topic Re: HP Aruba Device fingerprinting with Cisco ISE 3.3 in Network Access Control

HP Aruba Device fingerprinting with Cisco ISE 3.3

jitendrac — Thu, 23 May 2024 13:13:11 GMT

Hi Community,

We are trying to achieve device profiling with HP Aruba 2930M AOS-S Switch16.10.

This Aruba OS uses a "Device fingerprinting" function to achieve device profiling, similar to Cisco's "Device Sensor" function in Cisco Switch.

For Device fingerprinting, it is mentioned that the Prerequisite to Sending Data to ClearPass is "radius-server cppm identity," which requires the username and password of ClearPass to send collected data.

Now, if I want to send this data to ISE 3.3, what should I do?

I believe in case of Cisco Switch. The switch gathers raw endpoint data from protocols such as CDP, LLDP & DHCP, and it is made available to ISE through RADIUS accounting messages using "device-sensor accounting" command.

Re: HP Aruba Device fingerprinting with Cisco ISE 3.3

Arne Bier — Thu, 23 May 2024 21:08:45 GMT

Oh wow - I don't think ISE is expecting to find profiling data in an Aruba AVPair - Aruba should have an option in the AOS switch to send that data in a Cisco AVPair instead. Maybe there is such an option? In ISE there is no configuration to tell ISE which RADIUS attributes to pick apart for profiling - it's assumed to be a Cisco AVPair in the RADIUS Interim-Accounting updates. And the Session ID is also crucial.

It would be interesting to ask the same question on the Aruba Airheads Community to see what they have to say ... Aruba wants you to use AOS & Clearpass and Cisco want you to use IOS & ISE ... obviously.

As you know, you can always just forward the DHCP Discovery packets (e.g. IOS "ip helper") to ISE and decode those with the ISE DHCP Probe. It's an option at least.

Re: HP Aruba Device fingerprinting with Cisco ISE 3.3

thomas — Fri, 24 May 2024 16:14:51 GMT

See for all of the probes and configuration details.

Re: HP Aruba Device fingerprinting with Cisco ISE 3.3

ahollifield — Wed, 29 May 2024 12:05:06 GMT

You don't. Aruba device fingerprinting the switch logs into ClearPass as an API user and uploads its data into the ClearPass endpoint database over HTTPS. This is why you must configure a username/password for ClearPass and have the switch trust ClearPass HTTP certificate. ISE has zero concept of this. You should look at using one of the other probe types like DHCP or SNMP.

Also FWIW, its far better to send this data to Aruba Central instead. It has much greater device information and visibility than the ClearPass profiler. Then sync those device profile tags as needed from Aruba Central to ClearPass.