HP Aruba Device fingerprinting with Cisco ISE 3.3

jitendrac
Level 1

Hi Community,

We are trying to achieve device profiling with an HP Aruba 2930M AOS-S switch, version 16.10.

This Aruba OS uses a "Device fingerprinting" function to achieve device profiling, similar to Cisco's "Device Sensor" function in Cisco Switch.

For Device fingerprinting, it is mentioned that the Prerequisite to Sending Data to ClearPass is "radius-server cppm identity," which requires the username and password of ClearPass to send collected data.

Now, if I want to send this data to ISE 3.3, what should I do?

I believe that in the case of a Cisco switch, the switch gathers raw endpoint data from protocols such as CDP, LLDP and DHCP, and it is made available to ISE through RADIUS accounting messages using the "device-sensor accounting" command.

3 Replies

Arne Bier
VIP

Oh wow - I don't think ISE is expecting to find profiling data in an Aruba AVPair - Aruba should have an option in the AOS switch to send that data in a Cisco AVPair instead. Maybe there is such an option? In ISE there is no configuration to tell ISE which RADIUS attributes to pick apart for profiling - it's assumed to be a Cisco AVPair in the RADIUS Interim-Accounting updates. And the Session ID is also crucial.

It would be interesting to ask the same question on the Aruba Airheads Community to see what they have to say ... Aruba wants you to use AOS & ClearPass and Cisco wants you to use IOS & ISE ... obviously.

As you know, you can always just forward the DHCP Discovery packets (e.g. IOS "ip helper") to ISE and decode those with the ISE DHCP Probe. It's an option at least. 

thomas
Cisco Employee

See ISE Profiling Design Guide for all of the probes and configuration details.

You don't. With Aruba device fingerprinting, the switch logs into ClearPass as an API user and uploads its data into the ClearPass endpoint database over HTTPS. This is why you must configure a username/password for ClearPass and have the switch trust the ClearPass HTTP certificate. ISE has zero concept of this. You should look at using one of the other probe types like DHCP or SNMP.

Also FWIW, it's far better to send this data to Aruba Central instead. It has much greater device information and visibility than the ClearPass profiler. Then sync those device profile tags as needed from Aruba Central to ClearPass.
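
Both replies point to the DHCP probe as the workable route when a helper address forwards client DHCP packets to ISE. The following is an added example, not part of the thread and not ISE or Aruba code: a minimal Python decoder showing what a relayed DHCPDISCOVER exposes to a DHCP-based profiler. The sample packet, its values, and the choice of options shown (12, 53, 55, 60) are assumptions for illustration.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that follows the 236-byte BOOTP header

def parse_options(payload: bytes) -> dict:
    """Return {option_code: value_bytes} from a DHCP UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP payload")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:    # 255 = End
        if payload[i] == 0:                          # 0 = Pad, no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = opts.get(code, b"") + value     # RFC 3396: repeated codes concatenate
        i += 2 + length
    return opts

def profiling_attributes(payload: bytes) -> dict:
    """Pull out fields a DHCP-based profiler can key on (illustrative selection)."""
    opts = parse_options(payload)
    hlen = min(payload[2], 16)                       # hardware address length, capped at chaddr size
    return {
        "mac": payload[28:28 + hlen].hex(":"),                # chaddr
        "relay": ".".join(str(b) for b in payload[24:28]),    # giaddr, set by the helper
        "message_type": (opts.get(53) or b"\x00")[0],         # 1 = DISCOVER
        "hostname": opts.get(12, b"").decode("ascii", "replace"),
        "class_identifier": opts.get(60, b"").decode("ascii", "replace"),
        "parameter_request_list": list(opts.get(55, b"")),
    }

def sample_discover() -> bytes:
    """Constructed DHCPDISCOVER as relayed by a helper at 192.0.2.1 (all values made up)."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 1, 0x1234ABCD, 0, 0,
                         bytes(4), bytes(4), bytes(4), bytes([192, 0, 2, 1]),
                         bytes.fromhex("020000aabbcc"), b"", b"")
    def opt(code, value):
        return bytes([code, len(value)]) + value
    return (header + MAGIC + opt(53, b"\x01") + opt(12, b"printer-01")
            + opt(60, b"ExampleVendor Printer") + opt(55, bytes([1, 3, 6, 15, 44]))
            + b"\xff")

if __name__ == "__main__":
    for key, value in profiling_attributes(sample_discover()).items():
        print(f"{key}: {value}")
```

Everything decoded here is supplied by the client in cleartext and can be set to arbitrary values, so a profile derived from DHCP alone is a visibility aid rather than proof of device identity.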