Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

PXE image and mac retention

  • 1.  PXE image and mac retention

    Posted Jun 19, 2019 06:40 AM

    Scenario

    A company laptop crashed and has to be reimaged by PXE.

    The laptop is already known to ClearPass as device type Computer.

    When the device is connected to a port for reimaging, ClearPass will detect it as a PXE device, but in version 6.8 we can disable the conflict attribute for Network Boot agents.

    Now the requirement is that once the device is recognized as PXE boot and passes the MAC auth rule, we will return a PXE VLAN, but we want to retain the MAC address of device type PXE boot only for 24 hours. We want that because during OS installation the endpoint has to remain in the same VLAN, because once the OS is installed, ClearPass will again detect it as device type Computer, and for device type Computer hitting the MAC rule, we want to return a Guest VLAN.

    So the requirement is that ClearPass retains the MAC address of the PXE device and, in spite of multiple reboots during OS installation, retains the same PXE VLAN for the endpoint, and automatically flushes the MAC address after 24 hours.

    After 24 hours the device will hit the EAP-TLS rule.



  • 2.  RE: PXE image and mac retention

    MVP
    Posted Jun 20, 2019 01:24 PM

    Not sure if you use profiling for the EAP-TLS rule since you can key off of cert information, but the only way I know to force the fingerprint to stay the same is to manually change it. Then it will not be changed by CPPM automatically. If you don't need to leverage the fingerprint after PXE config, you can just look at the device as PXE and EAP-TLS you know it's a PXE imaged PC. Make sense? I don't know that it is what you want, but may work for what you're looking to do. Otherwise, you'd have to manually modify it for PXE and then when it's done, for Computer.

    Not sure there is any other way to keep it from dynamically changing fingerprint based on discovery methods.