TECHNICAL NOTE CLEARPASS PROFILING QUICK START GUIDE

Similar documents
Tech Note: ClearPass Profiling Version 1.1 October 2014

Tech Note: ClearPass Profiling Version 1.2 July 2015

Configuring Client Profiling

Network Function Property Algorithm. CounterACT Technical Note

A. Post-Onboarding. the device wit be assigned the BYOQ-Provision firewall role in me Aruba Controller.

Secure wired and wireless networks with smart access control

ONE POLICY. Tengku Shahrizam, CCIE Asia Borderless Network Security 20 th June 2013

Provide One Year Free Update!

ClearPass and MaaS360 Integration Guide. MaaS360. Integration Guide. ClearPass. ClearPass and MaaS360 - Integration Guide 1

Forescout. Configuration Guide. Version 8.1

Port Mirroring in CounterACT. CounterACT Technical Note

How to Discover Live Network

Pulse Policy Secure. Profiler. Deployment Guide 5.4R3. Product Release Document Version. Published

ACCP-V6.2Q&As. Aruba Certified Clearpass Professional v6.2. Pass Aruba ACCP-V6.2 Exam with 100% Guarantee

ClearPass Ecosystem. Tomas Muliuolis HPE Aruba Baltics lead

Cisco ISE Ports Reference

Configuring APIC Accounts

TECHNICAL NOTE MSM & CLEARPASS HOW TO CONFIGURE HPE MSM CONTROLLERS WITH ARUBA CLEARPASS VERSION 3, JUNE 2016

Vendor: Cisco. Exam Code: Exam Name: Implementing Cisco Secure Access Solutions. Version: Demo

Cisco ISE Ports Reference

Forescout. Configuration Guide. Version 2.2

Network Configuration Example

Cisco TrustSec How-To Guide: Universal Configuration for the Cisco Wireless LAN Controller

CounterACT DHCP Classifier Plugin

Intelligent Edge Protection

Pulse Policy Secure. Profiler Administrator Guide. Product Release 9.0R1 Document Version 1.0

TECHNICAL NOTE UWW & CLEARPASS HOW-TO: CONFIGURE UNIFIED WIRELESS WITH CLEARPASS. Version 2

Integration Guide. Auvik

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

ForeScout CounterACT. Plugin. Configuration Guide. Version 2.1

CISCO EXAM QUESTIONS & ANSWERS

2012 Cisco and/or its affiliates. All rights reserved. 1

Get Started with Cisco DNA Center

CISCO EXAM QUESTIONS & ANSWERS

Interconnecting Cisco Networking Devices Part 1 (ICND1) Course Overview

ForeScout CounterACT. Single CounterACT Appliance. Quick Installation Guide. Version 8.0

Using the Web Graphical User Interface

CounterACT 7.0 Single CounterACT Appliance

CUWN Release 8.2 mdns Gateway with Chromecast Support Feature Deployment Guide

ClearPass Release Notes

ISE Primer.

Forescout. Engine. Configuration Guide. Version 1.3

CLEARPASS GUEST. A ClearPass Policy Manager Application DATA SHEET KEY FEATURES THE CLEARPASS ADVANTAGES

Cisco ISE Ports Reference

The following topics describe how to configure correlation policies and rules.

Policy Enforcer. Policy Enforcer Connectors Guide. Modified: Copyright 2018, Juniper Networks, Inc.

Cisco ISE Endpoint Profiling Policies

Guest Access User Interface Reference

CLEARPASS CONVERSATION GUIDE

Cisco ISE Ports Reference

AIRPLAY AND AIRPRINT ON CAMPUS NETWORKS AN ARUBA AIRGROUP SOLUTION GUIDE

ForeScout CounterACT. Configuration Guide. Version 1.8

WhatsConnected v3.5 User Guide

CounterACT 7.0. Quick Installation Guide for a Single Virtual CounterACT Appliance

User Identity Sources

SUPPORT GUIDELINE CASE OPENING GUIDELINES ARUBA NETWORKS TECHNICAL SUPPORT

Quick St Copyright (c) Silve

Get Success in Passing Your Certification Exam at first attempt!

