About Device Insight
Policy Manager supports seamless integration between Policy Manager and Policy Manager Device Insight.
Notable Processes and Concepts
Prerequisites to Using Device Insight Integration
Changes in ClearPass Behaviors When Device Insight Integration is Enabled
Changes in the ClearPass User Interface When Device Insight Integration is Enabled
Introduction
If you have Policy Manager Device Insight, you have the option to enable Device Insight Integration in Policy Manager. With integration enabled, bidirectional metadata is exchanged, providing enhanced classification of endpoints connected to the network. When Policy Manager Device Insight is combined with Policy Manager for real-time enforcement, visibility, security, and compliance are greatly increased for all devices connecting to the network.
Aruba’s Policy Manager Device Insight solution is a cloud-hosted application that provides detailed device visibility, classification, and reporting. It uses active and passive discovery methods, deep-packet inspection, contextual information, behavioral analysis, and advanced machine learning to continuously discover, profile, and monitor devices. The Device Insight user interface provides granular visibility into the devices on your network.
Identifying Headless Devices
Identifying headless devices (commonly referred to as the Internet of Things, or IoT) can be challenging for traditional discovery methods: new products rapidly released by emerging vendors may be difficult to identify with standard discovery and profiling techniques, and devices such as the Raspberry Pi may be built with generic hardware and software while the individual devices serve a variety of different uses. Using traditional discovery and profiling techniques in such cases can result in partial or inaccurate profiling, making it difficult to apply appropriate policies.
Device Insight and Aruba Central
Policy Manager Device Insight is part of the Aruba Central Platform. It uses data collectors deployed on your network to continuously gather metadata from devices and send it to the Policy Manager Device Insight Analyzer, which analyzes the attributes and classifies the devices. Policy Manager Device Insight data collectors are available as hardware appliances or virtual appliances.
About Device Insight Integration Mode in Policy Manager
A simple setting in Policy Manager lets you integrate it with Device Insight (see Device Insight Integration Page). When Policy Manager Device Insight integration is enabled, a Policy Manager server also acts as a collector, and Policy Manager seamlessly switches to using Device Insight instead of Profiler for all device discovery and classification functionality. Data is automatically transmitted in both directions between Policy Manager and Device Insight, providing enhanced profiling and reporting. Policy Manager Device Insight also updates Policy Manager in real time if it detects a change in device classification. Such a change could be an indication of device spoofing and should be viewed as a security threat.
You can view all the resulting device information and reports in the Policy Manager Device Insight application. Policy Manager provides direct links to Policy Manager Device Insight from the Policy Manager Menu, from the Dashboard device widgets, and from the Device Insight Integration page. In Policy Manager, integration with Policy Manager Device Insight is disabled by default. You can enable, disable, and re-enable integration as you wish. When you disable integration, Policy Manager returns to using Profiler for device profiling. While integration is disabled, the Policy Manager server is still listed as a collector in Policy Manager Device Insight, but its status is shown as unreachable.
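As an added illustration of the classification-change indicator described above (example code, not ClearPass or Device Insight code), the following Python applies classification updates to a stand-in endpoint repository the way the sync service would, and raises an alert only when an already classified device changes category. The update format, MAC addresses, categories and tag names are constructed for the example.

```python
"""Added example (not ClearPass code): flag endpoints whose Device Insight
classification changes after they were already classified, which the page says
may indicate spoofing. The update format is constructed, not the real payload."""
from dataclasses import dataclass, field
UNCLASSIFIED = {"", "Unknown"}  # assumed placeholder values for "not yet classified"

@dataclass
class Endpoint:
    mac: str
    category: str = "Unknown"
    family: str = "Unknown"
    tags: set = field(default_factory=set)

class EndpointRepository:
    """Minimal stand-in for Policy Manager's endpoint repository."""
    def __init__(self):
        self.endpoints = {}
        self.alerts = []

    def apply_update(self, update):
        """Merge one classification update; return an alert dict or None."""
        mac = update["mac"].lower()  # normalise so the same device is never split
        ep = self.endpoints.setdefault(mac, Endpoint(mac))
        new_cat, new_fam = update["category"], update["family"]
        alert = None
        # A previously classified device that now reports a different
        # category (e.g. printer -> workstation) is the spoofing indicator.
        if ep.category not in UNCLASSIFIED and ep.category != new_cat:
            alert = {"mac": mac, "from": (ep.category, ep.family),
                     "to": (new_cat, new_fam), "ts": update["ts"]}
            self.alerts.append(alert)
        ep.category, ep.family = new_cat, new_fam
        if "tags" in update:  # Device Insight tags arrive as another attribute
            ep.tags = set(update["tags"])
        return alert

# Constructed sample updates, in the order the sync service would deliver them.
SAMPLE_UPDATES = [
    {"ts": 1, "mac": "00:11:22:33:44:55", "category": "Unknown", "family": "Unknown"},
    {"ts": 2, "mac": "00:11:22:33:44:55", "category": "Printer", "family": "Laser Printer", "tags": ["floor3"]},
    {"ts": 3, "mac": "AA:BB:CC:DD:EE:01", "category": "Medical Device", "family": "Infusion Pump", "tags": ["clinical"]},
    {"ts": 4, "mac": "00:11:22:33:44:55", "category": "Computer", "family": "Windows Workstation"},
    {"ts": 5, "mac": "aa:bb:cc:dd:ee:01", "category": "Medical Device", "family": "Infusion Pump"},
]

def run_sample():
    """Replay the constructed updates and return the populated repository."""
    repo = EndpointRepository()
    for upd in SAMPLE_UPDATES:
        repo.apply_update(upd)
    return repo

if __name__ == "__main__":
    for a in run_sample().alerts:
        print(f"ALERT {a['mac']}: {a['from']} -> {a['to']} at ts={a['ts']}")
```

Only the printer that re-appears as a Windows workstation is flagged; the first classification of an unknown device and a repeat of an unchanged classification are not.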
Notable Processes and Concepts
Take note of the following processes and concepts:
Collector Service, Sync Service, and Device Insight Analyzer
While integration is enabled, two subsystems in Policy Manager, the collector service and the sync service, handle data transfer between Policy Manager and Device Insight.
The collector service receives profile requests from various services in Policy Manager and acquires the device data. It consolidates the events from the Policy Manager server or Policy Manager cluster and sends them to Policy Manager Device Insight Analyzer. The collector service listens on port 6180.
The Policy Manager Device Insight Analyzer processes the device’s characteristics and its communication and behavior patterns. Using rules and machine learning, it matches those attributes to a set of known fingerprints and classifies the device.
The sync service then fetches the endpoint’s classification from the Analyzer and updates Policy Manager’s endpoint repository.
Updates happen in real time and are backed up by periodic polling. This polling interval is separate from the polling interval set in the Policy Manager Device Insight Integration configuration (see Table 1, Device Insight Integration Page Parameters), and can be adjusted in the
Device Insight Integration in a ClearPass Policy Manager Cluster
Device Insight Integration can be enabled on a single Aruba appliance, or on any appliance in a Policy Manager cluster:
If only a single appliance is enabled, the collector service and sync service run on the same appliance, which handles all required data exchanges and updates.
In a cluster, you designate one of the servers as the primary server. The collector service runs on all the appliances, and the subscribers forward their data to the primary server. The sync service runs only on the primary server in a cluster and is responsible for sending data to the Analyzer. All data exchanges with Policy Manager Device Insight go through the primary node.
Tags
In Policy Manager Device Insight, after you have filtered for devices that match your criteria, you can create a tag and use it to group similar devices together. Tags can only be applied to classified devices. The tag is added to each device in the group as another attribute and is sent to Policy Manager along with the other endpoint attributes. These tags are then available for filtering in > > and in Policy Manager Guest API Explorer > > , and can be used in services for role-mapping or enforcement policies.
OnGuard, Onboard, Endpoint Context Servers, and Extensions
If the Policy Manager deployment uses OnGuard, OnGuard’s posture and health-related data is also sent to Policy Manager Device Insight for reporting purposes. Similarly, if the deployment uses Onboard, the device information Onboard collects during the onboarding process is sent to Device Insight. Information collected through endpoint context servers or integrations with third-party ClearPass Extensions is also sent to Policy Manager Device Insight.
When Policy Manager Is Running in FIPS or Common Criteria (CC) Mode
When Policy Manager is running in FIPS or Common Criteria (CC) mode, only FIPS- or CC-approved ciphers are negotiated between Device Insight and Policy Manager. Device Insight is not included as part of Policy Manager’s Common Criteria validations. When Policy Manager is in Common Criteria (CC) mode, TLS 1.2 is enforced with RadSec, and TLS 1.0 and TLS 1.1 are no longer supported.
Prerequisites to Using Device Insight Integration
Note: A Policy Manager Access License is required in order to enable Device Insight Integration.
Before you enable Device Insight Integration in Policy Manager, complete the following prerequisites:
1. Ensure that your Policy Manager server has an Access License. This license is required to enable Device Insight integration.
2. Have a subscription in the Aruba Cloud Platform for ClearPass Device Insight.
3. Configure Policy Manager Device Insight Integration (for details, see Device Insight Integration Page).
4. Generate your and have it ready:
a. In Aruba Central, go to the page.
b. Click the link.
c. On the page, click .
5. Make the following changes to existing Policy Manager configurations:
Note: The Device Insight Integration page will provide a warning notification when you try to save it if any of these tasks have not been done.
a. Remove any custom fingerprints you have configured (for related information, see Updating Device Fingerprints From a Hosted Portal).
b. Remove any network scans you have configured (see Configuring Network Scans and Subnet Scans).
c. Remove any enforcement profiles that are configured with Nmap scans, SNMP scans, or OnDemand scans (see Configuring Enforcement Profiles and Configuring Network Scans and Subnet Scans).
d. Disable or remove any services that have audit servers enabled (see Configuring Common Services Using Service Templates and Configuring Other Policy Manager Services Manually or with Wizards).
Changes in ClearPass Behaviors When Device Insight Integration is Enabled
When Device Insight Integration is enabled on a Policy Manager server, the functionality of a number of Policy Manager features is replaced by features in Device Insight. If you disable Device Insight Integration, these features are restored:
1. Policy Manager stops using Policy Manager Profiler for fingerprinting and uses Device Insight Analyzer instead for in-depth data analysis. If you later disable integration, Policy Manager reverts to using Policy Manager Profiler for fingerprinting.
2. The following active scans are disabled:
Network scans (physical): Policy Manager network scans where a seed switch is identified as the scan root are not supported.
Subnet scans (logical): Policy Manager IP subnet scans are not supported.
On Demand scans (Context-Server-Action): OnDemand scans for hosts are not natively supported.
SSH scans: Native SSH scans are not supported.
WMI scans: Native WMI scans are not supported.
SNMP scans: Native SNMP scans are not supported.
Nmap scans: Native Nmap scans are not supported.
Context Server Action (CSA) scans: On Demand context server actions are not allowed.
3. When Device Insight integration is enabled, the audit server is disabled. At > , any service that includes an audit server configuration must be disabled or have its audit server configuration removed before Device Insight Integration is enabled (see Configuring Common Services Using Service Templates and Configuring Other Policy Manager Services Manually or with Wizards).
Changes in the ClearPass User Interface When Device Insight Integration is Enabled
When Device Insight Integration is enabled, several new options are added in the Policy Manager user interface and a number of standard features are removed:
1. In the Policy Manager Dashboard, the lists of device categories in the Device Category and Device Family widgets are enhanced to include the variety of device types that Device Insight can identify (for example, medical devices, barcode scanners, network cameras, and more). Each widget also includes a link to the Device Insight application.
2. At > > > , a new NetEvents target for the Device Insight primary server is added on all appliances in the cluster.
3. When Device Insight Integration is enabled, links directly to the Device Insight application are available on the Device Insight Integration page; in the Device Category, Device Family, and Device Insight Tags widgets in the Dashboard; and in the Policy Manager Menu in the upper-right corner of every Policy Manager page.
4. Policy Manager Device Insight tags are exposed wherever endpoint attributes are exposed in ClearPass service rules. They are available in service, role-mapping, and enforcement policy Rules Editors.
5. On the > > > > tab, if tags are available for an endpoint received from Device Insight, a Device Insight Tags field is added to the form to include them.
6. At > > , you can use the filter to search for devices.
The following changes are applicable to Policy Manager 6.10.0 and 6.10.1 only. Starting with Policy Manager 6.10.2, enabling Device Insight does not disable additional user interface elements.
1. The > section is removed from Policy Manager, along with all three pages under it: , , and . These device scans and the configuration options for them are available in the Device Insight application instead.
2. The > page is removed.
3. At > > > , the tab is removed, and is replaced by the tab.
4. On the > > > > tab, the and options are removed.
5. When Device Insight Integration is enabled, information collected by Policy Manager Insight is sent to Device Insight for analysis. Because some widgets and reports are then available in Device Insight instead, the corresponding dashboard widgets and report templates in Insight are removed.
6. On the > > > tab for an HTTP action, values match the trigger server actions that are listed for endpoints, and disabled values are not listed.
7. At > > , the action is removed.