Frequent Contributor II

Re: PXE boot and hardwired access

How would I know if something in the endpoint database belongs to the company or not?  It has to be by MAC address in some manner.  I would have to do a manual dump of devices into CPPM?  Currently I'm not seeing devices being dumped into the endpoint repository.  We currently use AD to ID devices or our MDM for policy decisions.  The issue is we cannot use AD through 'normal' channels because a PXE boot computer won't have access to AD yet.  I know you can add attributes to endpoints but that brings up several new issues: how do I get all of our AD devices into the endpoint db, how does it stay up to date, how do I get the attribute into the endpoints which need it, etc.?

At this point, I'm trying to find someone who knows MSSQL and CPPM. I'm running into issues with queries which should work but keep getting errors.

Frequent Contributor II

Re: PXE boot and hardwired access

Machine Authenticated should show up in your roles if you have "use cached roles" enabled. In your dot1x service, place a rule near the top of the enforcement that says: if Endpoint = Unknown and Tips Role equals Machine Authenticated, then mark the endpoint as Known and send a CoA to terminate the session. You can update other attributes here also. You can use Insight to allow computers on for just a few days after they have machine authenticated.

Frequent Contributor II

Re: PXE boot and hardwired access

First: thanks to all who have replied. It is really helping me get this figured out.

Second: What about this logic?

When a device is seen on CPPM and it is [Machine Authenticated] by AD as a machine, I am doing a post-auth enforcement where I update the endpoint as Known (just to be sure) and I set an attribute where Owner = MYCOMPANY.

In my Role evaluation, I have a rule: Endpoint:Owner EQUALS MYCOMPANY --> Role = PXE boot

THEN

In enforcement, I have a rule: Tips:Role EQUALS PXE boot --> allow access

This allows it on the network so it can be re-imaged!!

Seems to be working thus far. Not sure about the efficiency of my configuration though. Thoughts or suggestions?

Frequent Contributor II

Re: PXE boot and hardwired access

Yup; that sequence works. It really all depends on what information you want to see in ClearPass. You just have to figure out what you want to get done. Let me know how you handle the computers that first arrive on your network. I'm looking for solutions.

Marking these computers as Known will help you when you run into computers that have been removed from the domain. If you want to immediately block computers that have been deleted from the domain, then consider using the Machine Authenticated role.

Guru Elite

Re: PXE boot and hardwired access

Many manufacturers can now provide a CSV of the MAC addresses of the machines. You could build an Excel sheet with CONCAT functions to build the import file.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
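The same "vendor MAC list to endpoint import file" step, scripted instead of done with Excel CONCAT, as an added example that is not from this thread or from Aruba. Assumptions, labelled in the code: the vendor CSV has a column named "mac", endpoints are keyed by 12 lowercase hex digits with no separators, and the output column names are a guess that should be matched against an endpoint export from your own CPPM version.

```python
import csv
import io
import re

OWNER = "MYCOMPANY"  # the Owner value the thread's role-mapping rule keys on
_HEX12 = re.compile(r"^[0-9a-f]{12}$")
FIELDS = ["MAC Address", "Status", "Owner"]  # assumed; match your CPPM export


def normalize_mac(raw):
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff or bare
    hex; return 12 lowercase hex digits (how CPPM stores MACs), else None."""
    mac = re.sub(r"[^0-9a-fA-F]", "", raw or "").lower()
    return mac if _HEX12.match(mac) else None


def build_import_rows(vendor_csv):
    """Read the vendor CSV (assumed to have a 'mac' column) and return
    (rows to import, rejected raw values). Duplicate MACs are dropped."""
    rows, rejected, seen = [], [], set()
    for rec in csv.DictReader(io.StringIO(vendor_csv)):
        mac = normalize_mac(rec.get("mac"))
        if mac is None:
            rejected.append(rec.get("mac"))
        elif mac not in seen:
            seen.add(mac)
            rows.append({"MAC Address": mac, "Status": "Known", "Owner": OWNER})
    return rows, rejected


def to_csv(rows):
    """Serialise the rows as the import file (one line per endpoint)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample vendor export: mixed separators, a duplicate, a bad row.
SAMPLE = """serial,mac
S1,00:11:22:AA:BB:CC
S2,00-11-22-aa-bb-cd
S3,0011.22aa.bbce
S4,00:11:22:AA:BB:CC
S5,not-a-mac
"""

if __name__ == "__main__":
    rows, bad = build_import_rows(SAMPLE)
    print(to_csv(rows), "rejected:", bad)
```

Rejected values are returned rather than silently dropped so the list can be reconciled against the vendor's original export before anything is imported.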