User Identity Sources

Using the Web Graphical User Interface

CounterACT Wireless Plugin

Deploy the ExtraHop Discover 3100, 6100, 8100, or 9100 Appliances

6.1. Getting Started Guide

Configure Smartport Properties on a Switch through the CLI

NEXT GENERATION SOLUTION FOR NETWORK ACCESS MANAGEMNT & CONTROL

Host Identity Sources

Configure Link Layer Discovery Protocol (LLDP) Properties on a Switch

Free4Dump. Free demo and valid vce dump for certification exam prep

Cisco NAC Profiler Architecture Overview

Deploy the ExtraHop Trace 6150 Appliance

Configuring Local Policies

Using the Cisco NAC Profiler Endpoint Console

ArubaOS 6.2. Quick Start Guide. Install the Controller. Initial Setup Using the WebUI Setup Wizard

Monitoring Windows Systems with WMI

BEST PRACTICE - NAC AUF ARUBA SWITCHES. Rollenbasierte Konzepte mit Aruba OS Switches in Verbindung mit ClearPass Vorstellung Mobile First Features

BYOD: BRING YOUR OWN DEVICE.

ACE Live on RSP: Installation Instructions

FortiNAC Motorola Wireless Controllers Integration

ISE Express Installation Guide. Secure Access How -To Guides Series

Forescout. Quick Installation Guide. Single Appliance. Version 8.1

Manage Your Inventory

Deploy the ExtraHop Explore 5100 Appliance

Configure Controller and AP Settings

Forescout. Configuration Guide. Version 11.0

Set Up Policy Conditions

Vendor: Cisco. Exam Code: Exam Name: Implementing Advanced Cisco Unified Wireless Security (IAUWS) v2.0. Version: Demo

8.5 Identity PSK Feature Deployment Guide

Real4Test. Real IT Certification Exam Study materials/braindumps

NAC: LDAP Integration with ACS Configuration Example

Access Guardian and BYOD in AOS Release 8.1.1

DES-3528/52 Series Firmware Release Notes

Deploy the ExtraHop Discover Appliance in Azure

Manage Your Inventory

Configure Site Network Settings

The University of Toledo Intune End-User Enrollment Guide:

Support Device Access

Switch and Wireless LAN Controller Configuration Required to Support Cisco ISE Functions

Configure Global Link Layer Discovery Protocol (LLDP) Settings on a Switch through the Command Line Interface (CLI)

Per-WLAN Wireless Settings

Vendor: Cisco. Exam Code: Exam Name: Designing Cisco Data Center Unified Fabric (DCUFD) Version: Demo

Transcription:

TECHNICAL NOTE CLEARPASS PROFILING QUICK START GUIDE REVISION HISTORY Revised By Date Changes Dennis Boas Aug 2016 Version 1 initial release 1344 CROSSMAN AVE SUNNYVALE, CA 94089 1.866.55.ARUBA T: 1.408.227.4500 FAX: 1.408.227.4550 info@arubanetworks.com www.arubanetworks.com

TABLE OF CONTENTS ClearPass Profiling Quick Start Guide... 1 Introduction... 3 Enable ClearPass Device Profiling... 3 Passive Collectors... 3 DHCP... 3 HTTP User-Agent... 4 Aruba Controller Configuration... 4 ClearPass IF-MAP Enable... 5 Cisco Device Sensor... 5 Basic Configuration needed... 5 Enable ClearPass Interim Accounting... 5 Configure Cisco Switch... 6 MAC OUI... 7 TCP Fingerprinting... 7 Active Collectors... 7 Subnet Scan... 8 Set Scan Interval... 8 Configure ClearPass Profile Settings... 8 Example Profile Results... 13 2

