  • 1.  ClearPass - Accounting Framed-IP - Profiling Endpoint With Static IP

    Posted Mar 03, 2024 12:23 PM
    Edited by MultiBand Mar 03, 2024 06:35 PM

    Hi World,

    The endpoints in this scenario are configured with static IPs, and the layer 3 device (FW) doesn't support the SNMP OID that ClearPass requires to read the ARP table.

    We are searching for a way to utilize the accounting Framed-IP so ClearPass will be able to scan and profile endpoints with static IPs.

    (Changing to DHCP or replacing the L3 FW IS NOT AN OPTION)

    Based on some discussions, I understood that we can utilize accounting as a collector of IP addresses, but it is not mentioned in the collector or profiling documents.
    https://support.hpe.com/hpesc/public/docDisplay?docId=a00100327en_us


    Endpoint Information Collectors

    Collectors are the network elements that provide data in order to profile endpoints.

    ClearPass Profiling Tech Note V1.2


    Here are some examples of accounting as a method to collect endpoint fingerprints:

    vsa vendor

    vsa vendor aruba type avpair group dfp-client-info
    {no} vsa vendor aruba type avpair group dfp-client-info

    Description: This command enables AOS-CX integration with Aruba Clearpass by allowing the switch to send Vendor-Specific Attributes (VSAs) for the Aruba vendor in RADIUS interim packets (such as accounting packets).

    IP Client Tracker

    AOS-CX 10.07 IP Routing Guide: IP Client Tracker is only supported on the Aruba 6x00 Switch Series. The client IP address tracking feature will learn and update the IP addresses of the access devices and clients connected to the switch.

    Regards,

    Me



  • 2.  RE: ClearPass - Accounting Framed-IP - Profiling Endpoint With Static IP

    Posted Mar 03, 2024 05:05 PM

    Are these devices being authenticated?

    Note that with CX 10.12 you can use the device fingerprinting feature that uses RADIUS to send device profiling info to ClearPass, and your ClearPass needs to be 6.11 or better.



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 3.  RE: ClearPass - Accounting Framed-IP - Profiling Endpoint With Static IP

    Posted Mar 03, 2024 06:34 PM
    Edited by MultiBand Mar 03, 2024 06:37 PM

    There are no Aruba switches in this environment; still, we are receiving the Framed-IP and we want to use it at the ClearPass end.




  • 4.  RE: ClearPass - Accounting Framed-IP - Profiling Endpoint With Static IP

    Posted Mar 03, 2024 07:49 PM

    I am pretty sure CP can use accounting info as well.

    Have you enabled accounting/interim accounting?






  • 5.  RE: ClearPass - Accounting Framed-IP - Profiling Endpoint With Static IP

    Posted Mar 03, 2024 08:24 PM

    Remember, using device fingerprinting info through RADIUS accounting is for CX switches. I don't think Aruba wireless supports that.






  • 6.  RE: ClearPass - Accounting Framed-IP - Profiling Endpoint With Static IP

    Posted Mar 03, 2024 11:22 PM

    Yes, interim accounting is enabled.




  • 7.  RE: ClearPass - Accounting Framed-IP - Profiling Endpoint With Static IP

    Posted Mar 03, 2024 11:33 PM

    Remember, using device fingerprinting info through RADIUS accounting is only for CX switches. I don't think Aruba wireless supports that.






  • 8.  RE: ClearPass - Accounting Framed-IP - Profiling Endpoint With Static IP

    Posted Mar 03, 2024 11:56 PM

    Not sure how the NAD type is related; the Framed-IP is an IETF attribute and it exists in the accounting messages.
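
Added example, not part of the original post and not ClearPass code: a minimal Python parser showing where Framed-IP-Address (IETF attribute type 8) sits in a RADIUS Accounting-Request and how it pairs with Calling-Station-Id to give a MAC-to-IP mapping. The sample packet is constructed, the MAC carried in Calling-Station-Id is an assumption about the NAD, and the Request Authenticator is not verified here (that requires the shared secret).

```python
import ipaddress
import struct

ACCOUNTING_REQUEST = 4   # RADIUS packet code (RFC 2866)
FRAMED_IP_ADDRESS = 8    # IETF attribute (RFC 2865), 4-byte IPv4 address
CALLING_STATION_ID = 31  # IETF attribute; assumed here to carry the client MAC
ACCT_STATUS_TYPE = 40    # RFC 2866: 1=Start, 2=Stop, 3=Interim-Update
STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}

def attr(a_type, value):
    """Encode one attribute as type, length (header included), value."""
    return bytes([a_type, len(value) + 2]) + value

def build_sample():
    """Constructed Accounting-Request with a zeroed authenticator (not a capture)."""
    attrs = (attr(ACCT_STATUS_TYPE, struct.pack("!I", 3))
             + attr(CALLING_STATION_ID, b"00-11-22-AA-BB-CC")
             + attr(FRAMED_IP_ADDRESS, ipaddress.IPv4Address("192.0.2.45").packed))
    header = struct.pack("!BBH16s", ACCOUNTING_REQUEST, 1, 20 + len(attrs), bytes(16))
    return header + attrs

def parse_accounting(packet):
    """Return status, MAC and IP from an Accounting-Request; ValueError if malformed."""
    if len(packet) < 20:
        raise ValueError("shorter than the RADIUS header")
    code, _ident, length, _auth = struct.unpack("!BBH16s", packet[:20])
    if code != ACCOUNTING_REQUEST:
        raise ValueError("not an Accounting-Request")
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match the datagram")
    out = {"status": None, "mac": None, "ip": None}
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute length out of bounds")
        value = packet[pos + 2:pos + a_len]
        if a_type == FRAMED_IP_ADDRESS and len(value) == 4:
            out["ip"] = str(ipaddress.IPv4Address(value))
        elif a_type == CALLING_STATION_ID:
            out["mac"] = value.decode("ascii", "replace").replace("-", ":").lower()
        elif a_type == ACCT_STATUS_TYPE and len(value) == 4:
            out["status"] = STATUS.get(struct.unpack("!I", value)[0])
        pos += a_len
    return out

if __name__ == "__main__":
    print(parse_accounting(build_sample()))
```

Running the same parser over a capture of the NAD's own accounting traffic shows whether Framed-IP-Address is present in Start records or only in Interim-Update records.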




  • 9.  RE: ClearPass - Accounting Framed-IP - Profiling Endpoint With Static IP

    Posted Mar 04, 2024 12:22 AM

    Well, your reference for the working link is for a CX switch that uses this new DFP feature. When you configure it, the switch will send VSA av-pair(67) in RADIUS accounting interim packets.

    The APs do not have this feature. 


