Security

Issue:
Various devices are missing the "endpoint profile" section in ClearPass while other devices have the "endpoint profile"

After looking at the "show logs" for the endpoint in Aruba I found this error message
2022-11-03 10:47:12,237 [AuthReqThreadPool-21-0x7fe0713ec700 r=R000118f2-01-6363d470 h=74] ERROR ExtDB.DBQuery - ResultSet is empty
2022-11-03 10:47:12,237 [AuthReqThreadPool-21-0x7fe0713ec700 r=R000118f2-01-6363d470 h=74] ERROR ExtDB.DBQuery - Failed to get value for attributes=Category, OS Family]
When a client connects to the wifi some of the devices (it seems to be random) "Fail to get Device Category/OS Family this causing issues with the way our services is setup, but I can not seem to figure out why this is happening. Any help would be GREATLY appreciated.

Environment:
1-primary Mobility Conductor and a Backup Mobility Conductor
12-Aruba controllers managed by the Mobility Conductor
The WLCs connect to a publisher Clearpass server and a Backup ClearPass server
DHCP is handled by an external Windows Server

My experience is that this is usually problem with device profiling. Maybe dhcp relay messages were not received by clearpass or device is using static IP address. Check endpoint database to see what fingerprints are for these devices.

It's a tricky problem to cope with. Many new android mobile devices are recognized as linux servers and not smart devices and I define new fingerprints rules to recognize it correctly. I also have setup Device Insight profiler but still need custom rules for many android devices to be recognized as smart devices. 

You can also schedule active profiling in Clearpass or Device Insight so it will scan devices and provide more accurate profile information.

Error you see just state that device has no required attributes defined in endpoint database yet.

Hope this helps, Gorazd

------------------------------
Gorazd Kikelj
------------------------------

Original Message:
Sent: Nov 08, 2022 11:24 AM
From: Justin Anderson
Subject: ClearPass-Missing Enpoint Profile In ClearPass

Issue:
Various devices are missing the "endpoint profile" section in ClearPass while other devices have the "endpoint profile"

After looking at the "show logs" for the endpoint in Aruba I found this error message
2022-11-03 10:47:12,237 [AuthReqThreadPool-21-0x7fe0713ec700 r=R000118f2-01-6363d470 h=74] ERROR ExtDB.DBQuery - ResultSet is empty
2022-11-03 10:47:12,237 [AuthReqThreadPool-21-0x7fe0713ec700 r=R000118f2-01-6363d470 h=74] ERROR ExtDB.DBQuery - Failed to get value for attributes=Category, OS Family]
When a client connects to the wifi some of the devices (it seems to be random) "Fail to get Device Category/OS Family this causing issues with the way our services is setup, but I can not seem to figure out why this is happening. Any help would be GREATLY appreciated.

Environment:
1-primary Mobility Conductor and a Backup Mobility Conductor
12-Aruba controllers managed by the Mobility Conductor
The WLCs connect to a publisher Clearpass server and a Backup ClearPass server
DHCP is handled by an external Windows Server

whats your clearpass version?

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
------------------------------

Original Message:
Sent: Nov 10, 2022 02:24 AM
From: Gorazd Kikelj
Subject: ClearPass-Missing Enpoint Profile In ClearPass

My experience is that this is usually problem with device profiling. Maybe dhcp relay messages were not received by clearpass or device is using static IP address. Check endpoint database to see what fingerprints are for these devices.

It's a tricky problem to cope with. Many new android mobile devices are recognized as linux servers and not smart devices and I define new fingerprints rules to recognize it correctly. I also have setup Device Insight profiler but still need custom rules for many android devices to be recognized as smart devices.

You can also schedule active profiling in Clearpass or Device Insight so it will scan devices and provide more accurate profile information.

Error you see just state that device has no required attributes defined in endpoint database yet.

Hope this helps, Gorazd

------------------------------
Gorazd Kikelj

Original Message:
Sent: Nov 08, 2022 11:24 AM
From: Justin Anderson
Subject: ClearPass-Missing Enpoint Profile In ClearPass

Issue:
Various devices are missing the "endpoint profile" section in ClearPass while other devices have the "endpoint profile"

After looking at the "show logs" for the endpoint in Aruba I found this error message
2022-11-03 10:47:12,237 [AuthReqThreadPool-21-0x7fe0713ec700 r=R000118f2-01-6363d470 h=74] ERROR ExtDB.DBQuery - ResultSet is empty
2022-11-03 10:47:12,237 [AuthReqThreadPool-21-0x7fe0713ec700 r=R000118f2-01-6363d470 h=74] ERROR ExtDB.DBQuery - Failed to get value for attributes=Category, OS Family]
When a client connects to the wifi some of the devices (it seems to be random) "Fail to get Device Category/OS Family this causing issues with the way our services is setup, but I can not seem to figure out why this is happening. Any help would be GREATLY appreciated.

