Security

  • 1.  Endpoint Profiling and Mac Refresh

    Posted Apr 24, 2019 02:14 PM

    Hello, I have a couple of questions related to Profiling. If we enable Profiling on a Service, for example on a MAC service, and it profiles all the different devices like Printers, Scanners, cameras etc., do we need to turn off profiling after some time or do we need to keep it open?

    Also, for example, if we switch off profiling on the service, will the Endpoint profiling database still remain in that case? Also, does that database contain MAC addresses?

    Now, what is the MAC refresh time recommended for Printers, Scanners, cameras etc.? Once they are connected will they remain connected, or if we clear the MAC database, do we need to make rules for profiling in advance in the MAC service so that once they are discovered again they will be allowed? This is basically a requirement from Customer Cyber Security, so that a MAC refresh should be done after 3 or 6 months.

    Also, we are using DHCP profiling. If a Printer connects to Location A and is profiled, and tomorrow we move the Printer to Location B, is it possible to get a notification that the Location has changed?



  • 2.  RE: Endpoint Profiling and Mac Refresh

    Posted Apr 24, 2019 02:18 PM
    Enabling profiling in a service simply enables logic that will take some form of action when the device moves from not profiled to profiled. It does not have any impact on global profiling capabilities.

    Not sure what you mean about MAC refresh. The endpoint database simply stores system learned data. Profiling data is just one component of an enforcement policy. Other data should be used to dictate access, like the device registration status.

    Location has nothing to do with device profiling. You’d have to configure that using enforcement rules in your enforcement policy based on NAS data.


  • 3.  RE: Endpoint Profiling and Mac Refresh

    Posted Apr 24, 2019 02:27 PM

    Hello Tim,

    The goal here is to define a MAC expiry timer for each device type like printers, scanners etc. Is it possible? What is the Aruba recommendation for MAC expiry for non-standard devices like cameras, printers etc.?

    The next question is: after the expiry period they will try to authenticate, so does the MAC service need a rule that says if the device identified is a printer which was present before, allow it? Also, what is the authorization source in this case? I believe the profiling endpoint database? Correct me if I am wrong.

    Also, please let me know how to trigger an alert if the location of a device is changed. Is there any option? Kindly help.



  • 4.  RE: Endpoint Profiling and Mac Refresh

    Posted Apr 24, 2019 02:30 PM
    We don’t make recommendations like that as it should be based off your security policies. Expiration is defined during Device Registration. All Device Registration logic uses the [Guest Device Repository] auth source.

    RE: alert, you’d have to write an enforcement policy rule keying off something related to the session and then use some form of post auth enforcement.


  • 5.  RE: Endpoint Profiling and Mac Refresh

    Posted Apr 24, 2019 02:45 PM

    Hi Tim,

    If I want to clear the MAC address of a Printer, do I have to do it from the Guest device repository or the Endpoint repository? What is the difference?

    Also, if the Printer tries to authenticate again, it will hit the MAC rule. So do we need policy rules based on profiling to allow it once it is discovered again?

    Also, once we move from Open mode to Closed mode, what if a new printer is purchased? Do we need to add it explicitly, or can we add automatic rules based on profiling, based on vendor class?



  • 6.  RE: Endpoint Profiling and Mac Refresh

    Posted Apr 24, 2019 02:50 PM
    The Endpoint database is for things ClearPass learns itself.

    Device Registration is for admin or end user registration. This is where account status, role assignment, etc is done.

    I would recommend reaching out to your Aruba Partner to assist with this deployment.