Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

How to Profile using MAC OUI

  • 1.  How to Profile using MAC OUI

    Posted Feb 11, 2015 10:13 PM

    Can anyone direct me on how to set up a service that will profile a device based on MAC OUI?

     

    Thanks,



  • 2.  RE: How to Profile using MAC OUI

    EMPLOYEE
    Posted Feb 11, 2015 10:16 PM

    You can map OUI prefixes to ClearPass roles by using a role map. Example below:

     

    role-map-oui.PNG



  • 3.  RE: How to Profile using MAC OUI

    Posted Feb 11, 2015 10:39 PM

    Screen Shot 2015-02-11 at 10.39.28 PM.png

    Thanks Tim, is there a way to have the device profiled into the Identity Endpoints database with MAC OUI?



  • 4.  RE: How to Profile using MAC OUI

    EMPLOYEE
    Posted Feb 11, 2015 10:44 PM
    You mean use the MAC OUI to populate the profile information? No, there is
    not. Complete profile information cannot be derived from just the MAC OUI
    and the profile information. The category, OS and device name can only be
    populated from automagic fingerprinting (DHCP fingerprints, subnet scans,
    Onboard, ActiveSync, etc) or by manually updating the attributes in the
    database. You cannot currently update these values using a post-auth update.



    You could, however, create a custom attribute that you could update using a
    Post-Auth endpoint update after successful authentication.


  • 5.  RE: How to Profile using MAC OUI

    Posted Feb 11, 2015 10:55 PM

    Tim,

     

    That is good to know that the MAC OUI alone cannot populate the profile info. I have a bunch of static IP device PLCs (Programmable Logic Controllers) by a common vendor that need to be profiled immediately when the device connects to the network. I can't wait for an SNMP polling cycle (6 hr) for CPPM to profile the device. After profiling the device and assigning it the role of PLC, I want to use the MAC AUTH service to assign appropriate network access (like VLAN, dACL, etc.). How could this be accomplished?

     

    Thanks for your help.



  • 6.  RE: How to Profile using MAC OUI

    EMPLOYEE
    Posted Feb 11, 2015 11:02 PM

    - Create a ClearPass TIPS role: DEVICE_PLC

     (Configuration > Identity > Roles > Add)

     

    - In your MAC-auth service, add the following rule to the role map:

    mac-prefix.PNG

     

    - Then add a rule to your enforcement policy like below, replacing the enforcement profile(s) with the appropriate action.

    plc-enforcement.PNG
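
The decision flow these steps configure (MAC prefix to role, then role to enforcement profile), sketched in Python as an added example that is not part of the original post and is not ClearPass code. `DEVICE_PLC` is the role from the post; the OUI (the RFC 7042 documentation prefix), the profile names, and the choice to skip locally administered addresses are assumptions of this sketch.

```python
import re

# Constructed sample data, not values from the thread.
ROLE_MAP = {"00005E": "DEVICE_PLC"}               # OUI prefix -> role
ENFORCEMENT = {"DEVICE_PLC": "PLC-VLAN-Profile"}  # role -> profile (hypothetical name)
DEFAULT_PROFILE = "Deny-Access"                   # hypothetical fallback profile


def normalize_mac(raw):
    """Return 12 uppercase hex digits from colon, hyphen, dotted or bare input."""
    stripped = re.sub(r"[:.\-\s]", "", raw)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", stripped):
        raise ValueError(f"not a MAC address: {raw!r}")
    return stripped.upper()


def is_locally_administered(mac):
    """Bit 0x02 of the first octet means the address was not assigned from a
    vendor OUI (for example a randomized MAC), so a prefix match says nothing."""
    return bool(int(mac[:2], 16) & 0x02)


def role_for(raw_mac):
    """Role-map step: match the first three octets against the OUI table."""
    mac = normalize_mac(raw_mac)
    if is_locally_administered(mac):
        return None
    return ROLE_MAP.get(mac[:6])


def enforce(raw_mac):
    """Enforcement step: pick the profile for the mapped role, else the default."""
    try:
        role = role_for(raw_mac)
    except ValueError:
        return DEFAULT_PROFILE
    return ENFORCEMENT.get(role, DEFAULT_PROFILE)


if __name__ == "__main__":
    # Constructed test addresses in several common notations.
    for mac in ("00:00:5E:00:53:01", "0000.5e00.5301",
                "02:00:5E:00:53:01", "00-11-22-33-44-55", "not-a-mac"):
        print(f"{mac:20} -> {enforce(mac)}")
```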

     

     



  • 7.  RE: How to Profile using MAC OUI

    Posted Feb 12, 2015 07:52 AM

    Tim,

     

    That worked.  Thanks for the TIP!



  • 8.  RE: How to Profile using MAC OUI
    Best Answer

    EMPLOYEE
    Posted Feb 12, 2015 07:57 AM
    I see what you did there! 

    Glad it worked. 


    Thanks, 
    Tim


  • 9.  RE: How to Profile using MAC OUI

    Posted May 23, 2023 11:49 AM

    Hello, I am also in the process of configuring DURs based on OUI to auto-configure different VLANs for printers, security cameras and BACNET devices. I attempted to build this using different services for each of the categories, though I cannot trigger a service based on the device category or any other differentiating tag that I have found. Is it better to just lump them all into the same service, or is there a way to manually configure service triggers such as "Device Category"?