP Expert

Re: Is there an updated ClearPass Profiling TechNote V1.2 document

Also, the doc refers to https://<clearpass server>/async_netd/....., but in the API explorer on CPPM 6.7.5 there isn't an API section for async_netd.

 

A

 

 

MVP Expert

Re: Is there an updated ClearPass Profiling TechNote V1.2 document

The problem with my XML file is that there's currently a bug in ClearPass.

 

My XML file specifies strings of DHCP options. Unfortunately, if you import it, it takes all the members of the string and treats them as individual elements. This therefore can apply your new fingerprint to all sorts of devices ... not a good idea. Might be fixed in 6.7.8.

A
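
The over-matching described in the last post can be checked before import; the following is an added example, not part of the original thread and not ClearPass code. It assumes that a valueList holds either quoted strings or space-separated tokens, that "contains" is a substring test satisfied by any listed value, and that the import splits on commas; the endpoint option strings are constructed.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://www.avendasys.com/tipsapiDefs/1.0"}
# Constructed sample: one condition from the fingerprint posted above.
AUTHORED = """<TipsContents xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
<DeviceFingerprints><DeviceFingerprint category="Home Audio/Video Equipment"
 family="Amazon" name="UoY Amazon Echo"><FingerprintRules>
<FingerprintRule match-conditions="ALL">
<RuleCondition name="dhcp.option55" operator="contains">
<valueList>["1,33,3,6,15,28,51,58,59"]</valueList></RuleCondition>
</FingerprintRule></FingerprintRules></DeviceFingerprint></DeviceFingerprints>
</TipsContents>"""

# Constructed DHCP option 55 strings for three hypothetical endpoints.
ENDPOINTS = {
    "echo": "1,33,3,6,15,28,51,58,59",
    "laptop": "1,15,3,6,44,46,47,31,33,121,249,43",
    "printer": "6,3,1,15,66,67,13,44,12",
}

def parse_value_list(text):
    """Assumed reading of <valueList>: quoted strings, else space-separated tokens."""
    body = text.strip().strip("[]")
    quoted = re.findall(r'"([^"]*)"', body)
    return quoted if quoted else body.split()

def conditions(xml_text):
    """Map each RuleCondition name to its list of values."""
    root = ET.fromstring(xml_text)
    return {c.get("name"): parse_value_list(c.findtext("t:valueList", "", NS))
            for c in root.iterfind(".//t:RuleCondition", NS)}

def split_like_import(values):
    """Model the behaviour described in the thread: each member becomes an element."""
    return [m.strip() for v in values for m in v.split(",") if m.strip()]

def matched(values, endpoints=ENDPOINTS):
    """Assumption: 'contains' is true when any listed value is a substring."""
    return sorted(n for n, seen in endpoints.items() if any(v in seen for v in values))

def at_risk(xml_text):
    """Conditions whose values carry commas and so change meaning if split."""
    return sorted(n for n, vals in conditions(xml_text).items()
                  if any("," in v for v in vals))

if __name__ == "__main__":
    opt55 = conditions(AUTHORED)["dhcp.option55"]
    print(at_risk(AUTHORED), matched(opt55), matched(split_like_import(opt55)))
```

Run against the full import file, `at_risk` lists the conditions to re-check in the fingerprint after import.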