Introduction ClearPass uses a series of collectors to profile devices. These collectors receive information about each device and profile it for Device Category, Device OS family, Device Name, and Host Name. These device attributes can then be used to assign the correct authorization roles to the device. Configuring profiling is a two-step process: (1) the network infrastructure has to be configured to send device profiling information to ClearPass, and (2) ClearPass needs to be enabled to process the information. This paper presents a quick start guide for how to configure a basic ClearPass test environment. For more detailed information on ClearPass profiling refer to the ClearPass Profiling Tech Note on the Aruba support site. https://support.arubanetworks.com/documentation/tabid/77/dmxmodule/512/default.aspx?entryid=796 1 Enable ClearPass Device Profiling Enable device profiling on at least one ClearPass node in each zone. Passive Collectors Passive Collectors monitor and analyze information either sent directly to ClearPass or received on a ClearPass span port. DHCP The DHCP collector analyzes DHCP DISCOVER and REQUEST messages and uses DHCP fingerprints to profile the sending device. The ClearPass DHCP collector is automatically enabled when Enable Profiling is selected. Network switches and controllers need to be configured to forward the DHCP packets to ClearPass. ClearPass will use the DHCP packets to profile the device, but ClearPass is not a DHCP server. Example switch configurations. 3

HPE-3800 switch running KA_16_010007 DHCP Relay Configuration: vlan <id> ip helper-address <ClearPass Server IP address> dhcp-snooping vlan <id> Cisco 3750 switch running IOS Version 12.2(55)SE4 DHCP Relay Configuration: ip dhcp relay information trust-all ip dhcp snooping vlan <vlan range> interface vlan <ID> ip address <ip and mask> ip helper-address <ClearPass IP address> Note: If the ClearPass server has a span port configured it will also use DHCP packets received on that port for profiling. Switches or network taps can be configured to mirror traffic to the ClearPass span port. HTTP User-Agent In some cases, DHCP fingerprints alone cannot fully classify a device. A common example is the Apple family of smart devices; DHCP fingerprints cannot distinguish between an Apple ipad and an iphone. In these scenarios, User-Agent strings sent by browsers in the HTTP protocol are useful to further refine classification results. User-Agent strings are collected from: ClearPass Guest ClearPass Onboard Aruba controller through IF-MAP interface Guest and Onboard automatically collect User-Agent strings The IF-MAP interface needs to be enabled on the ClearPass server and configured on the Aruba Controller Aruba Controller Configuration Configure the IF-MAP interface on the Aruba controller: (host) (config) #ifmap (host) (config) #ifmap cppm (host) (CPPM IF-MAP Profile) #server host <host> port <port> username <username> passwd <psswd> (host) (CPPM IF-MAP Profile) #enable 4

ClearPass IF-MAP Enable Enable IF-MAP profiling on ClearPass by going to Administration > Server Manager > Server Configuration > Cluster-Wide Parameters Cisco Device Sensor The Device Sensor feature is used to gather raw endpoint data from network devices using protocols such as Cisco Discovery Protocol (CDP), Link Layer Discovery Protocol (LLDP), DHCP and HTTP User-Agent info. All these attributes are sent to ClearPass using RADIUS accounting packets. Upon receiving the accounting data, the RADIUS server will post these inputs to profiler for analysis. This allows endpoints to be profiled without needing IP helper configurations or SPAN ports. Basic Configuration needed: Enable ClearPass Interim Accounting packets update Accounting configuration on Cisco NAD Enable IOS sensor on Cisco NAD Enable ClearPass Interim Accounting Enable logging of RADIUS Accounting packets by going to Administration > Server Manager > Server Configuration > [SERVER] > Service Parameters > RADIUS Server 5

