Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Profiling Devices without CoA

  • 1.  Profiling Devices without CoA

    Posted Feb 06, 2013 11:18 PM

    Is CPPM capable of profiling devices authenticating to it without performing any CoA action?  If I enable Profiler in a service, I have to select an Endpoint Classification and CoA Action.  Policy Manager is adding endpoints to the repository, but it isn't profiling them in any way.  If I just want some basic profiling to take place, such as type of device, host name, OS, etc. to be gathered, what do I need to configure?

     

    Edit:

     

    After reading the UG again, it seems as though CPPM should at least be classifying these devices based off the MAC that it's receiving in the 802.1X request.  That's not working, though.  I'm going to set up some IP helpers to forward DHCP traffic to CPPM and see if that helps any.



  • 2.  RE: Profiling Devices without CoA

    Posted Feb 06, 2013 11:29 PM

    What classification collector are you looking to enable?  There is DHCP, ClearPass Onboard, HTTP User-Agent, MAC OUI, ActiveSync, OnGuard, SNMP, and Subnet Scanner.  The support site has a TechNote that may help you (it is for version 5.x, but I think the same principles apply):  http://support.arubanetworks.com/DOCUMENTATION/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=8389



  • 3.  RE: Profiling Devices without CoA

    Posted Feb 06, 2013 11:39 PM

    Thanks for the doc, Clembo.

     

    I'll set up the DHCP relay and see what happens.



  • 4.  RE: Profiling Devices without CoA

    Posted Feb 09, 2013 10:41 AM

    I've set up DHCP relays on my wired and wireless client subnets.  Also, I created Zones for my PM servers and set up subnet scans for each PM zone.  The subnet scans are scanning printer and VoIP ranges.  The DHCP relay and subnet scans have been set up for several days.

     

    So far, PM has only discovered 45 endpoints.  There should be at least a couple hundred devices found via subnet scans.  There should be several hundred devices discovered via DHCP as well.  I've double checked my helper addresses, subnet scans, and PM zones and they're all set up correctly.  The subnet scan interval is 24 hours.

     

    My PM cluster isn't in production per se; I only have 3 devices that are authenticating via PM as my initial test.  I mention that because I thought maybe PM will only profile devices that are authenticating via PM, but that can't be true since I see 45 devices profiled that are not yet using PM for authentication.

     

    Any thoughts?



  • 5.  RE: Profiling Devices without CoA

    EMPLOYEE
    Posted Feb 09, 2013 12:12 PM

    What kind of layer 3 switches/routers do you have in your environment?

     



  • 6.  RE: Profiling Devices without CoA

    Posted Feb 09, 2013 12:14 PM
    Cisco 6500s.


  • 7.  RE: Profiling Devices without CoA

    EMPLOYEE
    Posted Feb 09, 2013 12:20 PM

    Can devices ping CPPM from their subnet?



  • 8.  RE: Profiling Devices without CoA

    Posted Feb 09, 2013 12:36 PM
    Yes.


  • 9.  RE: Profiling Devices without CoA

    EMPLOYEE
    Posted Feb 09, 2013 12:43 PM

    Under Administration > Server Manager > Server Configuration > Services Control, please make sure that Async Network Services is Running.

     

    If it is running, go to Administration > Server Manager > Log Configuration > Service Log Configuration.  Change the service to Async Network Services.  Change the log level to debug and save.  Wait for a few and then send the logs to TAC.

     

    EDIT:  Last but not least, under Administration > Server Manager > Server Configuration > System, make sure that "Enable to allow this server to perform endpoint classification" is checked.



  • 10.  RE: Profiling Devices without CoA

    Posted Feb 09, 2013 12:52 PM
    Will do, thanks.

    Is there any way to schedule the subnet scan or force it to run?


  • 11.  RE: Profiling Devices without CoA

    EMPLOYEE
    Posted Feb 09, 2013 12:57 PM

    No.  In the cluster-wide parameters, you can configure "Profile subnet scan interval" which will say at what intervals it will scan.

     

    Quite frankly, you would get much, much more data from adding a DHCP helper-address to the same layer 3 interface that your existing helper address is on.
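    Added example, not from this thread or from HPE Aruba: a small Python script that builds a constructed DHCPDISCOVER the way a relay (ip helper-address) forwards it, then extracts the fields a DHCP collector classifies on (host name, vendor class, option 55 parameter request list) and checks giaddr to confirm the packet really arrived via the relay rather than directly. MAC, host name and relay address are made-up values.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2132 option-field marker at offset 236

def build_discover(mac_hex: str, hostname: str, vendor: str, prl: bytes, giaddr: bytes) -> bytes:
    """Constructed DHCPDISCOVER; a relay sets hops=1 and giaddr to its interface address."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, 1, 0x3903F326, 0, 0x8000,
                      bytes(4), bytes(4), bytes(4), giaddr)          # op..giaddr, 28 bytes
    hdr += bytes.fromhex(mac_hex).ljust(16, b"\0") + bytes(64) + bytes(128)  # chaddr, sname, file
    opts = bytes([53, 1, 1])                                           # message type DISCOVER
    opts += bytes([12, len(hostname)]) + hostname.encode()             # option 12 host name
    opts += bytes([60, len(vendor)]) + vendor.encode()                 # option 60 vendor class
    opts += bytes([55, len(prl)]) + prl + b"\xff"                      # option 55 + end marker
    return hdr + MAGIC_COOKIE + opts

def parse_options(pkt: bytes) -> dict:
    """Walk the TLV option field; refuse truncated options instead of reading past the buffer."""
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:
        if pkt[i] == 0:                       # pad byte
            i += 1
            continue
        if i + 1 >= len(pkt) or i + 2 + pkt[i + 1] > len(pkt):
            raise ValueError("truncated DHCP option")
        n = pkt[i + 1]
        opts[pkt[i]] = pkt[i + 2:i + 2 + n]
        i += 2 + n
    return opts

def profile(pkt: bytes) -> dict:
    """Return the attributes a DHCP collector would see; 'relayed' is False if giaddr is 0.0.0.0."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts = parse_options(pkt)
    return {
        "mac": ":".join(f"{b:02x}" for b in pkt[28:28 + pkt[2]]),
        "giaddr": ".".join(str(b) for b in pkt[24:28]),
        "relayed": pkt[24:28] != bytes(4),
        "hostname": opts.get(12, b"").decode(errors="replace"),
        "vendor_class": opts.get(60, b"").decode(errors="replace"),
        "fingerprint": ",".join(str(b) for b in opts.get(55, b"")),  # option 55 order is the OS hint
    }

if __name__ == "__main__":
    prl = bytes([1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252])
    print(profile(build_discover("001122334455", "lab-pc", "MSFT 5.0", prl, bytes([10, 1, 1, 1]))))
```

A packet whose `relayed` field is False never passed through the helper address, which is the first thing to check when the collector sees fewer endpoints than expected.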



  • 12.  RE: Profiling Devices without CoA

    Posted Feb 09, 2013 01:02 PM
    I have subnet scanning enabled for printer and VoIP VLANs only.  While I do have DHCP relay enabled for the VoIP phones, I believe subnet scanning is the only option I have for identifying the printers since their IPs are static.


  • 13.  RE: Profiling Devices without CoA

    Posted Feb 10, 2013 05:54 PM

    How do I export the ClearPass logs?

     

    -----  EDIT ---------

     

    You can export logs via:

     

    Administration > Server Manager > Server Configuration:

    Click on the radio button beside the server name then click the Collect Logs button.



  • 14.  RE: Profiling Devices without CoA

    Posted Mar 19, 2013 05:55 PM

    Profiling is working in CP now.  Our issue was fixed by deleting an invalid certificate in the Certificate Trust List and restarting the services:

     

    1. Administration > Certificates > Trust List
    2. Set Filter: Enabled equals Enabled
    3. Delete certificate(s) that are showing invalid.
    4. Log in to the CP server via CLI.
    5. Log in as app admin.
    6. Type: service restart all


  • 15.  RE: Profiling Devices without CoA
    Best Answer

    Posted Apr 05, 2013 12:59 AM

    I need to retract my previous "solution" as we found out that deleting the invalid certificate was not the actual fix.  About a week after I posted the solution, profiling stopped working.  I assumed we were hitting a bug but CP was actually working as designed.  Weird, eh?  I'll keep it short, but here is ultimately what I learned:

     

    In a CP cluster, when all CP servers have profiling enabled, only one of the servers can be the master profiler just like you can only have one publisher.  The master profiler is selected via election, and the server with the lowest UUID wins. Although all CP servers may have profiling enabled, only the master profiler can profile devices.  Having an election for the master profiler provides a level of redundancy should something happen to the CP server acting as master profiler.

     

    For non-profiling redundancy, enable profiling on only one CP server and point all DHCP relays to that CP server.

     

    For profiling redundancy, enable profiling on X CP servers, and set up DHCP relays to those CP servers.

     

    This is what the CP engineers suggested to me after having profiling difficulties for about a month.  I was surprised to find out that of all the people I talked to, no one (colleagues, SEs, TAC) was aware that this is how profiling works in a cluster.  I couldn't find any mention of this in the CP documentation, so I requested that it be added.  Hopefully, it's added so that others don't have the same issue and bang their heads against the wall like I did for a month.



  • 16.  RE: Profiling Devices without CoA

    Posted May 09, 2013 05:50 PM

    @thecompnerd

     

    Thanks for posting this information!

    We are close to putting our two CPPMs into a cluster and have found it hard to find information on clustering.

     

    This will go into my bookmarks in case we run into issues down the road!

     

    Cheers



  • 17.  RE: Profiling Devices without CoA

    Posted Jan 17, 2014 10:47 AM

    Is there a way to view which server has been elected as the master profiler?  Right now, I have my DHCP relay configured to go to my publisher, but all servers are configured to profile endpoints.  Is the election process dynamic?  Right now, most things are being profiled correctly, but I have clients (on the same network, on the same controller) not being profiled.  I've opened a case already, but if you have insights on this, I'd appreciate it.

     

    Thanks!