Environment:
1-primary Mobility Conductor and a Backup Mobility Conductor
12-Aruba controllers managed by the Mobility Conductor
The WLCs connect to a publisher Clearpass server and a Backup ClearPass server
DHCP is handled by an external Windows Server

Hi Ariyap.

My CPPM version s currently 6.10.7. Vinshinkel what is your version?

Best, Gorazd

------------------------------
Gorazd Kikelj
------------------------------

Original Message:
Sent: Nov 10, 2022 06:26 AM
From: Ariya Parsamanesh
Subject: ClearPass-Missing Enpoint Profile In ClearPass

whats your clearpass version?

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.

Original Message:
Sent: Nov 10, 2022 02:24 AM
From: Gorazd Kikelj
Subject: ClearPass-Missing Enpoint Profile In ClearPass

My experience is that this is usually problem with device profiling. Maybe dhcp relay messages were not received by clearpass or device is using static IP address. Check endpoint database to see what fingerprints are for these devices.

It's a tricky problem to cope with. Many new android mobile devices are recognized as linux servers and not smart devices and I define new fingerprints rules to recognize it correctly. I also have setup Device Insight profiler but still need custom rules for many android devices to be recognized as smart devices.

You can also schedule active profiling in Clearpass or Device Insight so it will scan devices and provide more accurate profile information.

Error you see just state that device has no required attributes defined in endpoint database yet.

Hope this helps, Gorazd

------------------------------
Gorazd Kikelj

Original Message:
Sent: Nov 08, 2022 11:24 AM
From: Justin Anderson
Subject: ClearPass-Missing Enpoint Profile In ClearPass

Issue:
Various devices are missing the "endpoint profile" section in ClearPass while other devices have the "endpoint profile"

After looking at the "show logs" for the endpoint in Aruba I found this error message
2022-11-03 10:47:12,237 [AuthReqThreadPool-21-0x7fe0713ec700 r=R000118f2-01-6363d470 h=74] ERROR ExtDB.DBQuery - ResultSet is empty
2022-11-03 10:47:12,237 [AuthReqThreadPool-21-0x7fe0713ec700 r=R000118f2-01-6363d470 h=74] ERROR ExtDB.DBQuery - Failed to get value for attributes=Category, OS Family]
When a client connects to the wifi some of the devices (it seems to be random) "Fail to get Device Category/OS Family this causing issues with the way our services is setup, but I can not seem to figure out why this is happening. Any help would be GREATLY appreciated.

Environment:
1-primary Mobility Conductor and a Backup Mobility Conductor
12-Aruba controllers managed by the Mobility Conductor
The WLCs connect to a publisher Clearpass server and a Backup ClearPass server
DHCP is handled by an external Windows Server

Note that the first time a client connects, there is no profiling data by definition. As a best practice put clients that are not profiled into a role/VLAN that allows profiling (and it does not need to allow anything else). Then trigger a CoA once the profiling information has been received.

If you deny access, new clients will never be profiled.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Nov 08, 2022 11:24 AM
From: Justin Anderson
Subject: ClearPass-Missing Enpoint Profile In ClearPass

Issue:
Various devices are missing the "endpoint profile" section in ClearPass while other devices have the "endpoint profile"

After looking at the "show logs" for the endpoint in Aruba I found this error message
2022-11-03 10:47:12,237 [AuthReqThreadPool-21-0x7fe0713ec700 r=R000118f2-01-6363d470 h=74] ERROR ExtDB.DBQuery - ResultSet is empty
2022-11-03 10:47:12,237 [AuthReqThreadPool-21-0x7fe0713ec700 r=R000118f2-01-6363d470 h=74] ERROR ExtDB.DBQuery - Failed to get value for attributes=Category, OS Family]
When a client connects to the wifi some of the devices (it seems to be random) "Fail to get Device Category/OS Family this causing issues with the way our services is setup, but I can not seem to figure out why this is happening. Any help would be GREATLY appreciated.

Environment:
1-primary Mobility Conductor and a Backup Mobility Conductor
12-Aruba controllers managed by the Mobility Conductor
The WLCs connect to a publisher Clearpass server and a Backup ClearPass server
DHCP is handled by an external Windows Server