Regular Contributor I

OnBoarding overwrites custom endpoint attributes

I currently have the enforcement policy looking for a custom attribute on the endpoint called "smart onboard." If that attribute = "yes" then the device will be redirected to OnBoard and the process works great. The customer doesn't want to onboard all smart devices at the moment. 

 

However, after the device is OnBoarded, the custom attributes are overwritten by the OnBoard data. Is there a way to make sure the custom attributes don't get overwritten?

Regards,

Josh
___________
ACMP, ACCP
Guru Elite

Re: OnBoarding overwrites custom endpoint attributes

Are the custom attributes named the same thing as the Onboard attributes, or are the custom attributes named something different, but are just deleted?

 


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.3 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Regular Contributor I

Re: OnBoarding overwrites custom endpoint attributes

The attributes are not named the same thing and just get overwritten/deleted.

Regards,

Josh
___________
ACMP, ACCP
Guru Elite

Re: OnBoarding overwrites custom endpoint attributes

The ClearPass applications use the API to access Policy Manager, which uses a destructive add. We experience this when a user connects to our dot1x network and then registers as a guest: all the custom attributes are blown away for the record.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Regular Contributor I

Re: OnBoarding overwrites custom endpoint attributes

Any way to get around this? 

Regards,

Josh
___________
ACMP, ACCP

Re: OnBoarding overwrites custom endpoint attributes

OK. Can you try to use context about these devices from another source and NOT rely on a custom attribute? Or, if you DO use it, have another way to distinguish a post-onboarded device, for example the auth method = EAP-TLS or some identifier in the cert.

 

To move away from using a custom attribute, try leveraging the context of the user using AD memberof, or using a static host list (MAC addresses), OR use device profiler information...

 

Just some initial thoughts...

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Guru Elite

Re: OnBoarding overwrites custom endpoint attributes

Here is my feature request. Please promote it.

 

https://arubanetworkskb.secure.force.com/cp/ideas/viewIdea.apexp?id=08740000000LEWs


| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

Regular Contributor I

Re: OnBoarding overwrites custom endpoint attributes

Thanks Cappalli, I promoted it.

Ultimately yes, AD attributes such as group membership should be used. This, however, is somewhat of a POC, so the need to pick and choose devices based on a custom attribute is needed.

Regards,

Josh
___________
ACMP, ACCP
Guru Elite

Re: OnBoarding overwrites custom endpoint attributes


jclingan wrote:

Thanks Cappalli, I promoted it.

Ultimately yes, AD attributes such as group membership should be used. This, however, is somewhat of a POC, so the need to pick and choose devices based on a custom attribute is needed.


jclingan,

 

The Endpoint database is indexed primarily by the MAC address. Just create a static host list of all the MAC addresses that you want to indicate as having this attribute. You can then compare the calling-station-id of the device to the static host list. If you only have one attribute, just create a static host list with all the MAC addresses that have that attribute and then compare.

 

 

