Occasional Contributor II

Query Endpoint Repository for VPN device

How do I query the endpoint repository for a device that presents no host mac address?

In my case, Cisco Anyconnect doesn't present this, only a Cisco AVPair of mdm-tlv=device-mac=XX-XX-XX-XX-XX-XX

I want to be able to query its Endpoint EMM attributes (ie. MDM Enabled).

Moderator

Re: Query Endpoint Repository for VPN device

Try this (assuming you're on 6.8.0+):

1. Go to Administration > Server Manager > Server Configuration and select the ClearPass server.
2. On the Service Parameters tab, in the Select Service drop-down list select RADIUS server.
3. Scroll down to the Main parameters and select yes for the Parse Cisco-AVPair to get device mac option, and then click Save.

If this response is more than 1 year old, it may no longer be accurate. Please consult official Aruba documentation, TAC or your Aruba SE.

| Aruba Alumni | @timcappalli | timcappalli.me |

Occasional Contributor II

Re: Query Endpoint Repository for VPN device

Ah thanks Tim. Currently on 6.7.12 - holding back on the 6.8 upgrade to the new year.

Frequent Contributor I

Re: Query Endpoint Repository for VPN device

Tim, this is great! However it overwrites the insightdb radius_acct.calling_station_id with the mac address of the client. Now it seems I don't have access to the originating IP address of the VPN client unless this is getting written into the endpoints table now?

Update: I looked through the radius_acct, auth, endpoints and I can no longer find the originating IP address of the client. I guess I'll disable this for now as the originating IP is more important than the MAC for now.

Tim, Can we find a way to get both the MAC and the originating IP?

Thanks!

Occasional Contributor I

Re: Query Endpoint Repository for VPN device

Trying to leverage this feature. I enabled the option under RADIUS server parameters to parse the Cisco-AVPair for the client's MAC address. Looking at an authentication request from the ASA in my lab (ASA5505), the authentication request includes the Cisco-AVPair mdm-tlv=device-mac, but not device-public-mac.

I see this log in the ClearPass logs.

INFO RadiusServer.Radius - rlm_service: device-public-mac= value not present in any of Cisco-AVPairs

So it looks like ClearPass is parsing for device-public-mac, not device-mac. Is there a specific version I need for this to work?

Running ClearPass 6.9.2
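Added example, not code from the thread or from ClearPass: a small Python parser for the Cisco-AVPair mdm-tlv format discussed above. It keeps the RADIUS Calling-Station-Id separate from the parsed MAC (the overwrite concern raised earlier in the thread) and returns no MAC when neither key is present, the situation behind the "value not present" log line. The key names device-mac and device-public-mac are the ones quoted in the thread; the lookup order and the sample values are this example's own assumptions, not ClearPass behaviour.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of Cisco-AVPair values as a VPN headend might send them in
# an Access-Request (example data only, not captured from a real device).
SAMPLE_AVPAIRS: List[str] = [
    "mdm-tlv=device-platform=win",
    "mdm-tlv=device-mac=00-1A-2B-3C-4D-5E",
    "mdm-tlv=device-type=Example Laptop",
]

# Constructed sample Calling-Station-Id (the VPN client's public IP).
SAMPLE_CALLING_STATION_ID = "203.0.113.45"


def parse_mdm_tlvs(avpairs: List[str]) -> Dict[str, str]:
    """Return the key/value pairs carried in mdm-tlv=<key>=<value> AVPairs."""
    tlvs: Dict[str, str] = {}
    for pair in avpairs:
        if not pair.startswith("mdm-tlv="):
            continue  # other AVPairs (e.g. ACL names) are ignored
        key, sep, value = pair[len("mdm-tlv="):].partition("=")
        if sep:
            tlvs[key.strip()] = value.strip()
    return tlvs


def normalize_mac(raw: str) -> Optional[str]:
    """Normalize XX-XX-XX-XX-XX-XX (or colon/dot forms) to 12 lowercase hex digits."""
    digits = re.sub(r"[-:.]", "", raw)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        return None  # garbage or truncated value: do not treat it as a MAC
    return digits.lower()


def device_mac_from_avpairs(avpairs: List[str],
                            keys: Tuple[str, ...] = ("device-public-mac", "device-mac")) -> Optional[str]:
    """Return the first valid MAC found under the given keys, in order (assumed order)."""
    tlvs = parse_mdm_tlvs(avpairs)
    for key in keys:
        mac = normalize_mac(tlvs[key]) if key in tlvs else None
        if mac:
            return mac
    return None


def enrich_request(calling_station_id: str, avpairs: List[str]) -> Dict[str, Optional[str]]:
    """Keep the original Calling-Station-Id and add the parsed MAC as a separate field."""
    return {"calling_station_id": calling_station_id,
            "device_mac": device_mac_from_avpairs(avpairs)}
```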
