CPE 6.7 MOD 4 – 1

Aruba Networks, a Hewlett Packard Enterprise company.
CPE 6.7 MOD 4 – 2

CPE 6.7 MOD 4 – 3

When you finish this module you will be able to explain how ClearPass gathers endpoint context data and the ways ClearPass uses this context. You will also be able to configure endpoint profiling in ClearPass.
CPE 6.7 MOD 4 – 4

Sometimes managing access levels for various devices can seem like a balancing act, especially when it comes to BYOD environments. ClearPass helps manage devices and their security levels by profiling client devices when they connect to the network.

First, you’ll learn what profiling is and how ClearPass profiles data. Next you’ll learn how ClearPass gathers data and which collectors you should use within your network. This is helpful when you have to support various types of networks.

Lastly, you’ll take what you’ve learned and apply it in a lab activity focused on configuring multiple profile collectors.
CPE 6.7 MOD 4 – 5

CPE 6.7 MOD 4 – 6

When ClearPass learns about a client device on the network it will attempt to profile the device to determine what it is physically. ClearPass will then add the device to the endpoints database. The endpoints database contains both client devices that have attempted to authenticate and any devices that have interfaced with ClearPass. This means you can use ClearPass to profile almost every device on the network.

___
To view the endpoints in ClearPass, navigate to Menu > Configuration > Identities > Endpoints
CPE 6.7 MOD 4 – 7

Since the modern network hosts so many types of devices, you need a method to detect different device types and place them into different security roles.

In a typical network a single user may bring a corporate-issued laptop, smart phone and tablet or lightweight device (such as a Chromebook) onto the network. It is not uncommon for a single user to have between three and five devices on the business network. These devices often do not play the same role and therefore don’t need the same security access.

Therefore, good security practice dictates that you grant access to each device based on its need. If you treat every single device on the network exactly the same, it would be a disaster, as some devices would have far more access than is safe. Devices that are not fully secured would have access to resources that you do not want exposed.

When you have devices that only support lesser security methods, proper profiling of the endpoints can enhance security by providing more data about the client for ClearPass to use to make access decisions.
CPE 6.7 MOD 4 – 8

Networks not only host multiple user devices, but also multiple kinds of service provider devices, such as building access systems, badge scanners, multi-function printers, cameras and security systems, VoIP phones and even vending machines. In some environments this list could go on and on.

Most of these devices are not actually operated by a user, but require access to the network to do their job. It is incredibly inefficient to set up separate networks for each of these devices; imagine how many wireless networks you would need to support just the short list here.

The better solution is to configure a single network with profiling and apply different security controls to different types of devices on the network.
CPE 6.7 MOD 4 – 9

Here is an example scenario where you have wired IP cameras on the network, but the cameras are only authenticated by their MAC address. Without some added form of intelligent access control to identify the device as a valid camera, any device with a camera MAC address is granted access.

| If an attacker removes the camera and replaces it with a laptop with the same MAC address, what would happen?

| The laptop would also be granted access to the network.

| However, what if you had a way of telling which type of device was presenting the MAC address? Using the ClearPass profiler you can get a deeper understanding of the real client device type and use that information to govern access to the network.

| By adding the endpoint context in ClearPass, you can instruct the switch to allow the camera to have access. However, if ClearPass identifies the device as something other than the camera it can instruct the switch to deny access even though it passed MAC authentication.
CPE 6.7 MOD 4 – 10

Keep in mind the order of precedence for profile data. With endpoint profile data, the last information gathered replaces the earlier data and takes priority. When ClearPass profiles a MAC address and then profiles the same MAC address a second time as something different, ClearPass will write the new context data over the old.

For example, if a client device connects to the network and ClearPass profiles the device MAC address, the system will use that profile context until it learns something new about the client device. Profiles do not expire, so the next time the same MAC address connects to the network it will start out profiled from the previous version. If the profile changes to something different, the new profile takes precedence and replaces the old profile data. In this way you can detect if an actor is attempting to impersonate a device on your network.
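The camera-swap scenario and the last-write-wins rule above, modelled as an added example (not Aruba code; the repository class, the QUARANTINE/DENY/ALLOW outcomes and the MAC address are constructed for illustration):

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class Endpoint:
    mac: str
    category: Optional[str] = None      # e.g. "Camera", "Computer"
    family: Optional[str] = None
    name: Optional[str] = None
    history: List[str] = field(default_factory=list)  # earlier categories, oldest first

class EndpointRepository:
    """Constructed stand-in for the ClearPass endpoints database (not Aruba code)."""

    def __init__(self) -> None:
        self._db: Dict[str, Endpoint] = {}

    def profile(self, mac: str, category: str, family: str, name: str) -> Endpoint:
        """Last write wins: new context overwrites the old; the old category is kept as a trail."""
        ep = self._db.setdefault(mac.lower(), Endpoint(mac.lower()))
        if ep.category is not None and ep.category != category:
            ep.history.append(ep.category)
        ep.category, ep.family, ep.name = category, family, name
        return ep

    def get(self, mac: str) -> Optional[Endpoint]:
        return self._db.get(mac.lower())

def enforce(repo: EndpointRepository, mac: str, expected_category: str) -> str:
    """Decision after MAC auth already succeeded: the profile context decides final access."""
    ep = repo.get(mac)
    if ep is None or ep.category is None:
        return "QUARANTINE"   # not profiled yet: limited access until context arrives
    if ep.category != expected_category:
        return "DENY"         # MAC is known, but the device behind it no longer looks like a camera
    return "ALLOW"

def camera_swap_scenario():
    """The slide's scenario: a camera MAC later shows up with laptop fingerprints."""
    repo = EndpointRepository()
    cam_mac = "00:11:22:33:44:55"                        # constructed sample MAC
    repo.profile(cam_mac, "Camera", "Generic", "IP Camera")
    first = enforce(repo, cam_mac, "Camera")             # ALLOW
    # Later, DHCP/HTTP context for the same MAC says it is a Windows computer:
    repo.profile(cam_mac, "Computer", "Windows", "Windows 10")
    second = enforce(repo, cam_mac, "Camera")            # DENY, even though MAC auth passed
    return first, second, repo.get(cam_mac).history
```

Calling `camera_swap_scenario()` returns the two decisions plus the overwritten category trail, which is the evidence a defender would alert on.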
CPE 6.7 MOD 4 – 11

Device fingerprints are bits of context the client reveals and ClearPass detects. In order for ClearPass to properly identify different device types it reads the client’s fingerprints and compares them to a database of known fingerprints. You can configure the fingerprint dictionaries under Menu > Administration > Dictionaries > Fingerprints

| Each device listed in the dictionaries has some distinct identifying characteristics that ClearPass can use as fingerprints to establish an identity. Some devices, like this Mac OS X computer, have a large number of fingerprints while other devices have a smaller list.
CPE 6.7 MOD 4 – 12

ClearPass lets you add new fingerprints for devices on your network that the existing dictionaries do not cover. Using the add feature in the fingerprints dictionary you can add a new category, family and name.

| Once you’ve added the new device fingerprints, simply go back and apply them to the device you want to categorize. When you apply the new device fingerprints to a device in the endpoints repository, ClearPass will record the fingerprints it has for that device. Subsequent devices with matching fingerprints will be catalogued as the new category, family and name.
CPE 6.7 MOD 4 – 13

True or False: ClearPass will write every device it discovers into the endpoint database
CPE 6.7 MOD 4 – 14

The correct answer is True.
CPE 6.7 MOD 4 – 15

CPE 6.7 MOD 4 – 16

ClearPass uses various collectors, or mechanisms, to detect device fingerprints. To gain a more robust profile of the endpoint device, you can interface multiple collectors between the client device and ClearPass. You can divide collectors into four basic groups. The first, and easiest to support, is based on normal network functions.

| The second group monitors network traffic and packets for fingerprint data that can identify the device type that sent the packet.

| The third relates to ClearPass applications. During the client’s interaction with the application, any identifying information that is gathered is added to the endpoint’s profile.

| The last group, active collectors, can be used in static environments.
CPE 6.7 MOD 4 – 17

The DHCP fingerprints collector analyzes DHCP DISCOVER and REQUEST messages and uses DHCP fingerprints to profile the sending device. This function is turned on automatically: whenever ClearPass receives a DHCP message it will profile the endpoint that sent it.

| All that is required is to forward the DHCP requests from the client device to ClearPass. ClearPass does not have a DHCP server but will read the DHCP options the client sends. ClearPass will then add endpoint context for the client to the database. This means that you need to configure network switches and controllers to forward the DHCP discover packets to both the DHCP server and ClearPass.
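An added example (not ClearPass code) of what the DHCP collector has to do: walk the option field of a DISCOVER, build a fingerprint from the option 55 parameter request list, and look it up in a dictionary. The packet bytes and the two-entry dictionary are constructed here; server-side messages such as OFFER are ignored, as the slide says only DISCOVER and REQUEST are used.

```python
from typing import Dict, Optional

def tlv(code: int, value: bytes) -> bytes:
    """Encode one DHCP option as code, length, value."""
    return bytes([code, len(value)]) + value

# Constructed DISCOVER option field (the bytes after the magic cookie); not a real capture.
SAMPLE_DISCOVER = (
    tlv(53, b"\x01")                              # option 53: message type DISCOVER
    + tlv(12, b"cam-lobby-01")                    # option 12: host name
    + tlv(60, b"ipcam-dhcp/1.0")                  # option 60: vendor class identifier
    + tlv(55, bytes([1, 3, 6, 12, 15, 28, 42]))   # option 55: parameter request list
    + b"\xff"                                     # end option
)
SAMPLE_OFFER = tlv(53, b"\x02") + b"\xff"         # server-side message, not profiled

# Constructed fingerprint dictionary keyed on the option 55 list: (category, family, name).
FINGERPRINTS: Dict[str, tuple] = {
    "1,3,6,12,15,28,42": ("Camera", "Generic", "IP Camera"),
    "1,3,6,15,31,33,43,44,46,47,121,249,252": ("Computer", "Windows", "Windows 10"),
}

def parse_options(buf: bytes) -> Dict[int, bytes]:
    """Walk the TLV option field; stop at END (255), skip PAD (0), reject truncated options."""
    opts, i = {}, 0
    while i < len(buf):
        code = buf[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        if i + 1 >= len(buf) or i + 2 + buf[i + 1] > len(buf):
            raise ValueError("truncated DHCP option %d" % code)
        length = buf[i + 1]
        opts[code] = buf[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def profile_from_dhcp(options: bytes) -> Optional[dict]:
    """Return endpoint context for DISCOVER/REQUEST, None for any other message type."""
    opts = parse_options(options)
    if opts.get(53) not in (b"\x01", b"\x03"):   # 1 = DISCOVER, 3 = REQUEST
        return None
    fingerprint = ",".join(str(b) for b in opts.get(55, b""))
    category, family, name = FINGERPRINTS.get(fingerprint, ("Unknown", "Unknown", "Unknown"))
    return {"fingerprint": fingerprint, "hostname": opts.get(12, b"").decode("ascii", "replace"),
            "vendor_class": opts.get(60, b"").decode("ascii", "replace"),
            "category": category, "family": family, "name": name}
```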
CPE 6.7 MOD 4 – 18

Have you ever considered how a web site knows which version of a web page to send? Does it send the full web page or the mobile-compatible page to the client making the request? The website knows which to send because the browser sends identifying information about the client to the web server. By reading this information the web server can identify the client type and send the properly formatted page. Any time a client sends ClearPass Guest a page request it includes this same identifying context. ClearPass Guest will automatically profile the device and write this context to the endpoint database.
CPE 6.7 MOD 4 – 19

Interface for Metadata Access Point (IF-MAP) is a common protocol that provides a simple interface for metadata exchange.

Metadata is descriptive context about something, in this case about the client. The Aruba controller can send the HTTP User-Agent strings intercepted from client devices and mDNS service announcements to ClearPass. The controller can gather metadata for any client passing data through the firewall.
___
You must configure an IF-MAP profile for the controller so that it knows where to send IF-MAP data. IF-MAP provides a good way for ClearPass to receive extra context information from clients authenticated to the controller. In ClearPass you will need to create an apiadmin account and enable ClearPass to process IF-MAP data.
CPE 6.7 MOD 4 – 20

To use IF-MAP, you’ll need to enable the feature in the cluster-wide parameters under ClearPass Menu > Administration > Server Manager > Server Configuration

| Aruba Networks recommends configuring IF-MAP with the Aruba mobility controller, as it will increase the detail in profiling endpoints and enrich the context in the profiler.
CPE 6.7 MOD 4 – 21

The Device Sensor feature gathers raw endpoint data from network devices using protocols such as Cisco Discovery Protocol (CDP) and Link Layer Discovery Protocol (LLDP). The device sensor forwards DHCP and HTTP User-Agent information to ClearPass in RADIUS accounting packets. When ClearPass receives the accounting data, the RADIUS server posts these inputs to the profiler for analysis. This allows endpoints to be profiled without needing IP helper configurations or SPAN ports on compatible devices.

___
Cisco device sensor requires that the “Log Accounting Interim-Update Packets” feature be set to “True” for each server in your ClearPass cluster.

Basic configuration needed:

• Enable ClearPass interim accounting packet updates
• Accounting configuration on the Cisco NAD
• Enable the IOS sensor on the Cisco NAD
CPE 6.7 MOD 4 – 22

The TCP fingerprint functionality in ClearPass analyzes the SYN and SYN-ACK messages of the TCP 3-way handshake between clients and devices. This allows ClearPass to analyze TCP traffic flowing on the network and add profile context to all endpoints it discovers. This requires you to set up a mirror port on the NAD so that TCP traffic can be forwarded to a spanned port on ClearPass. This is a resource intensive function.
___
ClearPass supports two configurations for a spanned port. If you only configure ClearPass for the management port and not the data port, then you can use the data port interface as a span port. If you configure a management port and data port on ClearPass, the software allows you to configure a third port as the span port. The hardware appliance has two extra ports, and if you are configuring a VMware instance you will have to use the network settings in VMware to configure an additional promiscuous-mode span port. If you are working with an appliance, it will have four Ethernet ports, with only two configured for management and data, and the third port will be used as a span port.
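An added example (not ClearPass code) of the kind of signature a passive TCP collector extracts from a mirrored SYN or SYN-ACK: the IP TTL (rounded up to its likely starting value), the advertised window and the order of TCP options. `build_syn` only constructs offline sample headers without checksums, and the two-entry signature dictionary is made up for illustration.

```python
import struct
from typing import Dict, Optional

def build_syn(ttl: int, window: int, options: bytes, syn_ack: bool = False) -> bytes:
    """Construct an IPv4 + TCP header for an offline sample (checksums left zero on purpose)."""
    options += b"\x00" * (-len(options) % 4)           # pad option list to a 32-bit boundary
    tcp_len = 20 + len(options)
    flags = 0x12 if syn_ack else 0x02                   # SYN+ACK or SYN only
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 0, (tcp_len // 4) << 4, flags, window, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 1, 0x4000, ttl, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1]))   # constructed addresses
    return ip + tcp + options

# Constructed option lists: MSS 1460, NOP, window scale, (NOPs), SACK-permitted. Order matters.
LINUX_LIKE_OPTS = b"\x02\x04\x05\xb4" + b"\x01" + b"\x03\x03\x07" + b"\x04\x02"
WINDOWS_LIKE_OPTS = b"\x02\x04\x05\xb4" + b"\x01" + b"\x03\x03\x08" + b"\x01\x01" + b"\x04\x02"

# Constructed signature dictionary: "initial_ttl:window:option-order" -> (category, family).
SIGNATURES: Dict[str, tuple] = {
    "64:29200:MNWS": ("Computer", "Linux"),
    "128:64240:MNWNNS": ("Computer", "Windows"),
}

def initial_ttl(ttl: int) -> int:
    """Round the observed TTL up to the nearest common starting value (each hop decrements it)."""
    return next(t for t in (32, 64, 128, 255) if ttl <= t)

def syn_signature(pkt: bytes) -> Optional[dict]:
    """Extract TTL, window and option order from a SYN or SYN-ACK; None for other segments."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6:                                     # IP protocol field: not TCP
        return None
    tcp = pkt[ihl:]
    doff, flags = (tcp[12] >> 4) * 4, tcp[13]
    if not flags & 0x02:                                # SYN bit must be set
        return None
    window = struct.unpack("!H", tcp[14:16])[0]
    order, i = [], 20
    while i < doff:
        kind = tcp[i]
        if kind == 0:                                   # end of option list
            break
        if kind == 1:                                   # NOP carries no length byte
            order.append("N"); i += 1; continue
        order.append({2: "M", 3: "W", 4: "S", 8: "T"}.get(kind, str(kind)))
        i += max(tcp[i + 1], 2)                         # guard against a zero length byte
    sig = "%d:%d:%s" % (initial_ttl(pkt[8]), window, "".join(order))
    category, family = SIGNATURES.get(sig, ("Unknown", "Unknown"))
    return {"signature": sig, "syn_ack": bool(flags & 0x10), "category": category, "family": family}
```

Because the signature comes from the handshake itself, a device that spoofs another's MAC address still presents its own TCP stack to this collector.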
CPE 6.7 MOD 4 – 23

Active collectors include network scanner functions utilizing protocols such as SNMP, HTTP, SSH and WMI. Active scans provide a good way for ClearPass to discover devices with static IP addresses.

___
Configuring active collectors is considered an intermediate skill; this course will not go into details. The best reference is the Active Profiling tech note found on the Aruba Networks support site.
CPE 6.7 MOD 4 – 24

When ClearPass has an MDM server configured under Endpoint Context Servers, it will poll the server on a regular basis and preload the Endpoints table with context for the MDM-controlled devices. This means that for those devices in the MDM server you can quickly do enforcement based on endpoint profile. The MDM servers expose information concerning things like the device’s encryption status or whether it has been listed as compromised. You will also have the device type and OS version.
CPE 6.7 MOD 4 – 25

• DHCP Profiling and HTTP User Agents are Network Functions
• OnGuard is a ClearPass Application
• NMAP Scans are Active Profiling
• TCP Fingerprinting is Network Packets
CPE 6.7 MOD 4 – 26

See the Lab Guide for complete instructions.
CPE 6.7 MOD 4 – 27

There are three parts to the activity. After reviewing the scenario, you will complete a series of labs and tasks where you will…

Gather information, analyze the current environment, and document customer requirements,

Then, evaluate customer requirements in the scenario,

And lastly, design a solution summarizing the key product features and customer benefits.
CPE 6.7 MOD 4 – 28

CPE 6.7 MOD 4 – 29

This task simply explores the endpoints repository and the data that was gathered for the endpoints from the MDM server. This is a rich example of the context that the endpoint profiler can gain.
CPE 6.7 MOD 4 – 30

In this lab task you configure DHCP relay for the VLAN that gets assigned to the wireless users when they connect to SSIDs on the controller. In a production environment, it is recommended that you forward all of your user VLANs to ClearPass for profiling. IF-MAP for endpoint profiling is unique to the controller, but its use is recommended because it also gathers endpoint context from wired traffic passing through the controller.
CPE 6.7 MOD 4 – 31

Profiling in ClearPass is enabled by default. When enabling IF-MAP on the controller, you will also need to go into Cluster-Wide Parameters and enable “Process wired data information from IF-MAP interface”.
CPE 6.7 MOD 4 – 32

There are multiple ways that you can view endpoint context, making it easy to monitor your device types. You also investigated the Profiler Fingerprint Dictionary. Finally, you are able to create a custom fingerprint and apply it to your endpoints in Policy Manager.
CPE 6.7 MOD 4 – 33

Congratulations! You should now be able to describe the value of device profiling and determine the best fingerprint collectors for your networks.
CPE 6.7 MOD 4 – 34

CPE 6.7 MOD 4 – 35