Configure Cisco Switch Cisco switch Device Sensor configuration: 6

For additional details refer to the Cisco Cevice Sensor Configuration Guide. http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/15-0_1_se/device_sensor/guide/sensor_guide.html#wp1112722 MAC OUI A connecting device s MAC OUI is automatically collected and can be useful for classifying endpoints. An example is Android devices, where DHCP fingerprints can only classify a device as a generic Android device, but cannot provide more detail about the vendor. Combining the DHCP information with the MAC OUI, the profiler can classify a device as HTC Android, Samsung Android, Motorola Android, etc. The MAC OUI is also useful to profile devices such as printers which may be configured with static IP addresses. TCP Fingerprinting When enabled, ClearPass will analyze the SYN, SYN-ACK handshakes using the open source TCP fingerprint databases pf0.fp and pf0fa.fp (SYN, and SYN-ACK respectively). Looking at the SYN packet allows ClearPass to determine which device (client) is connecting. Looking at the SYN-ACK allows ClearPass to derive what the actual server (target) is. TCP Traffic must be mirrored by network switches and controllers to the SPAN port on the ClearPass server. To enable this feature on a 500 or 5K appliance, the Data Port must not be in use. On a 25K appliance, one of the other spare interfaces can be used. Within a VM environment, if the DATA Port is being used then the ability to use TCP Fingerprinting is not an option. Active Collectors Active collectors use protocols like SNMP, SSH and WMI to collect device attributes for use in profiling. Active collection is especially useful for discovering and profiling statically addressed devices. 7

Subnet Scan ClearPass uses subnet scans to discover and profile devices with statically assigned IP addresses. Scans are automatically run every day or can be run on demand. For each scanned address ClearPass will: If port 22 is open, attempt to use SSH to login and gather additional data If port 135 is open, attempt to use WMI to login and gather additional data If port 161 is open, attempt to query SNMP information If port 135 and 3389 is open, assume that the endpoint is Windows-based Set Scan Interval By default subnet scans are run once a day but the interval is configurable by going to Administration > Server Manager > Server Configuration > Cluster-Wide Parameters Configure ClearPass Profile Settings To configure Subnet scans, you must configure Profile Settings in Configuration > Profile Settings: Define the subnets to scan Add SNMP credentials Add SSH credentials Add WMI Domain credentials 8

Configure Subnets Select the Policy Manager Zone and add the subnet or subnets for scanning. Subnets are added as a comma separated list. Note: do not end the line with a carriage return. To scan a single host use the /32 mask. Configure SNMP Credentials On the SNMP Configuration tab, click Add SNMP Configuration. You can add as many IP subnets or IP addresses as needed. Each can have its own set of credentials. In this example, we have configured two subnets with different SNMP credentials. 9

It is also possible to configure multiple sets of credentials for the same subnet as shown below. 10

Configure SSH Credentials SSH credentials are configured per subnet or with multiple sets of credentials per subnet. Go the SSH Configuration tab and click Add Configuration. 11

Configure WMI Credentials To add WMI credentials, go to the WMI Configuration tab and click Add Configuration. WMI credentials are used to sign into Windows Domain-joined machines and probe for additional profile information. Multiple credentials can be configured for each subnet and Domain. 12

Initiate On Demand Scan Configure an on-demand subnet scan by clicking the On-Demand Subnet Scan link. Enter a comma-separated list of subnets and click Submit. Example Profile Results In this example the host IP is dynamically assigned so DHCP fingerprinting can be used. In addition, the profiler found port 3389 open. Port 3389 is used by Windows Remote Desktop. 13

This example shows a server with a statically assigned IP address. This means that DHCP fingerprinting is not an option. The server does support SNMP so the SNMP System Description is used to profile the server. Note that the Server Name is also shown but is not used in the standard fingerprint. Device name could be used in a user-defined custom fingerprint. This switch is statically addressed and since we don't see any SNMP attributes, either SNMP is not enabled or the more likely reason is that the SNMP credentials are not correct. The CLI credentials were accepted and the SSH device name provides the profiling information 14

This RAP was profiled based on CDP, SNMP and DHCP attributes. 15

16

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback