Technical Overview
Aruba ClearPass Profile is a ClearPass Policy Manager module that performs device profiling. Once you enable the module, it automatically collects a variety of data about endpoints, analyzes the data to classify the endpoints, and stores the classifications as device profiles in an endpoint repository. You can then use the device profiles in enforcement policies to control access to your network. For example, you could create an enforcement policy that grants endpoints profiled as VoIP phones access to specific servers in your network. Or you could create an enforcement policy that places all endpoints profiled as access points in a specific VLAN.
A device profile classifies an endpoint according to the following three hierarchical elements:
Category—This is the broadest classification of a device. It denotes the type of the device—for example, access point, VoIP phone, printer, computer, or smart device.
Family—Devices within a category are organized into families based on type of OS or type of vendor. For example, when the device category is computer, the family might be Windows, Linux, or Mac OS X. When the device category is smart device, the family might be Apple or Android.
Name—Devices within a family are further organized by more granular details, such as version. For example, when the device family is Windows, the device name might be Windows 7 or Windows 2008 server.
In addition to the hierarchical classification above, a device profile can contain information such as IP address, hostname, vendor, and time when the device was first discovered or when it was last seen.
To profile devices, Aruba ClearPass Profile uses a number of different types of collectors to collect data on endpoints. For a complete list of the kinds of collectors used, see the Aruba ClearPass documentation. This network configuration example relies on data provided by the DHCP and MAC Organizationally Unique Identifier (OUI) collectors:
DHCP collector—Collects DHCP attributes such as option55 (parameter request list), option60 (vendor class), and options list from DHCPDiscover and DHCPRequest packets. This information can uniquely fingerprint most endpoints that use DHCP to acquire an IP address on the network. DHCP packets also provide the hostname and IP address of a device.
For the DHCP collector to be able to collect this information, Aruba ClearPass must receive DHCP packets from the endpoints. DHCP relay on EX Series switches allows a switch to send the initial DHCPDiscover and DHCPRequest packets from endpoints to more than one receiver. Configuring ClearPass as one of these receivers allows ClearPass to listen in on the DHCP message exchange between the DHCP servers and client endpoints and to collect the required information from the DHCP packets.
MAC OUI collector—Collects the OUI portion of a device’s MAC address. The MAC OUI can be used to better classify some endpoints. For example, DHCP fingerprinting can classify an endpoint as a generic Android device, but it cannot provide information about the vendor. By using the MAC OUI in addition to DHCP fingerprinting, ClearPass Profile can classify an Android device as an HTC Android device, a Samsung Android device, a Motorola Android device, and so on. ClearPass Profile can also use the MAC OUI to profile devices such as printers that might have static IP addresses.
The MAC OUI collector obtains the MAC OUI from the MAC address information included in the RADIUS request packets sent from the EX Series switch on behalf of the endpoint.
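The following is an added example, not part of this configuration example or of Aruba's ClearPass code, that shows what the two collectors described above actually extract and how their results combine into a category/family/name profile. It parses a constructed DHCPDISCOVER packet for option 55 (parameter request list), option 60 (vendor class) and option 12 (hostname), takes the OUI from the client hardware address, and then classifies the endpoint: a DHCP fingerprint that only says "generic Android" is refined to "Samsung Android" by the OUI, and a printer with a static IP that never sends DHCP is classified from its OUI alone. The fingerprint table and the OUI-to-vendor table are constructed placeholders (the OUIs are not real IEEE assignments) standing in for the ClearPass fingerprint database, and the classification rules are assumptions, not ClearPass's actual logic.

```python
import struct
from dataclasses import dataclass
from typing import Optional

MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie that precedes the options field (RFC 2131)
OPT_HOSTNAME, OPT_MSGTYPE, OPT_PARAM_LIST, OPT_VENDOR_CLASS = 12, 53, 55, 60

# Constructed sample fingerprint table: option 55 list -> (category, family, name).
# The real ClearPass fingerprint database is far larger; these rows are illustrative only.
DHCP_FINGERPRINTS = {
    "1,3,6,15,31,33,43,44,46,47,121,249,252": ("Computer", "Windows", "Windows 7"),
    "1,3,6,15,26,28,51,58,59,43": ("SmartDevice", "Android", "Generic Android"),
}
# Constructed placeholder OUIs (not real IEEE assignments) -> vendor name.
OUI_VENDORS = {"00:11:22": "HTC", "00:11:33": "Samsung", "00:11:44": "ExamplePrinterCo"}
# Vendors whose OUI alone implies a category, e.g. printers with static IPs that never send DHCP.
OUI_ONLY_CLASSES = {"ExamplePrinterCo": ("Printer", "ExamplePrinterCo", "Unknown")}


@dataclass
class Profile:
    mac: str
    hostname: Optional[str]
    category: str
    family: str
    name: str


def parse_dhcp(pkt: bytes) -> dict:
    """Parse a BOOTP/DHCP payload into the client MAC (chaddr) and an options dict (code -> bytes)."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    hlen = pkt[2]                      # hardware address length, 6 for Ethernet
    chaddr = pkt[28:28 + hlen]
    options: dict[int, bytes] = {}
    i = 240
    while i < len(pkt):
        code = pkt[i]
        if code == 0:                  # pad option, no length byte
            i += 1
            continue
        if code == 255:                # end option
            break
        if i + 2 > len(pkt):
            raise ValueError("truncated option header")
        length = pkt[i + 1]
        value = pkt[i + 2:i + 2 + length]
        if len(value) != length:       # packet cut short inside an option value
            raise ValueError(f"truncated option {code}")
        options[code] = options.get(code, b"") + value   # RFC 3396: repeated codes concatenate
        i += 2 + length
    return {"chaddr": chaddr, "options": options}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def oui_of(mac: str) -> str:
    """The OUI is the first three octets of the MAC address."""
    return mac[:8].lower()


def dhcp_fingerprint(options: dict) -> Optional[str]:
    """Option 55 (parameter request list) rendered as the comma-joined fingerprint string."""
    prl = options.get(OPT_PARAM_LIST)
    return ",".join(str(b) for b in prl) if prl else None


def classify(mac: str, options: Optional[dict]) -> Profile:
    """Combine the DHCP fingerprint (if any) with the MAC OUI into a category/family/name profile."""
    vendor = OUI_VENDORS.get(oui_of(mac))
    hostname = None
    category, family, name = "Unknown", "Unknown", "Unknown"
    if options:
        host = options.get(OPT_HOSTNAME)
        hostname = host.decode("ascii", "replace") if host else None
        category, family, name = DHCP_FINGERPRINTS.get(dhcp_fingerprint(options), (category, family, name))
    if category == "Unknown" and vendor in OUI_ONLY_CLASSES:   # no usable DHCP data: fall back to OUI
        category, family, name = OUI_ONLY_CLASSES[vendor]
    if family == "Android" and vendor:                          # OUI refines a generic Android profile
        name = f"{vendor} Android"
    return Profile(mac, hostname, category, family, name)


def build_discover(mac: bytes, hostname: str, vendor_class: str, param_list: bytes) -> bytes:
    """Construct a minimal DHCPDISCOVER (sample input for this example, not a captured packet)."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 0, 0x3903F326, 0, 0x8000,        # op, htype, hlen, hops, xid, secs, flags
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,  # ciaddr, yiaddr, siaddr, giaddr
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = MAGIC + bytes([OPT_MSGTYPE, 1, 1])                         # message type 1 = DHCPDISCOVER
    opts += bytes([OPT_HOSTNAME, len(hostname)]) + hostname.encode()
    opts += bytes([OPT_VENDOR_CLASS, len(vendor_class)]) + vendor_class.encode()
    opts += bytes([OPT_PARAM_LIST, len(param_list)]) + param_list
    return header + opts + b"\xff"


def demo() -> list:
    # Android phone seen through DHCP relay: fingerprint says "generic Android", OUI adds the vendor.
    android = build_discover(bytes.fromhex("001133aabbcc"), "galaxy-s", "dhcpcd-5.5.6",
                             bytes([1, 3, 6, 15, 26, 28, 51, 58, 59, 43]))
    parsed = parse_dhcp(android)
    phone = classify(mac_str(parsed["chaddr"]), parsed["options"])
    # Printer with a static IP: no DHCP traffic, only the MAC carried in the RADIUS request.
    printer = classify("00:11:44:00:00:01", None)
    return [phone, printer]


if __name__ == "__main__":
    for profile in demo():
        print(profile)
```

Note that the parser refuses a packet whose last option is cut short rather than silently fingerprinting a partial option 55 list; a truncated list would otherwise look like a different, possibly unknown, device.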