Wireless Access

Hi there,

Problem : Can IF-MAP collecter in Mobility Controller send Endpoint data to clearpass before endpoint hitting authentication service?

I am working on solution to prevent MAC spoofing for MAC only authentication service in clearpass 6.7. The problem with traditional Endpoint profile collecters like DHCP Fingerprinting, AP will collect Endpoint data after authentication which is useless in case of MAC Spoofing prevention. I have found that IFMAP in controller can pass endpoint data before authentication so that I can identify Endpoint profiler conflict and block them. Is it possible??

 Thanks!

The IF-MAP collector in the controller can only identify the device based on the user-agent when the device browses or communicates over port 80.  So that means the device would have had to be connected to the network and opened a browser or communicated with an application over port 80 first before it can be identified.  You can see what has been identified already on an MD (controller) by typing "show aaa device-id-cache"

Thanks cjosph,

Is there any workaround for this problem? Our Printers will support only mac authentication.

There is no workaround.  IF-MAP is specifically for devices that can be identified when they communicate on port 80; typically with a web browser.

IF-MAP should always be configured. The printer may be communicating on port 80 to a software update server (for example).