Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass rejecting a desktop computer because it is not getting Crowdstrike inputs

  • 1.  Clearpass rejecting a desktop computer because it is not getting Crowdstrike inputs

    Posted 18 days ago

    Hello,

    I am fairly new to Aruba networking and Clearpass.  I have logged tickets with both Aruba and Crowdstrike but unfortunately am not making much progress and am looking for some additional help.

    We have a desktop computer that cannot connect to our wired network because it is being rejected by Clearpass.  It is being rejected because Clearpass is not getting the Crowdstrike Antivirus software inputs for this particular computer.  There is only one computer affected by this.
     
    Aruba Support advised me Clearpass queries the Crowdstrike Admin Server to check if the host has Crowdstrike installed.
     
    I confirmed Crowdstrike is installed on the client computer and we can see the computer in the Crowdstrike Admin Console under Hosts.  The computer shows the MAC Address of the Wireless NIC, not the Wired NIC.  My understanding is that the Crowdstrike Admin Console displays the IP Address and MAC Address of how the computer last connected to the Crowdstrike Admin server.
     
    Is Clearpass querying the Crowdstrike Admin Server for hosts based on MAC Address and because it is not finding a match rejecting the computer?
     
    Clearpass is not even getting the Crowdstrike inputs and is rejecting the computer from establishing a wired connection.  I can't get the desktop computer onto the wired network at all.
     
    Has anyone encountered this before and know what steps to take to fix this?


  • 2.  RE: Clearpass rejecting a desktop computer because it is not getting Crowdstrike inputs

    EMPLOYEE
    Posted 17 days ago

    Yes, the information from CrowdStrike is stored in the Endpoint DB which means the device MAC address must match the endpoint entry.

    Make sure that the latest version of the extension is installed and that the CrowdStrike attributes are present for the endpoint in question.

    https://support.hpe.com/hpesc/public/docDisplay?docId=a00100307en_us



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 3.  RE: Clearpass rejecting a desktop computer because it is not getting Crowdstrike inputs

    EMPLOYEE
    Posted 17 days ago

    Also make sure that the MAC address that the client uses is also the one that has been synced to the endpoint database. Some clients these days use randomized MAC addresses, which breaks the lookup by MAC address, unless you include MAC (or other device identifier) information in your certificate.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 4.  RE: Clearpass rejecting a desktop computer because it is not getting Crowdstrike inputs

    Posted 17 days ago
    Hi Chulcher and Herman,
     
    Thank you both so much for your response.
     
    I believe the problem was caused because the Crowdstrike sensor was installed when the Wireless network was connected.
    So the endpoint is tied to the MAC Address for the Wireless NIC inside the Crowdstrike Database.
     
    We need the endpoint to be associated to the MAC Address for the Wired NIC.
     
    The problem is I don't know how to do this because Clearpass is blocking the Wired connection because it thinks Crowdstrike is not installed.
     
    I can uninstall and reinstall the Crowdstrike sensor but the problem is we cannot register the host with the Crowdstrike Database using the wired MAC Address because we cannot get onto the Wired network.
     
    How can I get Crowdstrike installed and using the MAC for the wired NIC if I can't get on the Wired network because of the Clearpass reject rule?
     
    This is only affecting 1 client.




  • 5.  RE: Clearpass rejecting a desktop computer because it is not getting Crowdstrike inputs

    Posted 15 days ago

    This morning I marked the client hidden inside the Crowdstrike Admin portal.  I connected to a network port (no Clearpass configured) and uninstalled and reinstalled Crowdstrike.  

    Inside the Crowdstrike Admin portal the MAC Address was correct (my wired NIC).  As soon as I applied Clearpass configuration to the switch port the client was rejected and we are still not getting the Crowdstrike inputs for this client.

    I logged back onto the Crowdstrike Admin portal and the MAC Address is now displaying for the Wireless NIC.  I believe it just displays the MAC Address that last connects to the Crowdstrike Admin portal.

    I have asked Crowdstrike how to check the MAC Address in the Endpoint Database.  Would anyone here know how to do that?

    Also how can I troubleshoot this further? How can I confirm why Clearpass is not getting the Crowdstrike inputs? Are there some logs I can look at that would show it is a MAC Address lookup error?




  • 6.  RE: Clearpass rejecting a desktop computer because it is not getting Crowdstrike inputs

    EMPLOYEE
    Posted 14 days ago

    If the CrowdStrike integration isn't allowing reporting of both MAC addresses (or some method of identifying the device uniquely using something other than MAC address) then you'll probably need to either look at a quarantine workflow that allows temporary and restricted access while getting a valid profile of the device, implementation of OnGuard which allows for querying of the client device posture rather than a central console, or both.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------
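
The MAC-keyed lookup discussed in replies 2, 3 and 6, as an added example that is not part of the thread and is not ClearPass or CrowdStrike code: it normalizes MAC notations, flags randomized (locally administered) addresses, and reports why a host the sensor knows about would still miss a lookup by MAC. The host names, MAC addresses and the `SENSOR_HOSTS` structure are constructed for illustration and no product API is called.

```python
import re

# Constructed sample: MACs a sensor console reported per host (assumed export shape).
SENSOR_HOSTS = {
    "DESKTOP-01": ["a4:5e:60:11:22:33"],   # only the wireless NIC was reported
    "DESKTOP-02": ["00-1B-21-00-00-02"],
}

def normalize_mac(raw):
    """Reduce colon, hyphen or dot notation to 12 lowercase hex digits."""
    digits = re.sub(r"[-:.]", "", raw.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits

def is_randomized(mac):
    """True when the locally administered bit (0x02 of the first octet) is set."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)

def diagnose(auth_mac, hostname, sensor_hosts):
    """Classify the outcome of looking up the authenticating MAC in sensor data."""
    wanted = normalize_mac(auth_mac)
    known = {normalize_mac(m) for macs in sensor_hosts.values() for m in macs}
    if wanted in known:
        return "match"                    # lookup by MAC would succeed
    if is_randomized(wanted):
        return "randomized-mac"           # client presented a private address
    if hostname in sensor_hosts:
        return "known-under-other-mac"    # host exists, keyed by a different NIC
    return "unknown-host"                 # sensor never reported this host

if __name__ == "__main__":
    # Wired NIC of DESKTOP-01 authenticating while only its Wi-Fi MAC is on record.
    print(diagnose("00-1B-21-AA-BB-CC", "DESKTOP-01", SENSOR_HOSTS))
```

A `known-under-other-mac` result corresponds to the situation in this thread: the host is registered, but under the MAC of a different interface than the one authenticating.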