Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Profiling for static IP

  • 1.  Profiling for static IP

    Posted Jul 16, 2019 09:36 AM
    Hello,

    We have around 80 percent of endpoints connecting via DHCP, and we are using DHCP helper addresses and DHCP profiling. It works well.

    However, for devices with static IP addresses, what should we use: SNMP or HTTP? We have an environment of almost 95 Comware 7 switches.

    Can someone guide and suggest the most effective method for devices with a static IP?

    Can't ClearPass profile on the basis of its dictionary database, based on the MAC address of the endpoint? I am talking specifically about static IP devices here.


  • 2.  RE: Profiling for static IP

    Posted Jul 16, 2019 10:26 AM

    Hello,

    We have used subnet scanning to profile static IP addresses with SNMP. CPPM uses SNMP port 161 to profile the devices. You can set specific subnets or hosts to scan; you would set it to scan the subnets that all the static IP addresses are in. You also set a read-only SNMP string so they can be profiled. The scan only runs at set intervals; the default is every 24 hours, but this can be changed.


    You could also do discovery via an ARP-table read. This is where you set CPPM to read the ARP table of L3 devices (such as a router or MC) in your network to discover devices to profile. Again, this uses SNMP read-only.


    The CPPM profiling TechNote is a little old but is still a good source of information for this (link: https://community.arubanetworks.com/t5/Security/UPDATED-ClearPass-Profiling-TechNote-V1-2/td-p/243541).

    Can't comment on the HTTP deployment, as I have never implemented it.

    Hope that helps,

    J



  • 3.  RE: Profiling for static IP

    Posted Jul 16, 2019 10:30 AM
    Thanks a lot.

    I will give the subnet scan a try.

    I have one doubt here. What if the endpoint does not have SNMP configured? In that case the subnet scan, which uses SNMP, fails, as the endpoint won't respond to the SNMP query.

    Also, can't I use the public SNMP string?


    For the ARP read, do we need to define the SNMP string when we add the switch? What port number is used by the ARP read?


  • 4.  RE: Profiling for static IP

    Posted Jul 16, 2019 10:51 AM

    If the device does not respond to the SNMP probe, CPPM won't be able to update its endpoint. You can use "public" as the community string; it is the default value CPPM will use.

    ARP read uses SNMP again. CPPM reads the ARP table of L3 devices using an SNMP read-only account. It will read the ARP table and other information on the device such as CDP/LLDP.

    There is a post by

    https://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/How-to-configure-subnet-scan-to-profile-static-devices-and-how/ta-p/214829

    J



  • 5.  RE: Profiling for static IP

    Posted Jul 16, 2019 10:57 AM
    OK, can we skip the subnet scan (it consumes network resources and bandwidth) and simply use ARP read with the public string only?

    This way CPPM will query the NAS device on the SNMP port, read the ARP table and do the profiling.

    We want to avoid any scan of each endpoint in the subnet.

    Let me know your feedback.


  • 6.  RE: Profiling for static IP
    Best Answer

    Posted Jul 16, 2019 12:22 PM

    ClearPass would do an ARP read on the NAS device, then it would try to profile all the entries from the ARP read using an SNMP probe. CPPM would probe any endpoint in the ARP table of the NAS device, so it would still probe all the DHCP devices as well as the static ones.

    J
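What the ARP read described in the posts above actually hands the profiler is the ipNetToMediaTable of the L3 device: one IP-to-MAC row per neighbour, with no indication of what the endpoint is. The following is an added example, not ClearPass code or anything posted in this thread: it parses a constructed `snmpwalk -On` dump of that table, drops rows the device itself marks invalid, and applies a small constructed OUI dictionary to show how far MAC-based classification (the original question) gets before an active probe of the endpoint is needed. The walk output, the OUI table and the addresses are all made up for the example.

```python
"""Turn an SNMP walk of ipNetToMediaTable (the 'ARP read') into endpoint
candidates and classify them by MAC OUI.  Added example, not ClearPass code;
the snmpwalk lines, the OUI table and the addresses are constructed."""
import re
from ipaddress import IPv4Address

# IP-MIB ipNetToMediaTable columns (RFC 4293), numeric OID form as printed by
#   snmpwalk -v2c -c <ro-string> -On <l3-device> 1.3.6.1.2.1.4.22
PHYS_ADDR = ".1.3.6.1.2.1.4.22.1.2."   # ipNetToMediaPhysAddress
MEDIA_TYPE = ".1.3.6.1.2.1.4.22.1.4."  # ipNetToMediaType: 2=invalid 3=dynamic 4=static

# Constructed walk output; the index after the column OID is ifIndex.a.b.c.d
SAMPLE_WALK = """\
.1.3.6.1.2.1.4.22.1.2.3.10.1.1.20 = Hex-STRING: 00 50 56 A1 B2 C3
.1.3.6.1.2.1.4.22.1.2.3.10.1.1.21 = Hex-STRING: B8 27 EB 11 22 33
.1.3.6.1.2.1.4.22.1.2.3.10.1.1.22 = Hex-STRING: 02 42 AC 11 00 05
.1.3.6.1.2.1.4.22.1.2.7.10.1.9.9 = Hex-STRING: 00 0C 29 DE AD 01
.1.3.6.1.2.1.4.22.1.4.3.10.1.1.20 = INTEGER: 3
.1.3.6.1.2.1.4.22.1.4.3.10.1.1.21 = INTEGER: 4
.1.3.6.1.2.1.4.22.1.4.3.10.1.1.22 = INTEGER: 3
.1.3.6.1.2.1.4.22.1.4.7.10.1.9.9 = INTEGER: 2
"""

# Tiny constructed OUI dictionary standing in for the profiler's real one.
OUI_VENDOR = {"00:50:56": "VMware", "00:0C:29": "VMware", "B8:27:EB": "Raspberry Pi"}

LINE_RE = re.compile(r"^(?P<oid>\.[\d.]+) = (?P<type>[\w-]+): (?P<val>.*)$")


def _split_index(oid, prefix):
    """Index of a table row is ifIndex followed by the four IP octets."""
    parts = oid[len(prefix):].split(".")
    if len(parts) != 5:
        raise ValueError("unexpected index in %s" % oid)
    return int(parts[0]), IPv4Address(".".join(parts[1:]))


def parse_arp_walk(text):
    """Return {ip: {'mac', 'ifindex', 'type'}} for rows not flagged invalid(2)."""
    entries, types = {}, {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        oid, typ, val = m.group("oid", "type", "val")
        if oid.startswith(PHYS_ADDR) and typ == "Hex-STRING":
            ifindex, ip = _split_index(oid, PHYS_ADDR)
            entries[str(ip)] = {"mac": ":".join(val.split()).upper(), "ifindex": ifindex}
        elif oid.startswith(MEDIA_TYPE) and typ == "INTEGER":
            _, ip = _split_index(oid, MEDIA_TYPE)
            types[str(ip)] = int(val)
    # a missing type column is treated as dynamic(3); invalid(2) rows are dropped
    return {ip: dict(e, type=types.get(ip, 3))
            for ip, e in entries.items() if types.get(ip, 3) != 2}


def classify(entries):
    """OUI-based vendor guess per IP. None means the MAC tells us nothing
    (unknown OUI, or a locally administered address such as a VM or container
    NIC), so only an active probe can profile the endpoint."""
    result = {}
    for ip, e in entries.items():
        locally_administered = int(e["mac"][:2], 16) & 0x02
        result[ip] = None if locally_administered else OUI_VENDOR.get(e["mac"][:8])
    return result


def needs_active_probe(entries):
    """IPs the OUI lookup could not classify, sorted for stable output."""
    return sorted(ip for ip, vendor in classify(entries).items() if vendor is None)


if __name__ == "__main__":
    arp = parse_arp_walk(SAMPLE_WALK)
    for ip, vendor in classify(arp).items():
        print(ip, arp[ip]["mac"], vendor or "unknown -> needs SNMP/WMI/nmap probe")
```

The invalid row for 10.1.9.9 never reaches the classifier, and 10.1.1.22 is reported as needing a probe even though its MAC is present: the read-only walk of the L3 device tells the profiler who is on the segment, not what they are, which is why the thread says every ARP entry is then probed in turn.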




  • 7.  RE: Profiling for static IP

    Posted Jul 17, 2019 12:58 PM
    Thanks


  • 8.  RE: Profiling for static IP

    Posted Jul 19, 2019 11:10 AM
    I need some clarity.

    So when we add a layer 2 switch under network devices in CPPM, do we need to add the SNMP string as well?

    Or is it only when we add an L3 switch in CPPM, and we select ARP read and force ARP read, that there is no need to add SNMP for the L2 switch in CPPM?


    This way CPPM will only check the ARP read from the L3 switch and not from the L2 switch (because this way CPPM initiates an SNMP read-only connection towards the L3).


    Also, what if the endpoint does not respond to SNMP?

    How do we profile those endpoints? Practically, it is not possible to enable or configure SNMP on each endpoint.


  • 9.  RE: Profiling for static IP

    Posted Jun 22, 2020 02:26 PM

    Hello



  • 10.  RE: Profiling for static IP

    Posted Jun 22, 2020 03:25 PM

    If you configure ClearPass to pull the ARP table from the switch using SNMP, you will be able to profile devices with static IPs; see below:
    https://www.arubanetworks.com/techdocs/ClearPass/6.8/PolicyManager/Content/CPPM_UserGuide/Network%20Devices/AddingaDevice.htm





  • 11.  RE: Profiling for static IP

    EMPLOYEE
    Posted Jun 23, 2020 05:26 AM

    Well, that's not accurate.

    On-demand static endpoint profiling requires CPPM to receive RADIUS accounting with the Framed-IP-Address.

    This can be done with Cisco and Aruba switches that support IP device tracking.

    Once the IP is updated for that RADIUS session, you can use a Session Notify enforcement to trigger the API to scan the endpoint with the nmap / SSH / SNMP methods.
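The accounting message this post depends on is a standard RADIUS Accounting-Request (RFC 2866): the switch's IP device tracking learns the client's address and sends it in the Framed-IP-Address attribute, which is what gives the profiler a target to scan. The following is an added example, not ClearPass or switch-vendor code: it builds such a request the way a NAS would, verifies the Request Authenticator the way the server must before trusting the contents, and extracts the address a profiler could act on. The shared secret, NAS address, session identifiers and client address are constructed for the example.

```python
"""RADIUS Accounting-Request (RFC 2866) carrying Framed-IP-Address, as a switch
with IP device tracking sends it to the accounting server.  Added example, not
ClearPass or vendor code; secret, addresses and session values are constructed."""
import hashlib
import hmac
import ipaddress
import struct

ACCOUNTING_REQUEST = 4
ATTR = {"User-Name": 1, "NAS-IP-Address": 4, "Framed-IP-Address": 8,
        "Calling-Station-Id": 31, "Acct-Status-Type": 40, "Acct-Session-Id": 44}
ATTR_NAME = {v: k for k, v in ATTR.items()}
IPV4_ATTRS = {ATTR["NAS-IP-Address"], ATTR["Framed-IP-Address"]}
ACCT_STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}
ACCT_CODE = {v: k for k, v in ACCT_STATUS.items()}


def _encode(name, value):
    """One Type/Length/Value attribute; length covers the two header octets."""
    t = ATTR[name]
    if t in IPV4_ATTRS:
        v = ipaddress.IPv4Address(value).packed
    elif t == ATTR["Acct-Status-Type"]:
        v = struct.pack("!I", ACCT_CODE[value])
    else:
        v = value.encode("utf-8")
    if len(v) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", t, 2 + len(v)) + v


def build_acct_request(identifier, secret, attrs):
    """attrs: list of (name, value).  RFC 2866 s.3: the Request Authenticator is
    MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    body = b"".join(_encode(n, v) for n, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_authenticator(packet, secret):
    """True only if the packet was produced by a holder of the shared secret and
    no octet was altered in transit; the server must check this before acting."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def parse_acct_request(packet, secret):
    """Decode the attributes of an authentic Accounting-Request into a dict."""
    if packet[0] != ACCOUNTING_REQUEST or not verify_authenticator(packet, secret):
        raise ValueError("not an authentic Accounting-Request")
    body, attrs, pos = packet[20:], {}, 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        t, length = body[pos], body[pos + 1]
        if length < 2 or pos + length > len(body):
            raise ValueError("bad attribute length")
        v = body[pos + 2:pos + length]
        name = ATTR_NAME.get(t, "Attr-%d" % t)
        if t in IPV4_ATTRS:
            attrs[name] = str(ipaddress.IPv4Address(v))
        elif t == ATTR["Acct-Status-Type"]:
            attrs[name] = ACCT_STATUS.get(struct.unpack("!I", v)[0], "unknown")
        else:
            attrs[name] = v.decode("utf-8", "replace")
        pos += length
    return attrs


def ip_to_profile(packet, secret):
    """Framed-IP-Address a profiler could scan, or None: a Stop, or a packet
    without Framed-IP-Address, gives the profiler nothing to target."""
    a = parse_acct_request(packet, secret)
    if a.get("Acct-Status-Type") not in ("Start", "Interim-Update"):
        return None
    return a.get("Framed-IP-Address")


if __name__ == "__main__":
    secret = b"constructed-secret"      # constructed; never reuse a sample secret
    pkt = build_acct_request(7, secret, [
        ("User-Name", "host/PC1"), ("NAS-IP-Address", "10.1.0.1"),
        ("Calling-Station-Id", "00-50-56-A1-B2-C3"), ("Framed-IP-Address", "10.1.1.20"),
        ("Acct-Status-Type", "Interim-Update"), ("Acct-Session-Id", "0000ABCD")])
    print(parse_acct_request(pkt, secret))
    print("scan target:", ip_to_profile(pkt, secret))
```

A Start record often arrives before device tracking has learned the address, so it carries no Framed-IP-Address and `ip_to_profile` returns None; the Interim-Update that follows the IP learn is the one that carries it, which matches the "once the IP is updated for that session" condition in the post.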




  • 12.  RE: Profiling for static IP

    Posted Jun 23, 2020 10:18 AM

    Let me see...

    I configure SNMP to pull the ARP table.

    ClearPass gets a notification about a new device.

    ClearPass tries to profile using SNMP; it doesn't work because it's a Windows PC.

    ClearPass tries to profile using WMI, but as this isn't a corporate computer, the credentials don't work.

    Is this correct? Will only nmap checking the ports work to profile the device?



  • 13.  RE: Profiling for static IP

    EMPLOYEE
    Posted Jul 06, 2020 07:56 AM

    Yes, if passive fingerprinting fails then NMAP / WMI is the way to go.