Adding and Modifying Endpoints

Viewing the List of Authentication Endpoints

Policy Manager lists all authenticated endpoints. An endpoint device is an Internet-capable hardware device on a TCP/IP network (for example, laptops, smart phones, and tablets).

To access this page, navigate to Configuration > Identity > Endpoints.

Figure 1  Endpoints Page

Table 1: Endpoint Page Parameters

Parameter

Action/Description

Filter

You can choose to select ALL matches or ANY matches.

Then you can specify from one to three device filters to refine the endpoint information you wish to view.

Available filter types include: MAC Address, Hostname, IPv4 Address, IPv6 Address, Device Category, Device OS Family, Device Name, Status, Profiled, Static IP, Profiler Conflict, Added by, Description, Attribute and Randomized MAC Address.

Policy Manager allows searching for a MAC address in any of the known formats:

112233AABBCC

11:22:33:aa:bb:cc

11-22-33-AA-BB-CC

1111-2222-3333

1111.2222.3333

MAC Address

Displays the MAC address of the endpoint.

Hostname

Specifies the host name of the endpoint.

Device Category

Indicates the category of the profiled device. For example, Access Points, Computer, Smart Device, VoIP phone, and so on.

Device OS Family

Specifies the operating system the device runs on. For example, when the category is Computer, Policy Manager shows a Device OS Family of Windows, Linux, or macOS.

Status

Displays the status of the endpoint:

Unknown

Known client

Unknown client

Disabled client

Profiled

Indicates whether the device has been added to the Policy Manager profile.

Filtering for Specific Devices Using Device Insight Tags

Policy Manager allows you to use Device Insight tags to filter for specific device types, as illustrated in the following example:

Figure 2  Filtering for Devices Using Device Insight Tags

The device types you can currently filter on using Device Insight tags are as follows:

Apple Mac

Apple smart device, Smart Device

Gaming, Nintendo Gaming

Gaming, Sony Gaming

Kindle, Smart Device

Smart Device

Blackberry, Blackberry smart device, Smart Device

Manually Adding an Endpoint

To manually add an endpoint:

1. From the Configuration > Identity > Endpoints page, click the Add link.

The Add Endpoint page opens.

Figure 3  Add Endpoint Page

2. Specify the Add Endpoint page parameters as described in the following table, then click Save:

Table 2: Add Endpoint Page Parameters

Parameter

Action/Description

MAC Address

Specify the MAC address of the endpoint.

NOTE: IEEE has introduced 7- and 9-character MAC Organizationally Unique Identifiers (OUIs). The OUI is the part of the MAC address that identifies the network adapter vendor. The OUI is the first three bytes of the six-byte MAC field and is administered by the IEEE. In turn, ClearPass has been enhanced to support these new longer MAC OUIs.

Description

Enter a description that provides additional information about the endpoint (recommended).

Status

Specify the client status as:

Known client

Unknown client

Disabled client

You can use the Known client and Unknown client status in role-mapping rules by specifying the Authentication:MacAuth attribute.

You can use the Disabled client status to block access to a specific endpoint. This status is automatically set when an endpoint is blocked from the Endpoint Profiler.

Attributes

Add custom attributes for this endpoint.

Select the Click to add... row to add custom attributes.

You can enter any name in the attribute field. All attributes are of String datatype.

The Value field can also be populated with any string.

Each time you enter a new custom attribute, it is available for selection in the Attribute drop-down list for all endpoints. All attributes entered for an endpoint are available in the role-mapping Rules Editor.
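As an added example (not ClearPass code), the following Python normalizer accepts the five MAC address formats listed in the Filter row of Table 1, extracts the vendor prefix at the 6-, 7- and 9-character OUI lengths the note in Table 2 mentions, and flags addresses whose locally administered bit is set, which is what a randomized MAC looks like to the Randomized MAC Address filter. The vendor prefix table is constructed for illustration and is not the IEEE registry.

```python
import re
from typing import Optional, Tuple

# Constructed vendor prefix table for illustration only (not the IEEE registry).
# Keys are upper-case hex prefixes of 6 (24-bit), 7 (28-bit) or 9 (36-bit)
# characters, matching the 6-, 7- and 9-character OUIs the note refers to.
VENDOR_PREFIXES = {
    "112233": "Example Vendor A (24-bit block)",
    "112233AAB": "Example Vendor B (36-bit block carved from the same 24-bit block)",
    "0C1B2C3": "Example Vendor C (28-bit block)",
}

# The five MAC address formats the Endpoints filter accepts.
MAC_FORMATS = {
    "plain": re.compile(r"^[0-9a-f]{12}$"),                         # 112233AABBCC
    "colon": re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$"),       # 11:22:33:aa:bb:cc
    "hyphen": re.compile(r"^(?:[0-9a-f]{2}-){5}[0-9a-f]{2}$"),      # 11-22-33-AA-BB-CC
    "hyphen-quad": re.compile(r"^(?:[0-9a-f]{4}-){2}[0-9a-f]{4}$"), # 1111-2222-3333
    "dot-quad": re.compile(r"^(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}$"),   # 1111.2222.3333
}


def normalize_mac(text: str) -> Tuple[str, str]:
    """Return (12 lowercase hex digits, format name) or raise ValueError.
    Mixed or inconsistent separators are rejected rather than silently stripped."""
    s = text.strip().lower()
    for name, pattern in MAC_FORMATS.items():
        if pattern.match(s):
            return re.sub(r"[:.\-]", "", s), name
    raise ValueError(f"not a recognized MAC address format: {text!r}")


def oui(mac12: str, length: int = 6) -> str:
    """Vendor prefix of a normalized MAC: 6 (24-bit), 7 (28-bit) or 9 (36-bit) hex chars."""
    if length not in (6, 7, 9):
        raise ValueError("OUI length must be 6, 7 or 9 hex characters")
    return mac12[:length].upper()


def vendor_of(mac12: str) -> Optional[str]:
    """Longest-prefix match: a 36-bit block wins over the 28- and 24-bit blocks it sits in."""
    for length in (9, 7, 6):
        hit = VENDOR_PREFIXES.get(oui(mac12, length))
        if hit:
            return hit
    return None


def is_locally_administered(mac12: str) -> bool:
    """True when the U/L bit (bit 1 of the first octet) is set. Randomized
    (privacy) MAC addresses set this bit, so a vendor lookup is meaningless."""
    return bool(int(mac12[:2], 16) & 0x02)


def describe(text: str) -> dict:
    """Normalize one filter input and report what an endpoint record would show."""
    mac12, fmt = normalize_mac(text)
    randomized = is_locally_administered(mac12)
    return {
        "mac": mac12,
        "format": fmt,
        "randomized": randomized,
        "vendor": None if randomized else vendor_of(mac12),
    }


if __name__ == "__main__":
    for sample in ("112233AABBCC", "11:22:33:aa:bb:cc", "11-22-33-AA-BB-CC",
                   "1111-2222-3333", "1111.2222.3333", "d2:11:22:33:44:55"):
        print(describe(sample))
```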

Support for Empty Values for Optional Endpoint Attributes

Policy Manager supports empty values for optional endpoint attributes when they are added through the user interface, an XML import, or the API:

When empty optional attributes are added to an endpoint through the user interface at Configuration > Identity > Endpoints, all attribute data types are supported except Boolean, Day, List, and TimeOfDay.

When empty optional attributes are added through an XML import or through the API, all data types are supported.

Empty attributes are not valid if the Is Mandatory attribute is set to true.

The EXISTS operator will not work in rule conditions for an attribute of the integer data type if the attribute has empty values. It does, however, work for all other data types.

If the value of an optional endpoint attribute is set to -For-Delete- in the import file, the attribute is marked for delete.

Modifying an Endpoint

To modify an endpoint:

1. From the Configuration > Identity > Endpoints page, click the endpoint of interest from the list of endpoints.

The Edit Endpoint page opens.

Figure 4  Edit Endpoint Page

The Edit Endpoint page parameters are described in the following table:

Table 3: Edit Endpoint Page Parameters

Parameter

Action/Description

MAC Address

Displays the MAC address of the endpoint.

NOTE: IEEE has introduced 7- and 9-character MAC Organizationally Unique Identifiers (OUIs) in addition to 6-character MAC OUIs. The OUI is the part of the MAC address that identifies the actual network adapter vendor. The OUI is the first three bytes of the six-byte MAC field, and is administered by the IEEE. In turn, ClearPass has been enhanced to support these new longer MAC OUIs in addition to existing 6-character MAC OUIs.

Description

Enter a description that provides additional information about the endpoint (recommended).

Status

Indicates the status of the selected endpoint as one of the following:

Known client

You can use the Known client and Unknown client status in role-mapping rules by applying the Authentication:MacAuth attribute.

Unknown client

Disabled client

You can use the Disabled client status to block access to a specific endpoint. This status is automatically set when an endpoint is blocked from the Endpoint Profiler.

MAC Vendor

Displays the MAC OUI (Organizationally Unique Identifier) information for all endpoints even when no other profiling information is available for an endpoint.

Added by

Displays the name of the admin user ID that added the endpoint.

Online Status

Displays the online status of the endpoint:

Online

Offline

Not Available

Connection Type

Indicates the connection type; for example, Wireless.

If the connection type is not known, the connection type is displayed as Unknown.

Switch IP

Indicates the switch IP address.

Switch Port

Indicates the port on the switch.

IP Address

Displays the IP address that is associated with the endpoint.

Static IP

Indicates whether the IP address of the endpoint is a static IP address (True or False).

Hostname

Displays the host name or the IP address of the endpoint.

Device Category

From the drop-down list, select the device category that the endpoint belongs to.

Device OS Family

Specify the operating system that the endpoint runs on.

Device Name

Select the name of the device from the drop-down list.

Device Insight Tags

Displays the Device Insight tags created on this server.

Device Insight tags are used to group similar devices together (for more information, see About Device Insight).

Added At

Displays the date and time at which the endpoint was added.

Last Profiled At

Displays the date and time at which the endpoint was added to the Policy Manager Profile.

Profiler Conflict Details

NOTE: The Profiler Conflict Details section is shown when Policy Manager detects a different Device OS Family and/or Device Category than what was previously specified.

Other Category

Indicates the new Device Category that was detected but does not match.

Other Family

Indicates the new Device OS Family that was detected but does not match.

Other Name

Indicates the new MAC Vendor that was detected but does not match.

Resolve Conflict

Select one of the following conflict resolution options:

Ignore this fingerprint: Ignore the new Device Category and/or the Device OS Family and retain the current Category and/or Family.

Use this fingerprint: Use the new Category and/or Family and reject the previously profiled Category and/or Family specified for this device.

Resolve later: Postpone the decision and let the device be in conflict.

Configuring the Attributes for the Selected Endpoint

To configure the endpoint attributes for the selected endpoint:

1. From the Edit Endpoint page, select the Attributes tab.

The Edit Endpoint Attributes tab displays the set of endpoint attributes currently configured on the Policy Manager server.

Figure 5  Endpoint Attributes Currently Configured

2. To add attributes for the selected endpoint, scroll to the bottom of the list, then select Click to add...

A new row is created with a drop-down list in the Attribute column.

3. To add an attribute to the endpoint, select one or more attributes from the drop-down list, then click Save.

JAMF Endpoint Context Server "Group Name" Attribute

For JAMF endpoint context servers, the Group Name endpoint attribute allows a device’s contextual data to be used during session authorization to determine the device’s access.

The Group Name endpoint attribute is dynamically retrieved from the JAMF Endpoint Context Server and made available in the Endpoint attributes list. The information is mapped to comma-separated values of the Group Name attribute.

Figure 6  JAMF Endpoint Context Server "Group Name" Attribute

Airwatch "Group ID" and "Group Name" Endpoint Attributes

The LocationGroupName and LocationGroupID attributes are fetched from an Airwatch server. These attributes are mapped to the corresponding Group Name and Group ID endpoint attributes.

Figure 7  Airwatch "Group ID" and "Group Name" Endpoint Attributes

Airwatch "Compliance" Attribute

The Compliance attribute is fetched from an Airwatch server and made available in the Endpoint attributes list. The values for the Compliance attribute are:

NotAvailable

NonCompliant

Compliant

Viewing the Endpoint Device Fingerprint Details

The information displayed in the Edit Endpoint > Device Fingerprints page varies depending on what type of device is selected and whether an Nmap-based network discovery scan has been run (see Configuring SNMP, SSH, and WMI Credentials).

To obtain the list of processes running on the Windows endpoint:

1. Navigate to Administration > Server Manager > Server Configuration.

The Server Configuration page opens.

2. Click the Cluster-Wide Parameters link.

The Cluster-Wide Parameters page opens.

3. As shown in Figure 8, ensure that the Cluster-Wide parameters Enable Endpoint Port Scans Using Nmap and Enable Endpoint Scan Using WMI are set to True, then click Save (for details on these parameters, see Profiler Parameters).

Figure 8  Cluster-Wide Parameters > Profiler Tab

4. Navigate to the Configuration > Identity > Endpoints page.

5. Click the endpoint of interest from the list of endpoints.

As shown in Figure 9, the Endpoint Fingerprints Details page shows the open ports and services running for the selected Windows endpoint:

Figure 9  Endpoint Device Fingerprint Details Page

6. Additionally, to obtain the list of active and inactive Windows services on the Windows endpoint, Policy Manager Insight must be enabled on the Policy Manager server (for more information, refer to Table 1: Server Configuration > System Page Parameters in System Page).

Figure 10 shows the Endpoint Fingerprint Details Active Services information:

Figure 10  Endpoint Fingerprint Details with Active and Inactive Services Listed

In addition to the Active Services shown in Figure 10, the Device Fingerprints > Endpoint Fingerprint Details screen includes the following information:

Host Open Ports

Host Services

Inactive Services

MAC Vendor

Open Ports

Processes

WMI OS Name

Viewing Endpoint Authentication Details

To view the authentication details of an endpoint:

1. From the Configuration > Identity > Endpoints page, select an endpoint by clicking the corresponding check box.

The Authentication Records button is now enabled.

2. Click the Authentication Records button.

The Endpoint Authentication Details page opens.

Figure 11  Endpoint Authentication Details

Performing Bulk Updates of Endpoint Attributes

You can perform bulk updates of endpoint attributes, either for a single endpoint or for multiple endpoints simultaneously.

To perform bulk updates of endpoint attributes:

1. From the Configuration > Identity > Endpoints page, select one or more endpoints by clicking the corresponding check boxes.

The Bulk Update button is now enabled.

NOTE: In network discovery, when endpoints do not have a MAC address, Policy Manager creates MAC addresses for them that include the prefix xa.

2. Click the Bulk Update button.

The Bulk Update Attributes dialog opens.

Figure 12  Configuring Bulk Update Attributes

3. To select an attribute you want to update, select Click to add, select the attribute from the Attribute list, and then specify its Value.

4. Repeat the selection process for all the attributes you want to update, then click Update.

The multiple attributes that were configured will be updated on all the selected endpoints at once.

Performing Bulk Deletions of Endpoint Attributes

Policy Manager supports bulk deletion of endpoint attributes.

To use this feature:

1. Navigate to Configuration > Identity > Endpoints.

The Endpoints page opens.

Figure 13  Endpoints Page and Bulk Delete Button

2. Select the check box(es) of one or more endpoints in the list from which you wish to delete multiple attributes.

3. Click the Bulk Delete button.

The Bulk Delete Attributes dialog is displayed.

Figure 14  Endpoints: Bulk Delete Attributes Dialog

4. To select the endpoint attributes to be deleted, select the Click to add link.

Figure 15  Selecting Endpoint Attributes for Bulk Deletion

5. From the Attribute drop-down, select the attributes (one attribute per line) that you wish to delete from the specified endpoints, then click Delete.

Triggering Actions to Be Performed on Endpoints

You can trigger endpoint actions for a single endpoint or for multiple endpoints simultaneously. To trigger actions that are to be performed on selected endpoints:

1. From the Configuration > Identity > Endpoints page, select one or more endpoints from the Endpoints page by clicking the corresponding check boxes. The Trigger Server Action button is now enabled.

2. Click the Trigger Server Action button. The Trigger Server Action page opens.

Figure 16  Endpoints Trigger Server Action Page

3. Specify the Trigger Server Action page parameters as described in the following table, then click Start Action.

Table 4: Trigger Server Action Page Parameters

Parameter

Action/Description

Server Action

Select the server action from the drop-down list. The available server actions are as follows:

Check Point Login - AD User

Check Point Login - Guest User

Check Point Logout

Fortinet Login

Fortinet Logout

Handle AirGroup Time Sharing

Infoblox Login

Nmap Scan

OnDemand Endpoint Scan

SNMP Scan

Store Attributes in zone cache

NOTE: Starting with Policy Manager 6.10.2, the Policy Manager server no longer needs to have Device Insight integration disabled in order to perform an OnDemand Endpoint Scan. In Policy Manager 6.10.0 and 6.10.1, when Device Insight Integration is enabled, the OnDemand Endpoint Scan option is not available (for more information, see Device Insight Integration Page).

Context Server

Enter a valid context server name, either an IP address or a domain name.

Server Type

Indicates the server type specified when the server was configured (for example, Generic HTTP Context Server).

Action Description

Describes the action that will take place on the endpoint (for example, "Inform Check Point that user logged in.").

Once the action is complete, a popup window displays the results of the action. The following image shows the results of an Nmap scan.

Figure 17  Results of a Trigger Server Action (Nmap Scan)

Updating Device Fingerprints From a Hosted Portal

You can update device fingerprints for a single endpoint or for multiple endpoints simultaneously. If you configure custom fingerprints, the custom fingerprint always takes precedence over the dynamically pushed system fingerprint.

To update device fingerprints from a hosted portal:

1. From the Configuration > Identity > Endpoints page, select one or more endpoints by clicking the corresponding check boxes. Selecting an endpoint enables the Update Fingerprint button.

2. Click the Update Fingerprint button.

3. The Update Device Fingerprint page opens, displaying two update types, Override fingerprint and Add fingerprint rule.

Override Fingerprint Option

By default, the Update Type is set to Override fingerprint (see Figure 18).

Figure 18  Update Device Fingerprint Page: Override Fingerprint

NOTE: When a new fingerprint override rule is defined, an entry is added to the Audit Viewer.

Specify the Update Device Fingerprint page parameters as described in the following table, then click Save:

Table 5: Update Device Fingerprint Parameters

Parameter

Action/Description

Update Type

Select one of the following update types:

Override fingerprint: Update the device profile details (device category, device OS family, and device name) for the selected endpoint.

Add fingerprint rule: Update the device profile with a new fingerprint rule. This information is displayed at the bottom of the Update Device Fingerprint page, as shown in Figure 19.

Reset Fingerprint: Reset fingerprint data for the selected endpoints.

Specify Device Profile Details

Device Category

Select the category the profiled device belongs to.

Device OS Family

Select the operating system configured on the device.

Device Name

Enter the name of the device or select the name of the device from the drop-down list.

Add Fingerprint Rule Option

To add a fingerprint rule:

1. In the Update Device Fingerprint screen, set the Update Type field to Add Fingerprint Rule. The Device fingerprint selected from section appears, as shown in Figure 19.

Figure 19  Update Device Fingerprint Page: Add Fingerprint Rule

2. In the Specify device classification details section, select device details as described in Table 5.

3. In the Device fingerprint selected from section, select the fingerprint rule you want to edit. You can edit the following components of each fingerprint rule:

Name: Click the drop-down menu and select the name of a device fingerprint type.

Operator: Select from the options Contains all, Contains, and Not Contains to include the specified values in, or exclude them from, the rule.

Value: Add values to or delete values from the selected rule.

4. Click Save.

NOTE: When a new fingerprint rule is defined, an entry is added to the Audit Viewer.