Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

extensions - how can you find out what ones are available in 6.7.6

  • 1.  extensions - how can you find out what ones are available in 6.7.6

    Posted Oct 02, 2018 08:12 AM

    In CPPM guest / extensions there is an install extension option .... it even allows you to search for an extension to install .... how can you wild card the search so you get a list of available extensions ?

    * returns nothing

     

    A



  • 2.  RE: extensions - how can you find out what ones are available in 6.7.6

    EMPLOYEE
    Posted Oct 04, 2018 11:23 AM

    As far as I know, there is no reverse search for extensions from ClearPass. What probably comes closest is to check the Technotes folder on the support website. Extensions need documentation, and that is a Technote.

     

    If you are looking for a specific integration, it is best to contact your partner or local Aruba SE to find out if that might be on the roadmap.

     

    Also, keep an eye on the ClearPass Quarterly Integration Update Newsletter to be notified on new integrations.



  • 3.  RE: extensions - how can you find out what ones are available in 6.7.6

    Posted Oct 04, 2018 11:35 AM

    o.k. lots of interesting stuff in there so have downloaded docs for some light reading. However, main grumble is I can't find any docn about creating customised fingerprints and how to use them. Had some info from a support call so getting there, but all the API docn I've seen doesn't cover fingerprints



  • 4.  RE: extensions - how can you find out what ones are available in 6.7.6

    EMPLOYEE
    Posted Oct 04, 2018 11:58 AM

    Not on the API, but on using the normal UI to create custom fingerprints you can check out this video.



  • 5.  RE: extensions - how can you find out what ones are available in 6.7.6

    Posted Oct 04, 2018 12:13 PM

    Yup good video, however I'm always "twitchy" about using a fingerprint that might overwrite lots of devices because the dhcp.options.... are common.

     

    My initial custom fingerprint was for an Amazon Echo device that had a new MAC OUI that wasn't in the Aruba ClearPass version. What I wanted to do was create a fingerprint that let me specify a new version of the Aruba one.

    What I started with was 

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <TipsContents xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
      <TipsHeader exportTime="Tue Jul 24 12:38:04 BST 2018" version="6.7"/>
      <!--
        Date: 27/07/18
        Name: Amazon-echo-fingerprint.xml
        Function: Create a locally defined fingerprint category="Home Audio/Video Equipment" family="Amazon" name="UoY Amazon Echo". Take the standard ClearPass definition and add the OUI of the device on my desk to the list of known ones.
      -->
      <DeviceFingerprints>
        <DeviceFingerprint category="Home Audio/Video Equipment" family="Amazon" name="UoY Amazon Echo">
          <FingerprintRules>
            <FingerprintRule match-conditions="ALL">
              <RuleCondition name="mac_vendor" operator="contains" value="Amazon"/>
              <RuleCondition name="device.family" operator="contains" value="Android"/>
              <!-- OUI prefixes for the default ClearPass Amazon Echo fingerprint and addition of the one on my desk -->
              <RuleCondition name="mac" operator="contains">
                <valueList>[34d270 40b4cd fca667 4cefc0 8871e5]</valueList>
              </RuleCondition>
              <RuleCondition name="dhcp.option60" operator="contains">
                <valueList>["dhcpcd-5.5.6"]</valueList>
              </RuleCondition>
              <RuleCondition name="dhcp.option55" operator="contains">
                <valueList>["1,33,3,6,15,28,51,58,59"]</valueList>
              </RuleCondition>
              <RuleCondition name="dhcp.options" operator="contains">
                <valueList>["53,50,57,60,12,55"]</valueList>
              </RuleCondition>
            </FingerprintRule>
          </FingerprintRules>
        </DeviceFingerprint>
      </DeviceFingerprints>
    </TipsContents>

     

    You can then do what you did in the video and select the options available in the xml file.

     

    Problem with the video version is that you can't specify MAC OUI values or user agent strings that contain something as opposed to being an exact match.

     

    Also my import might have broken something (6.7.6, got a TAC call open) as I can't delete custom fingerprints or export them and profiling seems to have stopped on my dev server ... so more info required.

     

    Trying it on a 6.7.5 server resulted in the master publisher updating what looked like all endpoint entries to be the custom fingerprint.

     

    A
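
An offline dry run for the concern in post 5 about a fingerprint matching too many devices; this is an added example, not part of the thread and not Aruba code. It parses a fingerprint file in the format posted above and counts hits against an endpoint list before anything is imported. The matching model (a condition holds when any listed value is a substring of the attribute, `ALL` means every condition must hold, anything else is treated as any-of), the endpoint records and the function names are assumptions, not ClearPass's documented profiler behaviour.

```python
import shlex
import xml.etree.ElementTree as ET
NS = {"t": "http://www.avendasys.com/tipsapiDefs/1.0"}
# Constructed sample: the posted fingerprint trimmed to three of its conditions.
FINGERPRINT_XML = """<TipsContents xmlns="http://www.avendasys.com/tipsapiDefs/1.0"><DeviceFingerprints>
<DeviceFingerprint category="Home Audio/Video Equipment" family="Amazon" name="UoY Amazon Echo">
<FingerprintRules><FingerprintRule match-conditions="ALL">
  <RuleCondition name="mac_vendor" operator="contains" value="Amazon"/>
  <RuleCondition name="mac" operator="contains"><valueList>[34d270 40b4cd fca667 4cefc0 8871e5]</valueList></RuleCondition>
  <RuleCondition name="dhcp.option55" operator="contains"><valueList>["1,33,3,6,15,28,51,58,59"]</valueList></RuleCondition>
</FingerprintRule></FingerprintRules>
</DeviceFingerprint></DeviceFingerprints></TipsContents>"""

# Constructed endpoint inventory; every attribute value here is hypothetical.
ENDPOINTS = [
    {"id": "echo-desk", "mac_vendor": "Amazon Technologies Inc.",
     "mac": "8871e5aabbcc", "dhcp.option55": "1,33,3,6,15,28,51,58,59"},
    {"id": "android-phone", "mac_vendor": "Samsung Electronics",
     "mac": "a0b1c2ddeeff", "dhcp.option55": "1,33,3,6,15,28,51,58,59"},
    {"id": "kindle", "mac_vendor": "Amazon Technologies Inc.",
     "mac": "f0272d112233", "dhcp.option55": "1,3,6,15,28,51,58,59"},
]

def load_rules(xml_text):
    """Parse the file; an ET.ParseError here means it is not well-formed XML."""
    rules = []
    for fp in ET.fromstring(xml_text).iterfind(".//t:DeviceFingerprint", NS):
        for rule in fp.iterfind(".//t:FingerprintRule", NS):
            conds = []
            for c in rule.iterfind("t:RuleCondition", NS):
                vl = c.find("t:valueList", NS)  # bracketed list, quoted or bare tokens
                vals = shlex.split((vl.text or "").strip().strip("[]")) if vl is not None else [c.get("value", "")]
                conds.append((c.get("name"), [v.lower() for v in vals if v]))
            rules.append((fp.get("name"), rule.get("match-conditions"), conds))
    return rules

def hits(endpoints, attr, values):
    """ASSUMED semantics: a condition holds if any listed value is a substring."""
    return {e["id"] for e in endpoints if any(v in e.get(attr, "").lower() for v in values)}

def dry_run(xml_text, endpoints):
    """Per fingerprint: ids matched by the whole rule, and hit count per condition."""
    report = {}
    for name, mode, conds in load_rules(xml_text):
        per_cond = {attr: hits(endpoints, attr, vals) for attr, vals in conds}
        combine = set.intersection if mode == "ALL" else set.union  # non-ALL assumed any-of
        matched = combine(*per_cond.values()) if per_cond else set()
        report[name] = (sorted(matched), {a: len(s) for a, s in per_cond.items()})
    return report
```

On the constructed inventory the DHCP option 55 condition alone hits two of three endpoints, while the MAC prefix list narrows the full rule to one; the per-condition counts show which conditions are doing the narrowing.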

     



  • 6.  RE: extensions - how can you find out what ones are available in 6.7.6

    EMPLOYEE
    Posted Oct 08, 2018 08:39 AM

    If you have a TAC case open already, please also ask them to get the new MAC prefix added to the fingerprint database. You can ask your Aruba ClearPass SE to initiate such an update as well. Having it added to the database helps others as well.