Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

SPAN and External Addresses

  • 1.  SPAN and External Addresses

    Posted Nov 06, 2018 08:26 AM

    Hi there,

    I enabled SPAN to listen for DHCP and User-Agent data, and then set up my switches to mirror traffic to the Data port. Everything is working, functionality-wise.

    But the problem is that ClearPass is creating an Endpoint for each external (say, "on the internet") address, so now I have thousands of external public IPs in the database.

    Is there a way to limit ClearPass to only process traffic on the SPAN that matches private IPs?

    Thanks
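    The filtering the question asks for, shown as an added example that is not part of this thread and not ClearPass code: a small Python pre-filter that keeps only profiling records whose source address falls in RFC 1918 or IPv6 unique-local space (or site-specific ranges passed in), so addresses seen on the mirror port that belong to the outside never turn into endpoint records. The record layout and all sample values are constructed; `is_internal`, `filter_records` and `internal_networks` are hypothetical names, not ClearPass APIs.

```python
"""Pre-filter SPAN-derived profiling records down to internal source addresses.

Added example: a stand-alone filter in front of whatever consumes the mirror
feed, not ClearPass functionality. Record layout and sample values are constructed.
"""
import ipaddress

# RFC 1918 IPv4 ranges plus the IPv6 unique-local block. Listed explicitly
# rather than relying on ipaddress.is_private, which also flags documentation
# and benchmarking ranges such as 192.0.2.0/24 and 2001:db8::/32 as "private".
DEFAULT_INTERNAL = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")
]

# Constructed sample records: (source IP, attribute, value), roughly what a
# profiler could derive from mirrored DHCP and HTTP traffic.
SAMPLE_RECORDS = [
    ("10.20.30.40", "user-agent", "Mozilla/5.0 (Linux; Android 9)"),
    ("93.184.216.34", "tcp-fingerprint", "win=65535,ttl=53"),
    ("192.168.1.5", "dhcp-option-55", "1,3,6,15,119,252"),
    ("2001:db8::1", "user-agent", "curl/7.64.0"),
    ("fd12:3456::7", "user-agent", "Mozilla/5.0 (iPhone; CPU iPhone OS 12_0)"),
    ("172.16.0.9", "tcp-fingerprint", "win=29200,ttl=64"),
    ("8.8.8.8", "dhcp-option-55", "1,3,6"),
    ("not-an-ip", "user-agent", "garbage"),
]


def internal_networks(cidrs):
    """Extend the defaults with site-specific ranges, e.g. public space that a
    site routes internally (hypothetical helper)."""
    return DEFAULT_INTERNAL + [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_internal(ip_str, networks=None):
    """True when ip_str parses and lies inside one of the allowed networks."""
    networks = DEFAULT_INTERNAL if networks is None else networks
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # malformed source: never create an endpoint for it
    # `ip in net` is False on an IPv4/IPv6 mismatch, so a mixed list is safe
    return any(ip in net for net in networks)


def filter_records(records, networks=None):
    """Split records into (kept, dropped) by source-address membership."""
    kept, dropped = [], []
    for rec in records:
        (kept if is_internal(rec[0], networks) else dropped).append(rec)
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = filter_records(SAMPLE_RECORDS)
    print(f"kept {len(kept)} internal records, dropped {len(dropped)}")
    for ip, attr, _ in dropped:
        print(f"  ignored external or invalid source {ip} ({attr})")
```

    Listing the allowed prefixes explicitly matters: Python's `is_private` treats documentation and benchmark ranges as private, so an address like 2001:db8::1 would slip through, and a site that uses registered public space internally needs to add it via `internal_networks` rather than rely on any built-in notion of "private".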




  • 2.  RE: SPAN and External Addresses

    EMPLOYEE
    Posted Nov 06, 2018 10:40 AM

    Honestly, DHCP data for your client subnets should be plenty.  So just the secondary helper address pointing to ClearPass should be enough.



  • 3.  RE: SPAN and External Addresses

    Posted Nov 06, 2018 12:04 PM

    I guess you missed that I also want user-agent (and tcp fingerprint).



  • 4.  RE: SPAN and External Addresses

    EMPLOYEE
    Posted Nov 06, 2018 12:06 PM

    I was wondering what you were trying to do with that information, beyond the operating system.



  • 5.  RE: SPAN and External Addresses

    EMPLOYEE
    Posted Nov 06, 2018 12:08 PM

    If this is an Aruba wireless environment, the user agent is sent to ClearPass by the controller via IF-MAP.


  • 6.  RE: SPAN and External Addresses

    Posted Nov 06, 2018 12:53 PM

    Profiling.




  • 7.  RE: SPAN and External Addresses

    EMPLOYEE
    Posted Nov 06, 2018 05:03 PM

    You can profile with a helper address and you can provide more resolution by configuring IF-MAP on your Aruba Controller, if that is in play.



  • 8.  RE: SPAN and External Addresses

    Posted Nov 07, 2018 04:21 AM

    Aruba added the capability to profile User-Agent and TCP Fingerprint using SPAN. Why would they add that if it was not needed?

    Say you do not have an Aruba switch, or you have devices with the same embedded Linux but with different features? You need the user-agent to properly classify them.

    If it is not possible to tell ClearPass what IPs it should consider and what IPs it should ignore (basically, everything that is not part of my private network), then the feature is worthless.



  • 9.  RE: SPAN and External Addresses

    EMPLOYEE
    Posted Nov 07, 2018 04:45 AM

    Span was added to supplement other profiling methods to give users options to obtain profiling information.  It is by no means the only way to obtain http user agent information; there are other methods:  https://community.arubanetworks.com/aruba/attachments/aruba/ForoenEspanol/653/1/ClearPass%20Profiling%20TechNote.pdf  Span is certainly not a worthless feature.


    If you think features should be added to the Span functionality, please register that request here:  https://innovate.arubanetworks.com/portal_session/new



  • 10.  RE: SPAN and External Addresses

    Posted Nov 07, 2018 05:11 AM

    https://www.arubanetworks.com/techdocs/ClearPass/CP_ReleaseNotes_6.7.0/Default.htm#WhatsNew/NewFeatures_ProfilerNWDiscovery.htm

    "SPAN ports are now enabled to capture HTTP User Agent traffic. (#38568)"

    Then why add this if it is a "worthless feature"?

    I'm quite curious how you would get the HTTP user agent or TCP fingerprint from non-Aruba switches without SPAN.



  • 11.  RE: SPAN and External Addresses

    EMPLOYEE
    Posted Nov 07, 2018 05:18 AM

    I provided a link to the profile document above that shows other methods to obtain the user agent information.




  • 12.  RE: SPAN and External Addresses

    Posted Nov 07, 2018 05:19 AM

    None will work for a Catalyst (Pre 9x00) switch.

    Well... except SPAN.



  • 13.  RE: SPAN and External Addresses

    EMPLOYEE
    Posted Nov 07, 2018 08:18 AM

    Just out of curiosity, why do you want the user agent? More and more traffic is encrypted these days, making the UA harder to grab. Also, anyone can spoof a UA in 3 clicks.

    Also, if you're using Cisco switches, the Device Sensor feature can be configured to pass the User Agent.