Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1833
Views
0
Helpful
3
Replies

Aruba AP Profiling

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎07-09-2019 11:04 AM - last edited on ‎03-09-2022 10:55 PM by Community Manager

I ran in to very minor issue around profiling Aruba AP's and am looking to see if we can get this fixed at the source. ISE was not able to successfully profile an Aruba APIN0325 WAP because the MAC OUI was resolving to a different name than the Aruba parent policy is configured for.  So in short, the ArubaAP profile is nested under the Aruba-Device parent profile which doesn't get hit. It would be nice to see the profiler feed updated to address this.  

Parent profile: Aruba-Device
matches:  OUI CONTAINS ARUBA NETWORKS

Child profile: ArubaAP
matches: DHCP:dhcp-class-identifier EQUALS ArubaInstantAP OR DHCP:dhcpv6-vendor-class EQUALS ArubaInstantAP OR DHCP:dhcp-class-identifier EQUALS ArubaAP

The Aruba AP has a MAC address that begins with AC:A3:1E, and ISE is resolving this OUI as "Aruba, a Hewlett Packard Enterprise Company", not "Aruba Networks". The dhcp-class-identifier attribute is coming through correctly with ArubaAP, so when we make a slight adjustment to the parent profile, it then matches the child correctly.  

 

As a side discussion to this, I've seen this before with other products as well where the MAC OUI text changes and ISE no longer profiles it, is it normal for these to change?  

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎07-09-2019 01:11 PM

Please open a tac case and defect for fix

View solution in original post

0 Helpful

Go to solution
chyps
Level 1
Level 1
In response to Damien Miller

‎07-11-2019 07:50 PM

The IEEE maintains master OUI lists. These changes do happen from time to time such as here due to company mergers and acquisitions.  It happened about two years ago when many of the OUIs assigned to Apple were consolidated.  Consequently, many of the default ISE profiles based on original OUIs failed to match.  As you probably know, you can address using interim workaround by adding a custom condition to top-level Aruba-Device profile that matches on new OUI value (for example, STARTSWITH Aruba, or CONTAINS Aruba), but agree that ultimate fix would be via profile update. This is a case where you want to test Feed updates offline prior to production import/pull and why automated online feed can have unexpected/undesirable results. Ideally there would be a check for all OUI changes and determine if any impacted default Cisco provided profiles, thus necessitating profile update.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎07-09-2019 01:11 PM

Please open a tac case and defect for fix
0 Helpful

Go to solution
Damien Miller
VIP Alumni
VIP Alumni
In response to Jason Kunst

‎07-09-2019 04:46 PM

How often should the text of these change? Are we allowed to know where Cisco gets their OUI names?
0 Helpful

Go to solution
chyps
Level 1
Level 1
In response to Damien Miller

‎07-11-2019 07:50 PM

The IEEE maintains master OUI lists. These changes do happen from time to time such as here due to company mergers and acquisitions.  It happened about two years ago when many of the OUIs assigned to Apple were consolidated.  Consequently, many of the default ISE profiles based on original OUIs failed to match.  As you probably know, you can address using interim workaround by adding a custom condition to top-level Aruba-Device profile that matches on new OUI value (for example, STARTSWITH Aruba, or CONTAINS Aruba), but agree that ultimate fix would be via profile update. This is a case where you want to test Feed updates offline prior to production import/pull and why automated online feed can have unexpected/undesirable results. Ideally there would be a check for all OUI changes and determine if any impacted default Cisco provided profiles, thus necessitating profile update.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents