April 19, 2023
Clearpass Profiling
Suryaa, Aruba ERT
Agenda
Introduction to profiling
Various methods
Profiling work-flow
Profile conflict
Introduction and its types
Profiling classifies endpoints using attributes obtained from software components called Collectors.
A device profile is a hierarchical model consisting of 3 elements (Device Category, Device Family and Device Name) derived by Profile from endpoint attributes.
Profiling on CPPM can be categorized into Active and Passive.
Passive:
1. DHCP
2. HTTP User Agent
3. TCP
4. ARP
5. CDP
6. OnGuard
7. Onboard
Active:
1. WMI
2. SSH
3. SNMP
4. NMAP
5. MDM
6. On-Demand Scan
Profile Collectors
DHCP
Clearpass Onboard
HTTP User-Agent
MAC OUI – Acquired during auth
CPPM OnGuard
SNMP
Subnet Scanner
IF-MAP
Cisco Device Sensor
MDM
TCP Fingerprinting
Network Service (DHCP)
Work-Flow (flowchart rendered as steps):
1. A DHCP DISCOVER is received and the Discover entry is recorded.
2. Wait up to 1 min for the DHCP REQUEST. If the Request is received, or once 1 min has elapsed, proceed.
3. Create a new DHCP Snooping table entry in the FDB.
4. Update the Device Profiler with the MAC and fingerprint details.
5. Was the same fingerprint and MAC received within the last 5 minutes? Yes: wait till the 5 min timer is complete. No: post the data to the async-netd Device Profiler.
Network Service Logs:
DEBUG com.avenda.tips.utils.udp.UDPServer - Received packet from /10.23.198.10 with length 484
DEBUG com.avenda.tips.utils.async.AsyncTask - Start task: com.avenda.tips.dhcp.snooper.tasks.ProcessDhcpMessageTask@2310a2b4
DEBUG com.avenda.tips.dhcp.snooper.tasks.ProcessDhcpMessageTask - DHCPDISCOVER :mac=808db7ce7290, ciaddr=/0.0.0.0,
DEBUG com.avenda.tips.dhcp.snooper.tasks.ProcessDhcpMessageTask - dhcpCache.size = 2 of 0
DEBUG com.avenda.tips.utils.async.AsyncTaskRegistry - Registering key=808db7ce7290: task=com.avenda.tips.dhcp.snooper.tasks.ProcessDhcpMessageTask@2310a2b4
DEBUG com.avenda.tips.dhcp.snooper.data.DhcpSnoopingTable - Creating new DHCP snooping table entry :MAC: 808db7ce7290 IP: Location: null Timestamp :1581080890744
DEBUG com.avenda.tips.utils.async.AsyncTask - Start task: com.avenda.tips.dhcp.snooper.tasks.WriteEntryToFdbTask@19e2c9d5
DEBUG com.avenda.tips.dhcp.snooper.tasks.WriteEntryToFdbTask - Persisting entry to FDB :"tips_dhcp_snooping_info_insert_or_update","808db7ce7290","",,"",1581080890744
DEBUG com.avenda.tips.utils.udp.UDPServer - Received packet from /10.23.198.10 with length 496
DEBUG com.avenda.tips.utils.async.AsyncTask - Start task: com.avenda.tips.dhcp.snooper.tasks.ProcessDhcpMessageTask@2ee81e3f
DEBUG com.avenda.tips.dhcp.snooper.tasks.ProcessDhcpMessageTask - DHCPREQUEST :mac=808db7ce7290, ciaddr=/0.0.0.0, ip=/10.23.198.34
DEBUG com.avenda.endpoints.EndpointService - Updated deviceprofiler with {"hostname":"","staticip":false,"ip":"10.23.198.34","mac":"808db7ce7290","dhcp":{"option60":["ArubaInstantAP"],"options":["53,61,60,50,54,55"],"option55":["1,3,4,6,12,15,28,42,43,60,66,67"]}}
Continued..
DEBUG com.avenda.tips.utils.udp.UDPServer - Received packet from /10.23.198.10 with length 322
DEBUG com.avenda.tips.utils.async.AsyncTask - Start task: com.avenda.tips.dhcp.snooper.tasks.ProcessDhcpMessageTask@5aa5ec77
DEBUG com.avenda.tips.dhcp.snooper.tasks.ProcessDhcpMessageTask - DHCPREQUEST :mac=38eaa7d9a627, ciaddr=/0.0.0.0, ip=/10.23.202.6
INFO com.avenda.tips.dhcp.snooper.tasks.ProcessDhcpMessageTask - Ignore duplicate DHCP message type: 3 for MAC: 38eaa7d9a627
DEBUG com.avenda.tips.utils.async.AsyncTask - Stop task: Task=com.avenda.tips.dhcp.snooper.tasks.ProcessDhcpMessageTask@5aa5ec77 stopped with success response. Alerts=[null]
DEBUG com.avenda.tips.utils.async.AsyncCompletionObserver - Got async completion event. Status={Success=true Alerts=null Error status=0} Result class=java.lang.Boolean
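The DHCP collector's job, as the work-flow and the logs above show, is to pull the fingerprint fields (option 55 parameter list, option 60 vendor class, and the order of options present) out of each DISCOVER/REQUEST and to suppress repeats of the same fingerprint from the same MAC inside the timer window. The following is an added example written for this page, not ClearPass code: it builds a constructed DHCPDISCOVER for the Aruba IAP MAC from the log, parses it into the same fingerprint shape the EndpointService log line shows, and keeps a small per-MAC snooping table with a 5 minute suppression window. The packet layout follows the BOOTP/DHCP wire format; the snooping-table logic is a simplification of the flow on the slide.

```python
import struct
from dataclasses import dataclass, field
from typing import Dict

DHCP_MAGIC = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 5: "DHCPACK"}


def build_discover(mac: bytes, vendor_class: bytes, param_list: bytes) -> bytes:
    """Build a constructed DHCPDISCOVER (BOOTP header + options) for this example.
    Option order 53,61,60,50,54,55 mirrors the 'options' list logged for the Aruba IAP."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,                                   # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
        0x12345678, 0, 0x8000,                        # xid, secs, flags (broadcast bit)
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr, yiaddr, siaddr, giaddr
        mac + b"\0" * 10, b"\0" * 64, b"\0" * 128,    # chaddr (16 bytes), sname, file
    )
    opts = DHCP_MAGIC
    opts += bytes([53, 1, 1])                              # message type: DISCOVER
    opts += bytes([61, 7, 1]) + mac                        # client identifier (type 1 = Ethernet)
    opts += bytes([60, len(vendor_class)]) + vendor_class  # vendor class identifier
    opts += bytes([50, 4, 10, 23, 198, 34])                # requested IP address (constructed)
    opts += bytes([54, 4, 10, 23, 198, 10])                # server identifier (constructed)
    opts += bytes([55, len(param_list)]) + param_list      # parameter request list
    return header + opts + b"\xff"                         # end option


def parse_dhcp(packet: bytes) -> dict:
    """Extract MAC, message type and the profiler-style fingerprint from a DHCP packet."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    hlen = packet[2]
    mac = packet[28:28 + hlen].hex()
    ciaddr = ".".join(str(b) for b in packet[12:16])
    options: Dict[int, bytes] = {}
    order = []
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == 255:                 # end option
            break
        if code == 0:                   # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:        # option claims more bytes than the packet has
            raise ValueError("truncated option %d" % code)
        options[code] = value
        order.append(code)
        i += 2 + length
    fp = {"options": [",".join(str(c) for c in order)]}
    if 60 in options:
        fp["option60"] = [options[60].decode("ascii", "replace")]
    if 55 in options:
        fp["option55"] = [",".join(str(b) for b in options[55])]
    msg_type = MSG_TYPES.get(options[53][0]) if options.get(53) else None
    return {"mac": mac, "ciaddr": ciaddr, "type": msg_type, "dhcp": fp}


@dataclass
class SnoopingTable:
    """Per-MAC record of the last fingerprint posted. A repeat of the same fingerprint
    from the same MAC inside the window is not posted again (the 5 minute timer)."""
    window_s: int = 300
    entries: Dict[str, dict] = field(default_factory=dict)

    def should_post(self, msg: dict, now: float) -> bool:
        prev = self.entries.get(msg["mac"])
        if prev and prev["dhcp"] == msg["dhcp"] and now - prev["ts"] < self.window_s:
            return False
        self.entries[msg["mac"]] = {"dhcp": msg["dhcp"], "ts": now}
        return True


# Constructed sample packet using the MAC and option values from the log above.
SAMPLE_DISCOVER = build_discover(bytes.fromhex("808db7ce7290"), b"ArubaInstantAP",
                                 bytes([1, 3, 4, 6, 12, 15, 28, 42, 43, 60, 66, 67]))

if __name__ == "__main__":
    print(parse_dhcp(SAMPLE_DISCOVER))
```

Feeding the parsed message through `SnoopingTable.should_post` twice within 300 seconds returns True then False, which is the behaviour the "Ignore duplicate DHCP message" log line reflects.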
Device Profiler
Work-flow (flowchart rendered as steps):
1. MAC received with fingerprints.
2. Am I the Profiler master for the zone? No: post to the Profiler Master. Yes: continue.
3. Is there an entry for the MAC in the DB [Tips & TipsLog]?
   - No: is there a rule defined for the fingerprint? Yes: the Custom Rule overrides the system-defined fingerprint. No: evaluate the fingerprint against the Device Fingerprint details on CPPM. Update the endpoint with the Device fingerprint info.
   - Yes: get the old fingerprint details. Is there an IP address change in the entry? Yes: get the new IP address to be updated. Then take the old fingerprint and the new fingerprint: are they the same? If not, are both fingerprints classifying the device as the same? If not, enable Profile conflict: compare the reliability and score of both fingerprints, choose the best of them and ignore the less reliable fingerprint.
4. Update the DB [tips & tipsLogDb] with the profiled information, along with the new IP, nmap ports and profile conflict, if any.
5. Is there a session for that MAC address [checks in redis/battery]? Yes: is any CoA profile applicable post profiling? Yes: initiate CoA. Otherwise: done.
Device Profiler
DEBUG Profile update mac:38eaa7d9a627 ip:10.23.202.6 hostname:desktop-ba941om fp:{u'dhcp': {u'option55': [u'1,3,6,15,31,33,43,44,46,47,119,121,249,252'], u'option60': [u'MSFT 5.0'], u'options': [u'53,61,50,12,81,60,55']}}
DEBUG Endpoint with (mac: 38eaa7d9a627, ip: 10.23.202.6) not present in tipsdb
DEBUG Endpoint with (mac: 38eaa7d9a627, ip: 10.23.202.6) not present in tipslogdb
DEBUG Match ep:38eaa7d9a627 field:<dhcp:option55 rel:98 score:95> key:[u'1,3,6,15,31,33,43,44,46,47,119,121,249,252'] dev:Windows 10
DEBUG Best match ep:38eaa7d9a627 field:<dhcp:option55 rel:98 score:95> device:<Computer, Windows, Windows 10> other:None
DEBUG Endpoint: 38eaa7d9a627 profiled to <Computer, Windows, Windows 10>
DEBUG Profile change for mac:38eaa7d9a627 old: None, new: <Computer, Windows, Windows 10>
DEBUG New endpoint: {mac: 38eaa7d9a627, ip: 10.23.202.6, static_ip:False, hostname: desktop-ba941om, mac_vendor: Hewlett Packard, device: <Computer, Windows, Windows 10>, other: None, conflict:False, fp: {"dhcp": {"option55": ["1,3,6,15,31,33,43,44,46,47,119,121,249,252"], "option60": ["MSFT 5.0"], "options": ["53,61,50,12,81,60,55"]}, "host": {"mac_vendor": ["Hewlett Packard"]}}, added_at: 2020-02-07 13:07:39.150409+00:00, updated_at: 2020-02-07 13:07:39.150409+00:00}
INFO CoA may be required for mac:38eaa7d9a627
DEBUG Updated endpoints: [u'38eaa7d9a627'] in tipsLogDb
DEBUG Updated endpoints: [u'38eaa7d9a627'] in tipsdb
WARNING No session for mac:38eaa7d9a627
DEBUG No coa profile applicable for mac:38eaa7d9a627
SNMP Profiling:
Endpoint information obtained by reading the SNMP MIBs of network devices is used to discover and profile static IP devices in the network.
The SNMP-based mechanism can only profile devices that respond to SNMP, or that advertise their capabilities via Link Layer Discovery Protocol (LLDP).
There are two ways to discover endpoints that are statically addressed:
ARP read
Subnet scan
ARP read is done from the NADs that have been added, and polling happens at the Device Poll Interval [Service Parameters].
Enable ARP read on the NAD if it is the L3 device; the ARP table on that device can then be used to discover endpoints on the network.
Subnet Scan is particularly useful in deployments that are geographically distributed. In such deployments, it is recommended that you assign the CPPM nodes in a cluster to multiple "Zones", based on the geographical area served by each node, and enable Profile on at least one node per zone.
By default, a CPPM node reads network device information only for devices configured to send traps to that CPPM node.
SNMP_TRAP RequestId=trap-1 Input=[NAD=10.23.193.63. Trap received at: Tue Mar 03 16:22:13 IST 2020. Trap type=LINK_DOWN NAD=10.23.193.63 ifIndex=127] Output=[null] Details=[Initiate port reset for NAD=10.23.193.63 portIndex=127 ]
SNMP_TRAP RequestId=trap-2 Input=[NAD=10.23.193.63. Trap received at: Tue Mar 03 16:22:13 IST 2020. Trap type=LINK_DOWN NAD=10.23.193.63 ifIndex=128] Output=[null] Details=[Initiate port reset for NAD=10.23.193.63 portIndex=128 ]
SNMP_TRAP Input=[NAD=10.23.193.63] Output=[Ignore v2c trap. Bad security name in trap] Details=[null]
SNMP_TRAP Input=[NAD=10.23.193.63] Output=[Ignore v2c trap. Bad security name in trap] Details=[null]
SNMP_TRAP Input=[NAD=10.23.193.63] Output=[Ignore v2c trap. Bad security name in trap] Details=[null]
SNMP_TRAP Input=[NAD=10.23.193.63] Output=[Ignore v2c trap. Bad security name in trap] Details=[null]
AGENTLESS_ENFORCEMENT RequestId=O00000001-01-5e5e36e8 Input=[MAC = f42e7fc9234e Nad IP=10.23.193.63 Nad Port=3/22] Output=[null] Details=[OnConnect enforcement not enabled for the switch 10.23.193.63: 10.23.193.63]
SNMP_TRAP RequestId=trap-5 Input=[NAD=10.23.193.63. Trap received at: Tue Mar 03 16:22:19 IST 2020. Trap type=LINK_UP NAD=10.23.193.63 ifIndex=128] Output=[null] Details=[Read MACs: [f4-2e-7f-c9-23-4e] ]
HTTP RequestId=profiler-post-00000001-01-5e5e33c7 Input=[Name=profiler-post URL=http://localhost:6180/async_netd/deviceprofiler/endpoints Headers: {} Body=[{"mac":"f42e7fc9234e"},{"mac":"9cdc71ffcec0"},{"mac":"b88303325345"},{"mac":"941882c83b02"},{"mac":"9020c2c2c101"},{"mac":"3821c72ea6fb"},{"mac":"b8830332537e"},{"mac":"3821c72e2611"},{"mac":"08f1ea5e0401"},{"mac":"b8830336d000"},{"mac":"f42e7fc930ee"}]] Output=[null] Details=[SUCCESS.]
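The trap log above mixes three outcomes that matter when profiling is silently incomplete: LINK_DOWN traps that reset the port, a LINK_UP trap that triggers the MAC table read, and v2c traps dropped with "Bad security name", which means the NAD's trap community does not match what ClearPass expects for that device and no MAC read will follow. The following is an added example written for this page, not ClearPass code: it parses the trap lines into records and summarizes, per NAD, how many traps were acted on, how many were ignored, and which MACs were read, so a NAD with a community mismatch can be flagged. The sample lines are the ones from this slide, reflowed onto single lines; the regular expression is written against that exact layout.

```python
import re
from collections import defaultdict

TRAP_RE = re.compile(
    r"^SNMP_TRAP(?: RequestId=(?P<rid>\S+))? Input=\[NAD=(?P<nad>\d+(?:\.\d+){3})"
    r"(?:\. Trap received at: (?P<ts>[^.]+)\. Trap type=(?P<ttype>\w+) NAD=\S+ ifIndex=(?P<ifidx>\d+))?\]"
    r" Output=\[(?P<output>[^\]]*)\] Details=\[(?P<details>.*)\]$"
)
MAC_RE = re.compile(r"[0-9a-f]{2}(?:-[0-9a-f]{2}){5}")

# Sample log lines copied from this slide (the two non-SNMP_TRAP lines are kept to show
# that the parser skips them).
SAMPLE_LINES = """\
SNMP_TRAP RequestId=trap-1 Input=[NAD=10.23.193.63. Trap received at: Tue Mar 03 16:22:13 IST 2020. Trap type=LINK_DOWN NAD=10.23.193.63 ifIndex=127] Output=[null] Details=[Initiate port reset for NAD=10.23.193.63 portIndex=127 ]
SNMP_TRAP RequestId=trap-2 Input=[NAD=10.23.193.63. Trap received at: Tue Mar 03 16:22:13 IST 2020. Trap type=LINK_DOWN NAD=10.23.193.63 ifIndex=128] Output=[null] Details=[Initiate port reset for NAD=10.23.193.63 portIndex=128 ]
SNMP_TRAP Input=[NAD=10.23.193.63] Output=[Ignore v2c trap. Bad security name in trap] Details=[null]
SNMP_TRAP Input=[NAD=10.23.193.63] Output=[Ignore v2c trap. Bad security name in trap] Details=[null]
SNMP_TRAP Input=[NAD=10.23.193.63] Output=[Ignore v2c trap. Bad security name in trap] Details=[null]
SNMP_TRAP Input=[NAD=10.23.193.63] Output=[Ignore v2c trap. Bad security name in trap] Details=[null]
AGENTLESS_ENFORCEMENT RequestId=O00000001-01-5e5e36e8 Input=[MAC = f42e7fc9234e Nad IP=10.23.193.63 Nad Port=3/22] Output=[null] Details=[OnConnect enforcement not enabled for the switch 10.23.193.63: 10.23.193.63]
SNMP_TRAP RequestId=trap-5 Input=[NAD=10.23.193.63. Trap received at: Tue Mar 03 16:22:19 IST 2020. Trap type=LINK_UP NAD=10.23.193.63 ifIndex=128] Output=[null] Details=[Read MACs: [f4-2e-7f-c9-23-4e] ]
""".splitlines()


def parse_trap_line(line):
    """Return the named groups of one SNMP_TRAP line, or None for any other line."""
    m = TRAP_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize_traps(lines):
    """Per-NAD counts of handled LINK_DOWN/LINK_UP traps, ignored traps, and MACs read."""
    per_nad = defaultdict(lambda: {"link_down": 0, "link_up": 0, "ignored": 0, "macs": []})
    for line in lines:
        rec = parse_trap_line(line)
        if rec is None:
            continue
        stats = per_nad[rec["nad"]]
        if rec["output"].startswith("Ignore"):
            stats["ignored"] += 1            # trap dropped: no MAC read will be triggered
        elif rec["ttype"] == "LINK_DOWN":
            stats["link_down"] += 1
        elif rec["ttype"] == "LINK_UP":
            stats["link_up"] += 1
            stats["macs"].extend(MAC_RE.findall(rec["details"]))
    return dict(per_nad)


def nads_with_ignored_traps(summary):
    """NADs whose traps are being discarded; check their trap community/security name."""
    return sorted(nad for nad, stats in summary.items() if stats["ignored"])


if __name__ == "__main__":
    s = summarize_traps(SAMPLE_LINES)
    print(s)
    print("check SNMP trap settings on:", nads_with_ignored_traps(s))
```

Run against the sample, the summary for 10.23.193.63 shows two LINK_DOWN, one LINK_UP with one MAC read, and four ignored traps, so the NAD is listed for a trap-settings check.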
Network Service [SNMP]
Work-flow (flowchart rendered as steps):
Triggers: adding a NAD in Configuration >> Devices (DBCN trigger), or an SNMP Trap received.
1. SNMP Read enabled? No: stop. Yes: continue.
2. Is this CPPM node the SNMP target for the NAD (read from the CPPM SNMP target table)? If not, is Force read enabled? If either is yes: read the MAC table and the CDP/LLDP info on the specific port.
3. Read ARP: is the NAD selected in Devices for ARP read? Yes: read ARP from the NAD with CDP/LLDP and also from the neighbours, up to the depth configured. Delay for the device poll interval, then repeat.
4. Netscan does SSH/WMI/NMAP on the discovered devices and collects the respective fingerprints.
5. Post the fingerprint to the Device Profiler.
Network Scan:
Apart from ARP read, we are going to see how device scan works.
There are 2 ways to implement this:
A: Network Scan
B: Subnet Scan
Network Scan:
Device Discovery through Network Scan is a two-step process that identifies and profiles network access devices (switches and routers) and the endpoints connected to them.
Step 1: SNMP is used to read information from the Bridge, ARP, LLDP and CDP MIBs on a network access seed device (switch or router). This information is used to discover neighbouring network access devices. The process is repeated for each neighbouring device until the scan depth limit is reached.
Step 2: IP-to-MAC mapping information is fetched from the ARP tables of the network access devices to generate a scan of each connected endpoint. This scan looks for specific open ports and then uses SNMP, SSH and WMI to profile the endpoint.
Network Scan
If port 22 is open, use SSH to log in and collect profiling information.
If port 135 is open, use WMI to log in and collect profiling information.
If port 161 is open, use SNMP to collect profiling information.
If port 135 and port 3389 are both open, assume the endpoint is Windows based.
Example: Scan Depth = 2
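The two-step Network Scan described above (walk CDP/LLDP neighbours from the seed up to the scan depth, then read each discovered NAD's ARP table) is, in outline, a breadth-first search with a hop limit. The following is an added example written for this page, not ClearPass code, that runs that walk over a constructed topology: the NAD IPs reuse the addresses from the network-scan log on the next slide, the links between them and the ARP tables are invented, and the endpoint MACs are reused from the profiler-post body on the SNMP slide. It assumes that "scan depth" counts hops from a seed device, so a NAD that is scan_depth hops away is discovered but its own neighbours are not queried; that reading is the example's, not the slide's.

```python
from collections import deque

# Constructed CDP/LLDP adjacency between NADs (links are invented).
NEIGHBORS = {
    "10.23.193.150": ["10.23.193.65", "10.23.193.84"],
    "10.23.193.65": ["10.23.193.150", "10.23.193.61"],
    "10.23.193.84": ["10.23.193.150", "10.23.193.121"],
    "10.23.193.61": ["10.23.193.65", "10.23.193.132"],
    "10.23.193.121": ["10.23.193.84"],
    "10.23.193.132": ["10.23.193.61", "10.23.193.2"],
    "10.23.193.2": ["10.23.193.132"],
}

# Constructed ARP tables (endpoint IP -> MAC) as read from each NAD. One endpoint is
# deliberately visible from two NADs to show that it is counted once.
ARP_TABLES = {
    "10.23.193.150": {"10.23.194.10": "f42e7fc9234e"},
    "10.23.193.65": {"10.23.194.11": "9cdc71ffcec0", "10.23.194.12": "b88303325345"},
    "10.23.193.84": {"10.23.194.10": "f42e7fc9234e"},
    "10.23.193.61": {"10.23.194.13": "941882c83b02"},
    "10.23.193.132": {"10.23.194.14": "9020c2c2c101"},
}


def discover_nads(seeds, scan_depth, neighbors=NEIGHBORS):
    """Step 1: breadth-first walk over CDP/LLDP neighbours from the seed devices.
    Returns {nad_ip: hops_from_seed}; devices beyond scan_depth are never queried."""
    found = {seed: 0 for seed in seeds}
    queue = deque(seeds)
    while queue:
        nad = queue.popleft()
        if found[nad] >= scan_depth:
            continue                     # depth limit reached: do not read this NAD's neighbours
        for nb in neighbors.get(nad, []):
            if nb not in found:          # 'already discovered as NAD' case in the log
                found[nb] = found[nad] + 1
                queue.append(nb)
    return found


def discover_endpoints(nads, arp_tables=ARP_TABLES):
    """Step 2: read the ARP table of every discovered NAD. The first NAD that reports a
    MAC keeps it, so an endpoint seen through two switches is profiled once."""
    endpoints = {}
    for nad in nads:
        for ip, mac in arp_tables.get(nad, {}).items():
            endpoints.setdefault(mac, {"ip": ip, "nad": nad})
    return endpoints


def run_scan(seeds, scan_depth):
    nads = discover_nads(seeds, scan_depth)
    endpoints = discover_endpoints(nads)
    summary = "Total number of discovered Nads: %d - Total endpoints found: %d" % (
        len(nads), len(endpoints))
    return {"nads": nads, "endpoints": endpoints, "summary": summary}


if __name__ == "__main__":
    result = run_scan(["10.23.193.150"], scan_depth=2)
    for nad, hops in result["nads"].items():
        print("New NAD discovered with ip %s (depth %d)" % (nad, hops))
    print(result["summary"])
```

With the seed 10.23.193.150 and depth 2, the walk stops at 10.23.193.61 and 10.23.193.121; 10.23.193.132 and 10.23.193.2 are three and four hops away and stay undiscovered, which is the practical meaning of the depth limit: endpoints behind those switches will not be profiled by this scan.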
Network Logs:
Initialized network scan config table
Network discovery request received from Zone master - {"seedDevices":["10.23.193.150"],"configId":"5","scanDepth":2,"scanRunId":"discovery-5-1583500500002","probeArp":true}
New NAD discovered with ip 10.23.193.150
Network scan started for 1 seed devices: [10.23.193.150]
com.avenda.tips.snmpserver.snmptasks.ReadNadInfoTask - Updated NAD info added for IP=10.23.193.150
Finished processing nadClient with ip 10.23.193.150
NAD with ip 10.23.193.150 already discovered as NAD 10.23.193.150
SNMP task started for entries: 2
Continued..
New NAD discovered with ip 10.23.193.65
New NAD discovered with ip 10.23.193.84
New NAD discovered with ip 10.23.193.61
New NAD discovered with ip 10.23.193.121
New NAD discovered with ip 10.23.193.132
New NAD discovered with ip 10.23.193.64
New NAD discovered with ip 10.23.193.63
New NAD discovered with ip 10.23.193.2
Total number of discovered Nads: 9
- Finished processing the auto discover.
Total number of discovered Nads: 13
- Total endpoints found: 41
Subnet Scan
Instead of probing network access devices to discover connected endpoints, subnet scans probe all addresses in the selected subnets. When an endpoint is detected.
Note: Port logic remains the same as in Network Scan.
NMAP is used to discover the devices and whether they have SNMP port 161 open; these devices are then fingerprinted to gather additional data. The devices are probed using the SNMP/SSH/NMAP credentials configured in Administration >> External Accounts.
Subnet Scan workflow (flowchart rendered as steps):
1. Initiate the scan (scheduled or on-demand).
2. Discover all endpoints/network devices in the subnet.
3. Try to make a connection to the discovered devices through ports 135 & 3389; are they open? Yes: initiate a WMI scan with the provided credentials and get the system name details and OS.
4. No: is NMAP profiling enabled in the cluster parameters? Yes: get all the open ports from the device. No: do an NMAP scan to see if 161 and 22 are open.
   - Port 161 open: initiate an SNMP scan with the provided credentials and get the SNMP output for snmp-name, sys_desc and sw version.
   - Port 22 open: SSH scan initiated with the provided credentials; execute the commands 'show ip' & 'show version' and get the output.
   - Neither open: ignore, move to the next device.
5. Drain the accumulated output and post to the Device Profiler the accumulated outputs from SSH, SNMP, WMI & ports.
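The port rules on the Network Scan slide (22 SSH, 135 WMI, 161 SNMP, 135 plus 3389 implies Windows) and the Subnet Scan workflow above share the same decision: given the ports a host answers on, pick the collectors to run, then turn each collector's raw output into fields the Device Profiler can use. The following is an added example written for this page, not ClearPass code, covering both slides: a collector plan from a set of open ports, a TCP probe with a hard timeout (the log shows filtered ports as "dial tcp ... i/o timeout"), and a parser for the "Key : Value" layout of the CPPM CLI responses ('show version', 'show ip') that the SSH step collects. The CLI text is constructed in the shape of the captured output on the next slides; the parser keeps the two "Hardware Address" values apart by tracking the "Device Type" sections. The probe function is not exercised by the checks because it needs a network.

```python
import re
import socket

SSH_PORT, WMI_PORT, SNMP_PORT, RDP_PORT = 22, 135, 161, 3389


def plan_collectors(open_ports):
    """Map open ports to the collectors the scan should run (the slide's port rules)."""
    ports = set(open_ports)
    plan = {"collectors": [], "assume_windows": False}
    if SSH_PORT in ports:
        plan["collectors"].append("ssh")
    if WMI_PORT in ports:
        plan["collectors"].append("wmi")
    if SNMP_PORT in ports:
        plan["collectors"].append("snmp")
    if WMI_PORT in ports and RDP_PORT in ports:
        plan["assume_windows"] = True
    return plan


def is_port_open(host, port, timeout=2.0):
    """TCP connect probe with a hard timeout so a filtered port fails fast."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed CPPM CLI output in the shape of the 'show version' / 'show ip' responses
# captured on the Subnet Scan slides (values are sample values, not a real appliance).
SHOW_VERSION = (
    "show version\r\n\r\n================\r\n"
    "Policy Manager software version : 6.6.10.106403\r\n"
    "Policy Manager model number : CP-VA-500\r\n"
    "================\r\n"
)
SHOW_IP = (
    "show ip\r\n\r\n================\r\nDevice Type : Management Port\r\n"
    "----------------\r\nIPv4 Address : 10.23.194.76\r\nSubnet Mask : 255.255.255.0\r\n"
    "Gateway : 10.23.194.1\r\nHardware Address : 00:0C:29:D2:D1:21\r\nMTU : 1500\r\n"
    "================\r\nDevice Type : Data Port\r\n----------------\r\n"
    "IPv4 Address : <not configured>\r\nHardware Address : 00:0C:29:D2:D1:2B\r\nMTU : 1500\r\n"
    "================\r\n DNS Information \r\n----------------\r\n"
    "Primary DNS : 10.17.170.105\r\nSecondary DNS : 8.8.8.8\r\n"
)


def parse_cli_output(text):
    """Parse 'Key : Value' lines into {section: {key: value}}. A 'Device Type' line or a
    bare header line opens a new section, so repeated keys in different sections
    (the two 'Hardware Address' lines in 'show ip') do not overwrite each other."""
    sections, current = {}, ""
    for raw in re.split(r"\r?\n", text):
        line = raw.strip()
        if not line or set(line) <= {"=", "-"}:      # blank or separator line
            continue
        if " : " not in line:                         # command echo or section header
            current = line
            sections.setdefault(current, {})
            continue
        key, _, value = line.partition(" : ")
        key, value = key.strip(), value.strip()
        if key == "Device Type":
            current = value
            sections.setdefault(current, {})
        else:
            sections.setdefault(current, {})[key] = value
    return sections


def fingerprint_from_scan(open_ports, ssh_outputs=None):
    """Assemble what the scanner would post to the Device Profiler for one host."""
    fp = {"ports": sorted(set(open_ports)), "plan": plan_collectors(open_ports)}
    if ssh_outputs and "ssh" in fp["plan"]["collectors"]:
        fp["ssh"] = {}
        for out in ssh_outputs:
            fp["ssh"].update(parse_cli_output(out))
    return fp


if __name__ == "__main__":
    print(fingerprint_from_scan({22, 161}, [SHOW_VERSION, SHOW_IP]))
```

For a host answering on 22 and 161 the plan is ssh plus snmp, and the parsed 'show ip' gives the management-port MAC 00:0C:29:D2:D1:21 and the data-port MAC 00:0C:29:D2:D1:2B as separate entries.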
Subnet Scan:
Load HTTP credentials
scan(host) - [sched-3-1583326814:1] start scan[nmap openports snmp ssh wmi] on hosts:10.23.194.0/24
DEBUG scan - [sched-3-1583326814:1] scanner not used/enabled for host:nmap ip:10.23.194.76
IsPortOpen: Connection failed for 10.23.194.76:135 - dial tcp 10.23.194.76:135: i/o timeout
IsPortOpen: Connection failed for 10.23.194.76:3389 - dial tcp 10.23.194.76:3389: i/o timeout
<!-- Nmap 7.70 scan initiated Wed Mar 4 18:30:55 2020 as: nmap -sU -p U:161 -n -PE -PP -oX - 10.23.194.76 -->
: <nmaprun scanner="nmap" args="nmap -sU -p U:161 -n -PE -PP -oX - 10.23.194.76"
start="1583326855" startstr="Wed Mar 4 18:30:55 2020" version="7.70" xmloutputversion="1.04">
<address addr="10.23.194.76" addrtype="ipv4"/>
DEBUG scan(snmp) - host:10.23.194.76 has port(161) open
DEBUG ssh - [sched-3-1583326814:1] start scan for 10.23.194.76
DEBUG 10.23.194.76:22: Session closed
DEBUG SSH session failed with cred ID=3004 user=admin for 10.23.194.76:22 (auth subnet 10.23.194.0/24)
SSH session success with user=appadmin for 10.23.194.76:22 (auth subnet 10.23.194.0/24)
DEBUG Starting dialog cppm with '10.23.194.76:22'
SSH session success with user=appadmin for 10.23.194.76:22 (auth subnet 10.23.194.0/24)
DEBUG 10.23.194.76:22: Sending command - show version
DEBUG 10.23.194.76:22: Sending command - show ip
Continued..
DEBUG 10.23.194.76:22: Command output -
"show version\r\n\n\r\n================================================\r\nPolicy Manager
software version : 6.6.10.106403\r\nPolicy Manager model number : CP-VA-
500\r\n================================================\r\n\r\n\n[
DEBUG 10.23.194.76:22: Command output -
"show ip\r\n\n\r\n===========================================\r\nDevice Type : Management Port\r
\n-------------------------------------------\r\nIPv4
Address : 10.23.194.76\r\nSubnet Mask : 255.255.255.0\r\nGateway : 10.23.194.1\
r\n\r\nIPv6
Address : 2001:4898:2005:2::13\r\n\nSubnet Mask : ffff:ffff:ffff:ffff::\r\n\nGateway
: \r\n\n\r\n\nHardware Address
: 00:0C:29:D2:D1:21\r\n\nMTU : 1500\r\n\n===========================================\r
\n\nDevice Type : Data Port\r\n\n-------------------------------------------\r\n\nIPv4
Address : <not configured>\r\n\nSubnet Mask : <not
configured>\r\n\nGateway : <not configured>\r\n\n\r\n\nIPv6 Address : <not
configured>\r\n\nSubnet Mask : <not configured>\r\n\nGateway : <not
configured>\r\n\n\r\n\nHardware Address
: 00:0C:29:D2:D1:2B\r\n\nMTU : 1500\r\n\n\r\n=========================================
==\r\n DNS Information \r\n-------------------------------------------
\r\nPrimary DNS : 10.17.170.105\r\nSecondary DNS : 8.8.8.8\r\nTertiary DNS : 1.2.3.4\r\n===
========================================\r\n\n\r\n\n[
[email protected]]# ”
"mac":"08f1ea4c2980"},{"ip":"10.23.193.159","snmp":{"name":"HP-VSF-Switch","sys_descr":"HP Switch
5412Rzl2 VSF VC, revision KB.16.09.0003, ROM
KB.16.01.0006 (/ws/swbuildm/rel_zootopia_qaoff/code/build/bom(swbuildm_rel_zootopia_qaoff_rel_zootopia)
)"}
Profiler Conflict
Work-flow (flowchart rendered as steps; the same flow as the Device Profiler slide, with the IP-only path added):
1. MAC received with fingerprints; or an IP received with fingerprints, in which case a synthetic MAC starting with "xa" is created.
2. Am I the Profiler master for the zone? No: post to the Profiler Master. Yes: continue.
3. Is there an entry for the MAC in the DB [Tips & TipsLog]?
   - No: is there a rule defined for the fingerprint? Yes: the Custom Rule overrides the system-defined fingerprint. No: evaluate the fingerprint against the Device Fingerprint details on CPPM. Update the endpoint with the Device fingerprint info.
   - Yes: get the old fingerprint details. Is there an IP address change in the entry? Yes: get the new IP address to be updated. Then take the old fingerprint and the new fingerprint: are they the same? If not, are both fingerprints classifying the device as the same? If not, enable Profile conflict: compare the reliability and score of both fingerprints, choose the best of them and ignore the less reliable fingerprint.
4. Update the DB [tips & tipsLogDb] with the profiled information, along with the new IP and profile conflict, if any.
5. Is there a session for that MAC address [checks in redis/battery]? Yes: is any CoA profile applicable post profiling? Yes: initiate CoA. Otherwise: done.
DEBUG Profile update mac:f42e7fc9234e ip:10.23.20.174 hostname:None fp:{u'host': {u'user_agent': u'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.116 Safari/537.36'}}
DEBUG Endpoint: {mac: f42e7fc9234e, ip: 10.23.198.36, static_ip:False, hostname: , mac_vendor: Aruba, a Hewlett Packard Enterprise Company, device: <Access Points, Aruba, Aruba IAP>, other: <None, None, None>, conflict:False, fp: {"dhcp": {"option55": ["1,3,4,6,12,15,28,42,43,60,66,67,148"], "option60": ["ArubaInstantAP"], "options": ["53,61,60,50,54,55"]}, "host": {"mac_vendor": ["Aruba, a Hewlett Packard Enterprise Company"]}}, added_at: 2020-02-24 18:37:02.270858+05:30, updated_at: 2020-02-24 18:37:02.270858+05:30} loaded from tipslogdb
DEBUG Endpoint: {mac: f42e7fc9234e, ip: 10.23.198.36, static_ip:False, hostname: , mac_vendor: Aruba, a Hewlett Packard Enterprise Company, device: <Access Points, Aruba, Aruba IAP>, other: <None, None, None>, conflict:False, fp: {"dhcp": {"option55": ["1,3,4,6,12,15,28,42,43,60,66,67,148"], "option60": ["ArubaInstantAP"], "options": ["53,61,60,50,54,55"]}, "host": {"mac_vendor": ["Aruba, a Hewlett Packard Enterprise Company"]}}, added_at: 2020-02-24 18:37:02.270858+05:30, updated_at: 2020-02-24 18:37:02.270858+05:30} loaded from tipsdb
DEBUG IP change for mac:f42e7fc9234e old: 10.23.198.36, new: 10.23.20.174
DEBUG Match ep:f42e7fc9234e field:<dhcp:option60 rel:99 score:96> key:[u'ArubaInstantAP'] dev:Aruba IAP
DEBUG Match ep:f42e7fc9234e field:<host:user_agent rel:10 score:99> key:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.116 Safari/537.36 dev:Mac OS X
DEBUG Best match ep:f42e7fc9234e field:<dhcp:option60 rel:99 score:96> device:<Access Points, Aruba, Aruba IAP> other:<Computer, Apple Mac, Mac OS X>
DEBUG Endpoint: f42e7fc9234e profiled to <Access Points, Aruba, Aruba IAP>
INFO Conflict on mac:f42e7fc9234e device:<Access Points, Aruba, Aruba IAP> other:<Computer, Apple Mac, Mac OS X>
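The Device Profiler log (slide 9) and the Profiler Conflict log above show the same decision from two angles: every fingerprint field that matches a rule yields a candidate device with a reliability and a score; the best candidate wins; and if another candidate names a different device, the endpoint is marked as a conflict rather than silently reprofiled. In the conflict case the DHCP option 60 match (rel 99, score 96) beats the HTTP user-agent match (rel 10, score 99), so reliability is compared before score. The following is an added example written for this page, not ClearPass code, that implements that selection over a constructed rule table whose rel/score values are the ones in the logs; the records it runs on are constructed from the two log excerpts. The ordering rule (reliability first, then score) and the merge of old and new fingerprint groups are the example's reading of the logs and flowcharts, not a documented ClearPass algorithm.

```python
# Constructed rule table (an assumption): field to match, the value, and the device
# classification with the reliability/score shown in the profiler logs on this page.
RULES = [
    {"field": "dhcp:option55", "key": "1,3,6,15,31,33,43,44,46,47,119,121,249,252",
     "rel": 98, "score": 95, "device": ("Computer", "Windows", "Windows 10")},
    {"field": "dhcp:option60", "key": "ArubaInstantAP",
     "rel": 99, "score": 96, "device": ("Access Points", "Aruba", "Aruba IAP")},
    {"field": "host:user_agent", "key": "Macintosh; Intel Mac OS X", "substring": True,
     "rel": 10, "score": 99, "device": ("Computer", "Apple Mac", "Mac OS X")},
]


def match_rules(fp):
    """Return every rule matching a fingerprint shaped like the logs:
    {"dhcp": {"option60": [...], ...}, "host": {"user_agent": "...", ...}}."""
    hits = []
    for rule in RULES:
        group, name = rule["field"].split(":")
        values = fp.get(group, {}).get(name)
        if values is None:
            continue
        if isinstance(values, str):
            values = [values]
        for v in values:
            if (rule["key"] in v) if rule.get("substring") else (rule["key"] == v):
                hits.append(rule)
                break
    return hits


def classify(fp):
    """Best match wins on reliability, then score. Any remaining match that names a
    different device becomes 'other' and sets the conflict flag."""
    hits = sorted(match_rules(fp), key=lambda r: (r["rel"], r["score"]), reverse=True)
    if not hits:
        return {"device": None, "other": None, "conflict": False}
    best = hits[0]["device"]
    other = next((r["device"] for r in hits[1:] if r["device"] != best), None)
    return {"device": best, "other": other, "conflict": other is not None}


def merge_fingerprints(old, new):
    """Keep the stored groups and overlay the new ones, so an earlier DHCP fingerprint
    still counts when a later HTTP user-agent arrives for the same MAC."""
    merged = {group: dict(vals) for group, vals in old.items()}
    for group, vals in new.items():
        merged.setdefault(group, {}).update(vals)
    return merged


def update_endpoint(existing, update):
    """existing: the stored endpoint record, or None; update: {"mac", "ip", "fp"}.
    Returns the new record plus the change flags the profiler logs report."""
    fp = merge_fingerprints(existing["fp"] if existing else {}, update["fp"])
    result = classify(fp)
    return {
        "mac": update["mac"], "ip": update["ip"], "fp": fp,
        "ip_changed": existing is not None and existing["ip"] != update["ip"],
        "profile_changed": (existing["device"] if existing else None) != result["device"],
        **result,
    }


# Constructed records following the two log excerpts on this page.
STORED_IAP = {
    "mac": "f42e7fc9234e", "ip": "10.23.198.36",
    "device": ("Access Points", "Aruba", "Aruba IAP"),
    "fp": {"dhcp": {"option55": ["1,3,4,6,12,15,28,42,43,60,66,67,148"],
                    "option60": ["ArubaInstantAP"], "options": ["53,61,60,50,54,55"]},
           "host": {"mac_vendor": ["Aruba, a Hewlett Packard Enterprise Company"]}},
}
UA_UPDATE = {
    "mac": "f42e7fc9234e", "ip": "10.23.20.174",
    "fp": {"host": {"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) "
                                  "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.116 Safari/537.36"}},
}
WINDOWS_UPDATE = {
    "mac": "38eaa7d9a627", "ip": "10.23.202.6",
    "fp": {"dhcp": {"option55": ["1,3,6,15,31,33,43,44,46,47,119,121,249,252"],
                    "option60": ["MSFT 5.0"], "options": ["53,61,50,12,81,60,55"]}},
}

if __name__ == "__main__":
    print(update_endpoint(STORED_IAP, UA_UPDATE))
    print(update_endpoint(None, WINDOWS_UPDATE))
```

The conflict case reproduces the log: device stays Aruba IAP, other is Mac OS X, the IP change is reported, and the profile itself does not change. A MAC that was profiled as an access point and then presents a desktop browser user-agent from a new IP is exactly the kind of endpoint that deserves a look before any CoA relaxes its access, which is why the conflict flag is stored rather than resolved away.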
Clearpass profiling Technote
https://www.hpe.com/psnow/doc/a00100323en_us
Thank you