ClearPass Profile Conflict

  • 1.  ClearPass Profile Conflict

    Posted Jul 21, 2017 11:05 AM

    Is there a way in ClearPass to modify the device Category/OS Family/Name so ClearPass does not come up with a conflict again? Or worse yet, ClearPass changing the Device Category/OS Family/Name back to what it thinks the device is?

    I thought ClearPass was a database, what is the point of modifying a device if the system is going to change it back!



  • 2.  RE: ClearPass Profile Conflict

    EMPLOYEE
    Posted Jul 21, 2017 11:21 AM

    If the same fingerprint is used again, it will use the same profile entry.

    The reason it changes is that a profile conflict is a very important part of a network policy to determine if a user has attempted to spoof a MAC address.



  • 3.  RE: ClearPass Profile Conflict

    Posted Jul 21, 2017 11:39 AM
    If I manually identify a device, I do not want ClearPass changing the settings. I do not want CP telling me my Apple TV is an Aruba AP, nor do I want CP telling me an Apple Watch is a smart iOS device.

    So in short you're telling me that CP will override any device ID I set?

    Gary Naeger
    Network & Systems Engineer
    Planning, Research & Technology | Maryville University
    650 Maryville University Drive, St. Louis MO 63141
    (314) 529-9431
    Gander Hall, Room 4A
    gnaeger@maryville.edu



  • 4.  RE: ClearPass Profile Conflict

    MVP
    Posted Jul 21, 2017 11:43 AM

    You are free to create any Endpoint attribute you need. I have some custom ones myself.

    ClearPass is free to update any Profiling attribute it internally uses too.

    tl;dr You need to create your own custom attribute and perhaps open a TAC case on misidentifying fingerprints.



  • 5.  RE: ClearPass Profile Conflict

    Posted Jul 21, 2017 11:59 AM

    So I can apply a CP policy to a device based on an attribute? I will have to look into that a little more.

    We track campus ATVs in JAMF (Casper). Using CP and the mobility controller I have a policy/ACL that if the device is identified as an ATV it has internet access only. Users on the guest network or secure network can use the ATV for presentation.



  • 6.  RE: ClearPass Profile Conflict

    EMPLOYEE
    Posted Jul 21, 2017 12:00 PM

    AppleTV was just an example.



  • 7.  RE: ClearPass Profile Conflict

    MVP
    Posted Jul 21, 2017 12:01 PM

    That would not work for us since the majority of our Apple TVs, for instance, are personally owned, usually by students.

    We do not want them in our JAMF.



  • 8.  RE: ClearPass Profile Conflict

    EMPLOYEE
    Posted Jul 21, 2017 12:09 PM

    Bruce - I've never come across an iOS device profiled incorrectly. Please open a TAC case if you're seeing that.



  • 9.  RE: ClearPass Profile Conflict

    EMPLOYEE
    Posted Jul 21, 2017 11:43 AM

    So if someone were to grab the AppleTV's MAC address and use it on their laptop to bypass network registration/security, you wouldn't want to know that?

    This is a core feature.

    If something is incorrectly being reprofiled, you should open a TAC case.



  • 10.  RE: ClearPass Profile Conflict

    MVP
    Posted Jul 21, 2017 11:46 AM

    I do not want Apple TVs identified as Aruba APs.

    I currently do not trust profiling information but it is not currently using DHCP information here.



  • 11.  RE: ClearPass Profile Conflict

    EMPLOYEE
    Posted Jul 21, 2017 11:48 AM

    Then a TAC case should be opened. That is not correct.

    There's a difference between conflict detection and incorrect profiling.
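
Added example, not part of any post above and not ClearPass code or its API: a simplified Python model of the behaviour the replies describe, where profiler-owned fields are rewritten and a conflict is raised when the fingerprint behind a MAC changes category, while an admin-defined custom attribute is left alone. The class, the attribute name `Site-Device-Type`, the role names and the sample values are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Endpoint:
    mac: str
    category: str      # profiler-owned: rewritten whenever the fingerprint changes
    os_family: str
    name: str
    conflict: bool = False
    custom: dict = field(default_factory=dict)  # admin-owned: profiler never writes here

def reprofile(ep, category, os_family, name):
    """Apply a newly observed fingerprint to the stored endpoint record."""
    new = (category, os_family, name)
    if new == (ep.category, ep.os_family, ep.name):
        return ep                    # same fingerprint, same profile entry
    if category != ep.category:
        ep.conflict = True           # different class of device behind one MAC
    ep.category, ep.os_family, ep.name = new
    return ep

def enforce(ep):
    """Choose a role: conflict first, then the admin attribute, then a default."""
    if ep.conflict:
        return "quarantine"          # hypothetical role name
    if ep.custom.get("Site-Device-Type") == "AppleTV":
        return "internet-only"       # hypothetical role name
    return "default"

def demo():
    # Constructed sample data: an Apple TV tagged by an admin.
    atv = Endpoint("aa:bb:cc:00:00:01", "SmartDevice", "Apple", "Apple TV",
                   custom={"Site-Device-Type": "AppleTV"})
    roles = [enforce(atv)]
    # The same fingerprint is seen again: nothing changes.
    reprofile(atv, "SmartDevice", "Apple", "Apple TV")
    roles.append(enforce(atv))
    # A laptop fingerprint now appears behind the Apple TV's MAC address.
    reprofile(atv, "Computer", "Windows", "Windows 10")
    roles.append(enforce(atv))
    return atv, roles

if __name__ == "__main__":
    endpoint, roles = demo()
    print(roles, endpoint)
```

Because the conflict check runs before the custom attribute is consulted, the manual tag survives re-profiling but cannot be used to keep the internet-only role once the fingerprint stops matching.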



  • 12.  RE: ClearPass Profile Conflict

    Posted Jul 21, 2017 11:52 AM

    Ease of access is more important. I have firewalled my datacenter. If they look like an ATV the only place they can go is the Internet. Then any "Guest" or anyone on the secure WLAN can access their device using AirPlay.