[Clearpass] Failed to get value for attributes=[Category, Device Name, OS Family]

  • 1.  [Clearpass] Failed to get value for attributes=[Category, Device Name, OS Family]

    Posted Feb 21, 2023 08:37 PM

    Hello !

    Endpoint profiling is not possible due to the error 'Failed to get value for attributes=[Category, Device Name, OS Family]' in Clearpass.

    The configuration is writing the Controller as a DHCP server and sending a DHCP relay from the controller to Clearpass.

    And when I checked in Clearpass, I confirmed that the DHCP Relay packets were normally coming through Clearpass.

    10.255.x.x = Controller VLAN

    172.16.x.x = Clearpass IP address

    Clearpass Version : 6.9.13

    However, if you check the image above, Endpoint profiling is impossible even though DHCP Relay packets are normally flowing through Clearpass.

    If anyone knows a solution to this symptom, please let me know.



  • 2.  RE: [Clearpass] Failed to get value for attributes=[Category, Device Name, OS Family]

    Posted Feb 22, 2023 03:03 AM

    Did you check the endpoint database for the fingerprint recorded there?

    It can be a fingerprint mismatch, and you need to resolve it in the endpoint database.

    Best, Gorazd



    ------------------------------
    Gorazd Kikelj
    MVP Expert 2023
    ------------------------------



  • 3.  RE: [Clearpass] Failed to get value for attributes=[Category, Device Name, OS Family]

    Posted Feb 22, 2023 06:17 AM
    Edited by Lord Feb 22, 2023 10:33 AM

    During the first authentication the endpoint object does not exist yet. In this case the properties cannot be queried, because they do not exist yet. Is this possibly the reason for the error?

    If it is, then enable "Profile Endpoints" in the service and set a "RADIUS CoA Action". Clearpass will notice when the endpoint is updated and force a reauthentication.


    And make sure that the endpoints repository is used as an authentication or authorization source.
    ------------------------------
    Regards,

    Waldemar
    ACCX # 1377, ACEP, ACA - Network Security
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 4.  RE: [Clearpass] Failed to get value for attributes=[Category, Device Name, OS Family]

    Posted Feb 22, 2023 10:27 AM

    Which information do you see in the endpoint database for this client? The first step is to check if the endpoint database contains the profiling information.

    Have you added the endpoint database as an authorization source in the service?



    ------------------------------
    William Bargeman
    Systems Engineer Aruba
    ------------------------------



  • 5.  RE: [Clearpass] Failed to get value for attributes=[Category, Device Name, OS Family]

    Posted Feb 22, 2023 08:51 PM

    Profile Endpoint is already activated and is already configured to authorize through Endpoint DB.

    Endpoint is also set as an authentication source.

    The Alert on the screen attached to the image is also a problem, but the Endpoint DB is not updated even though Clearpass is receiving the DHCP Request.

    The terminal of the captured image is the terminal originally recorded in the Endpoint Database.




  • 6.  RE: [Clearpass] Failed to get value for attributes=[Category, Device Name, OS Family]

    Posted Feb 23, 2023 03:13 AM

    Depends on the type of server, but in most cases the endpoint database should be added as an authorization source and not as an authentication source. 

    Have you tried to restart the policy server service from the services control page?



    ------------------------------
    William Bargeman
    Systems Engineer Aruba
    ------------------------------



  • 7.  RE: [Clearpass] Failed to get value for attributes=[Category, Device Name, OS Family]

    Posted Feb 23, 2023 07:10 PM

    All settings related to Endpoint Profiling have already been made.

    When I checked the DHCP packets in the Controller and Clearpass, DHCP option 43 and 60 were not confirmed.

    I think it is because there is no DHCP option 43, 60. Does anyone know more?

    If you know, can DHCP option 43, 60 be set in the controller?




  • 8.  RE: [Clearpass] Failed to get value for attributes=[Category, Device Name, OS Family]

    Posted Feb 24, 2023 03:53 AM

    DHCP profiling works independently of options 43 and 60. ClearPass reads all options and writes the information to the endpoint.

    If everything is configured correctly, but still no data is displayed in the endpoint profiling, you need to open a TAC case.



    ------------------------------
    Regards,

    Waldemar
    ACCX # 1377, ACEP, ACA - Network Security
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 9.  RE: [Clearpass] Failed to get value for attributes=[Category, Device Name, OS Family]

    Posted Feb 24, 2023 05:10 PM

    For Clearpass profiling to work, at minimum you need to point your ip-helper commands on your router/L3 switches to Clearpass so that it sees the client DHCP requests.



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 10.  RE: [Clearpass] Failed to get value for attributes=[Category, Device Name, OS Family]

    Posted Feb 25, 2023 05:23 AM
    Edited by GorazdKikelj Feb 25, 2023 06:42 AM

    As Ariyap already wrote, the DHCP relay needs to direct all DHCP requests to Clearpass as well. What you are seeing is Clearpass not receiving DHCP requests from the DHCP relay. You can check this if you collect debug logs and enable packet capture in Administration / Server Configuration / Collect logs: deselect all and only select Capture network packets for the desired time. Then just connect a new device to the network and you will have a pcap file in the collected logs. Analyze it with Wireshark to see if Clearpass sees the DHCP requests.

    But first check the DHCP relay settings on the L3 interfaces to see if Clearpass is included in them. It's quite a common mistake we all make.

    Best, Gorazd  



    ------------------------------
    Gorazd Kikelj
    MVP Expert 2023
    ------------------------------



  • 11.  RE: [Clearpass] Failed to get value for attributes=[Category, Device Name, OS Family]

    Posted Feb 27, 2023 08:14 PM

    We have already confirmed that DHCP Requests come to Clearpass through DHCP Relay.

    If I check the user through the Access Tracker by the MAC address from which the DHCP Request came, I cannot check any Endpoint Attribute.

    A very small number of devices do not seem to be related to the setting of Clearpass, seeing that the Endpoint Attribute is displayed. Has anyone had a similar phenomenon?

    The case has already been opened.




  • 12.  RE: [Clearpass] Failed to get value for attributes=[Category, Device Name, OS Family]

    Posted Feb 28, 2023 02:34 AM

    I see those errors for devices that are connected to the network for the first time and are not profiled yet.

    Did you try to decode those DHCP packets to see if there are any DHCP options in the packets, like options 53, 55, 57, 61, 50, 54?

    Another time is when a device has a static IP address configured and no SNMP/HTTP profiling is enabled. But I think that is not your case.

    Best, Gorazd 

     



    ------------------------------
    Gorazd Kikelj
    MVP Expert 2023
    ------------------------------
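
The check suggested in the last reply, decoding a relayed DHCP packet to see which of options 53, 55, 57, 61, 50 and 54 it carries, can be scripted once the UDP payload has been exported from the capture. The following is an added example, not part of the thread and not ClearPass code; the function names are hypothetical and the sample packet is constructed with documentation addresses.

```python
MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that follows the 236-byte BOOTP header
# Options named in the reply above (names per RFC 2132)
WANTED = {50: "requested-ip", 53: "message-type", 54: "server-id",
          55: "parameter-request-list", 57: "max-message-size", 61: "client-id"}

def parse_dhcp_options(payload: bytes) -> dict:
    """Return {option_code: raw_value} from a BOOTP/DHCP UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message: short payload or bad magic cookie")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:          # End option
            break
        if code == 0:            # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} runs past end of packet")
        opts[code] = opts.get(code, b"") + value   # repeated options concatenate (RFC 3396)
        i += 2 + length
    return opts

def profiling_summary(payload: bytes) -> dict:
    """Summarise what a profiler could learn from one relayed DHCP packet."""
    opts = parse_dhcp_options(payload)
    return {
        "client_mac": payload[28:34].hex(":"),                # chaddr field
        "relay_agent": ".".join(map(str, payload[24:28])),    # giaddr, set by the relay
        "present": sorted(c for c in WANTED if c in opts),
        "missing": sorted(c for c in WANTED if c not in opts),
        "option_55": list(opts.get(55, b"")),                 # requested parameter codes
    }

def build_sample() -> bytes:
    """Constructed DHCPREQUEST (documentation addresses), not taken from the thread."""
    hdr = bytearray(236)
    hdr[0:3] = b"\x01\x01\x06"                    # op=BOOTREQUEST, htype=Ethernet, hlen=6
    hdr[24:28] = bytes([192, 0, 2, 1])            # giaddr
    mac = bytes.fromhex("020000aabbcc")
    hdr[28:34] = mac
    options = (b"\x35\x01\x03" + b"\x32\x04" + bytes([192, 0, 2, 50])
               + b"\x37\x04\x01\x03\x06\x0f" + b"\x3d\x07\x01" + mac + b"\xff")
    return bytes(hdr) + MAGIC + options
```

A zero `relay_agent` (0.0.0.0) in a packet captured on the profiler would mean the packet did not arrive through a relay, and an empty `option_55` list means the packet carries no parameter request list.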