Security

  • 1.  Role mapping using profiling information

    Posted Oct 29, 2021 04:09 AM
    Hi all,

    How do I set up Role Mapping to use Profiling information from the Endpoint Repository?
    I've set up MAC Authentication Bypass for devices that do not support 802.1x, using a Static Host List and the following role mapping:

    To ensure a MAC address can't just simply be spoofed, I want to use the endpoint profiling information to verify the device when role mapping. I would like to use the 'Device Category' and maybe even the 'Device OS Family' as well:


    I've read about adding Attributes to every known endpoint and using the attributes in role mapping, but I want this process to be as automatic as it can be, without adding attributes manually to every (e.g.) printer. I can't seem to find the proper role mapping rules for this.
    How do I set up my role mapping to use the information gained via profiling?

    ------------------------------
    Lex
    ------------------------------


  • 2.  RE: Role mapping using profiling information
    Best Answer

    Posted Oct 29, 2021 07:11 AM
    Ensure that you add Endpoints Repository as an authorization source, and then you can either role map this or add it directly to your enforcement policy.

    Authorization:[Endpoints Repository]:Category  EQUALS  Embedded
    Authorization:[Endpoints Repository]:OS Family  EQUALS  Canon
    Authorization:[Endpoints Repository]:Device Name  EQUALS  Canon Device
    

    Another way is to trust the magic and use the endpoint repository with "Authorization:[Endpoints Repository]:Conflict EQUALS True/False"


    ------------------------------
    John-Egil Solberg |
    ACMX | ACCX
    ------------------------------



  • 3.  RE: Role mapping using profiling information

    Posted Oct 29, 2021 07:50 AM
    Hi jsolb,

    Thanks a lot for your reply! Would you say 'Conflict EQUALS true' is secure enough to stop MAC-spoofing from succeeding?

    ------------------------------
    Lex
    ------------------------------



  • 4.  RE: Role mapping using profiling information

    Posted Oct 29, 2021 07:56 AM
    Should be - yes :) Although the first authentication of the spoofing device will always succeed, because DHCP/profiling doesn't happen until after you actually are connected.

    ------------------------------
    John-Egil Solberg |
    ACMX | ACCX
    ------------------------------
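
The ordering discussed in this thread (role decision from the stored profile first, profiling only after the device is connected), as a small added model that is not part of the original posts and is not ClearPass code. The class, the function names, the "quarantine" role, the sample MAC address and the way the conflict flag is computed are all assumptions made for illustration.

```python
# Simplified model of MAB role mapping against stored profile data.
# Not ClearPass code: names, roles and the conflict logic are assumptions.
from dataclasses import dataclass

@dataclass
class Endpoint:
    category: str = ""
    os_family: str = ""
    conflict: bool = False

# Constructed sample data: one MAC in the static host list.
PRINTER_MAC = "00:11:22:33:44:55"
STATIC_HOST_LIST = {PRINTER_MAC}
REPO = {}

def authorize(mac: str) -> str:
    """Role decision at authentication time, using only what is already stored."""
    ep = REPO.get(mac)
    if mac not in STATIC_HOST_LIST or ep is None:
        return "deny"
    if ep.conflict:                      # Conflict EQUALS True
        return "quarantine"              # hypothetical restricted role
    if ep.category == "Embedded" and ep.os_family == "Canon":
        return "printer"
    return "deny"

def profile(mac: str, category: str, os_family: str) -> None:
    """Fingerprint collected after the device is connected (e.g. from DHCP)."""
    ep = REPO.setdefault(mac, Endpoint())
    if ep.category and (ep.category, ep.os_family) != (category, os_family):
        ep.conflict = True               # stored profile kept, mismatch flagged
    else:
        ep.category, ep.os_family = category, os_family

def session(mac: str, category: str, os_family: str) -> str:
    """One connection: authorize first, profile afterwards."""
    role = authorize(mac)
    if role != "deny":
        profile(mac, category, os_family)
    return role

def demo() -> list:
    REPO[PRINTER_MAC] = Endpoint("Embedded", "Canon")    # already profiled printer
    return [
        session(PRINTER_MAC, "Embedded", "Canon"),   # genuine printer
        session(PRINTER_MAC, "Computer", "Linux"),   # other device, same MAC, first attempt
        session(PRINTER_MAC, "Computer", "Linux"),   # same device reconnecting
    ]

if __name__ == "__main__":
    print(demo())
```
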