Adding and Modifying Endpoints
Viewing the List of Authentication Endpoints
Policy Manager lists all authenticated endpoints. An endpoint device is an Internet-capable hardware device on a TCP/IP network (for example, laptops, smart phones, and tablets).
To access this page, navigate to Configuration > Identity > Endpoints.
Figure 1 Endpoints Page
| Parameter | Action/Description |
| --- | --- |
| Filter | You can choose to select or . Then you can specify from one to three device filters to refine the endpoint information you wish to view. Available filter types include MAC Address, Hostname, IPv4 Address, and so on. Policy Manager allows searching for a MAC address in any of the known formats: 112233AABBCC, 11:22:33:aa:bb:cc, 11-22-33-AA-BB-CC, 1111-2222-3333, 1111.2222.3333. |
|  | Displays the MAC address of the endpoint. |
| Hostname | Specifies the host name of the endpoint. |
| Device Category | Indicates the category of the profiled device (for example, Access Points, Computer, Smart Device, VoIP phone, and so on). |
| Device OS Family | Specifies the operating system the device runs on. For example, when the category is Computer, Policy Manager shows a Device OS Family of Windows, Linux, or macOS. |
| Status | Displays the status of the endpoint: Unknown, Known client, Unknown client, or Disabled client. |
| Profiled | Indicates whether the device has been added to the Policy Manager profile. |
Filtering for Specific Devices Using Device Insight Tags
Policy Manager allows you to use Device Insight tags to filter for specific device types, as illustrated in the following example:
Figure 2 Filtering for Devices Using Device Insight Tags
The device types that you can currently filter for using Device Insight tags are as follows:
Apple Mac
Apple smart device, Smart Device
Gaming, Nintendo Gaming
Gaming, Sony Gaming
Kindle, Smart Device
Smart Device
Blackberry, Blackberry smart device, Smart Device
Manually Adding an Endpoint
To manually add an endpoint:
1. From the > > page, click the Add link.
The page opens.
Figure 3 Add Endpoint Page
2. Specify the page parameters as described in the following table, then click :
| Parameter | Action/Description |
| --- | --- |
|  | Specify the MAC address of the endpoint. IEEE has introduced MAC Organizationally Unique Identifiers (OUIs) of 7 and 9 characters in length. The OUI is the part of the MAC address that identifies the network adapter vendor; it is the first three bytes of the six-byte MAC field and is administered by the IEEE. ClearPass has been enhanced to support these new, longer MAC OUIs. |
| Description | Enter a description that provides additional information about the endpoint (recommended). |
| Status | Specify the client status as Known client, Unknown client, or Disabled client. You can use the and status in role-mapping rules by specifying the attribute. You can use the status to block access to a specific endpoint. This status is automatically set when an endpoint is blocked from the . |
| Attributes | Add custom attributes for this endpoint. Select the Click to add... row to add custom attributes. You can enter any name in the attribute field. All attributes are of String datatype. The Value field can also be populated with any string. Each time you enter a new custom attribute, it is available for selection in the drop-down list for all endpoints. All attributes entered for an endpoint are available in the role-mapping Rules Editor. |
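As an added illustration (not ClearPass code), the following Python normalizes a MAC address written in any of the five formats the Filter parameter accepts, extracts the 6-, 7- or 9-character OUI prefix referred to under the MAC address parameter, and compares stored endpoint MACs against a filter string regardless of spelling. The function names and the sample endpoint list are assumptions of this example.

```python
import re
from collections import Counter

# The five MAC spellings the Endpoints page filter accepts:
#   112233AABBCC  11:22:33:aa:bb:cc  11-22-33-AA-BB-CC  1111-2222-3333  1111.2222.3333
_MAC_FORMS = (
    re.compile(r"^[0-9a-f]{12}$"),                     # 112233aabbcc
    re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$"),   # 11:22:33:aa:bb:cc
    re.compile(r"^[0-9a-f]{2}(?:-[0-9a-f]{2}){5}$"),   # 11-22-33-aa-bb-cc
    re.compile(r"^[0-9a-f]{4}(?:-[0-9a-f]{4}){2}$"),   # 1111-2222-3333
    re.compile(r"^[0-9a-f]{4}(?:\.[0-9a-f]{4}){2}$"),  # 1111.2222.3333
)

# OUI prefix lengths in hex digits: the classic 6-character (24-bit) OUI plus
# the 7- and 9-character IEEE assignments that ClearPass also accepts.
OUI_HEX_LENGTHS = (6, 7, 9)


def normalize_mac(text):
    """Return the canonical 12-hex-digit upper-case form of a MAC written in
    any of the known formats, or None if the text matches none of them."""
    s = text.strip().lower()
    if not any(form.match(s) for form in _MAC_FORMS):
        return None
    return re.sub(r"[^0-9a-f]", "", s).upper()


def mac_oui(text, hex_len=6):
    """Return the vendor prefix (OUI) of a MAC at one of the supported lengths."""
    if hex_len not in OUI_HEX_LENGTHS:
        raise ValueError("OUI length must be one of %r hex digits" % (OUI_HEX_LENGTHS,))
    mac = normalize_mac(text)
    if mac is None:
        raise ValueError("not a MAC address in a known format: %r" % text)
    return mac[:hex_len]


def matches_mac_filter(endpoint_mac, filter_text):
    """Format-insensitive comparison: an endpoint stored as 11-22-33-AA-BB-CC
    matches a filter typed as 1122.33aa.bbcc."""
    stored, wanted = normalize_mac(endpoint_mac), normalize_mac(filter_text)
    return stored is not None and stored == wanted


def count_by_oui(endpoint_macs, hex_len=6):
    """Count endpoints per vendor prefix; entries that are not valid MACs are
    reported under the key None instead of aborting the whole pass."""
    counts = Counter()
    for raw in endpoint_macs:
        mac = normalize_mac(raw)
        counts[mac[:hex_len] if mac else None] += 1
    return dict(counts)


if __name__ == "__main__":
    # Constructed sample endpoint list, not data from any real deployment.
    endpoints = ["112233AABBCC", "11:22:33:aa:bb:cd", "1122-33aa-bbce",
                 "1111.2222.3333", "not-a-mac"]
    for raw in endpoints:
        print("%-20s -> %s" % (raw, normalize_mac(raw)))
    print(count_by_oui(endpoints))
```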
Support for Empty Values for Optional Endpoint Attributes
Policy Manager supports empty values for optional endpoint attributes when they are added through the user interface, an XML import, or the API:
When empty optional attributes are added to an endpoint through the user interface at > > , all attribute data types are supported except Boolean, Day, List, and TimeOfDay.
When empty optional attributes are added through an XML import or through the API, all data types are supported.
Empty attributes are not valid if the attribute is set to . The EXISTS operator will not work in rule conditions for an attribute of the integer data type if the attribute has empty values. It does, however, work for all other data types.
If the value of an optional endpoint attribute is set to in the import file, the attribute is marked for delete.
Modifying an Endpoint
To modify an endpoint:
1. From the > > page, click the endpoint of interest from the list of endpoints.
The Edit Endpoint page opens.
Figure 4 Edit Endpoint Page
The page parameters are described in the following table:
| Parameter | Action/Description |
| --- | --- |
|  | Displays the MAC address of the endpoint. IEEE has introduced MAC Organizationally Unique Identifiers (OUIs) of 7 and 9 characters in length in addition to 6-character MAC OUIs. The OUI is the part of the MAC address that identifies the actual network adapter vendor; it is the first three bytes of the six-byte MAC field and is administered by the IEEE. ClearPass has been enhanced to support these new, longer MAC OUIs in addition to the existing 6-character MAC OUIs. |
| Description | Enter a description that provides additional information about the endpoint (recommended). |
| Status | Indicates the status of the selected endpoint as one of the following. You can use the client and client status in role-mapping rules by applying the attribute. You can use the status to block access to a specific endpoint. This status is automatically set when an endpoint is blocked from the Endpoint Profiler. |
|  | Displays the MAC OUI (Organizationally Unique Identifier) information for all endpoints, even when no other profiling information is available for an endpoint. |
| Added by | Displays the name of the admin user ID that added the endpoint. |
| Online Status | Displays the online status of the endpoint. |
| Connection Type | Indicates the connection type (for example, ). If the connection type is not known, it is displayed as Unknown. |
| Switch IP | Indicates the switch IP address. |
| Switch Port | Indicates the port on the switch. |
| IP Address | Displays the IP address that is associated with the endpoint. |
| Static IP | Indicates whether the IP address of the endpoint is a static IP address ( or ). |
| Hostname | Displays the host name or the IP address of the endpoint. |
| Device Category | From the drop-down list, select the device category that the endpoint belongs to. |
| Device OS Family | Specify the operating system that the endpoint runs on. |
| Device Name | Select the name of the device from the drop-down list. |
| Device Insight Tags | Displays the Device Insight tags created on this server. Device Insight tags are used to group similar devices together (for more information, see About Device Insight). |
| Added At | Displays the date and time at which the endpoint was added. |
| Last Profiled At | Displays the date and time at which the endpoint was added to the Policy Manager Profile. |

The Profiler Conflict Details section is shown when Policy Manager detects a different Device OS Family and/or Device Category than what was previously specified.

| Parameter | Action/Description |
| --- | --- |
| Other Category | Indicates the new Device Category that was detected but does not match. |
| Other Family | Indicates the new Device OS Family that was detected but does not match. |
| Other Name | Indicates the new MAC Vendor that was detected but does not match. |
| Resolve Conflict | Select one of the following conflict resolution options. Ignore this fingerprint: ignore the new Device Category and/or Device OS Family and retain the current Category and/or Family. Use this fingerprint: use the new Category and/or Family and reject the previously profiled Category and/or Family specified for this device. Resolve later: postpone the decision and leave the device in conflict. |
Configuring the Attributes for the Selected Endpoint
To configure the endpoint attributes for the selected endpoint:
1. From the page, select the tab.
The tab displays the set of endpoint attributes currently configured on the Policy Manager server.
Figure 5 Endpoint Attributes Currently Configured
2. To add attributes for the selected endpoint, scroll to the bottom of the list, then select
A new row is created with a drop-down list in the column.
3. To add an to the endpoint, select one or more attributes from the drop-down list, then click .
JAMF Endpoint Context Server "Group Name" Attribute
For JAMF endpoint context servers, the endpoint attribute allows a device's contextual data to be used during session authorization to determine the device's access. The endpoint attribute is dynamically retrieved from the JAMF Endpoint Context Server and made available in the Endpoint attributes list. The information is mapped to comma-separated values of the attribute.
Figure 6 JAMF Endpoint Context Server "Group Name" Attribute
Airwatch "Group ID" and "Group Name" Endpoint Attributes
The and attributes are fetched from an Airwatch server. These attributes are mapped to the corresponding and endpoint attributes.
Figure 7 Airwatch "Group ID" and "Group Name" Endpoint Attributes
Airwatch "Compliance" Attribute
The attribute is fetched from an Airwatch server and made available in the Endpoint attributes list. The values for the attribute are:
Viewing the Endpoint Device Fingerprint Details
The information displayed in the > page varies depending on what type of device is selected and whether an Nmap-based network discovery scan has been run (see Configuring SNMP, SSH, and WMI Credentials).
To obtain the list of processes running on the Windows endpoint:
1. Navigate to > > .
The page opens.
2. Click the link.
The page opens.
3. As shown in Figure 8, ensure that the Cluster-Wide parameters Enable Endpoint Port Scans Using Nmap and Enable Endpoint Scan Using WMI are set to , then click (for details on these parameters, see Profiler Parameters).
Figure 8 Cluster-Wide Parameters > Profiler Tab
4. Navigate to the > > page.
5. Click the endpoint of interest from the list of endpoints.
As shown in Figure 9, the page shows the open ports and services running for the selected Windows endpoint:
Figure 9 Endpoint Device Fingerprint Details Page
6. Additionally, to obtain the list of active and inactive Windows services on the Windows endpoint, Policy Manager Insight must be enabled on the Policy Manager server (for more information, refer to Table 1 : Server Configuration > System Page Parameters in System Page).
Figure 10 shows the Active Services information:
Figure 10 Endpoint Fingerprint Details with Active and Inactive Services Listed
In addition to the shown in Figure 10, the > screen includes the following information:
Host Open Ports
Host Services
Inactive Services
Open Ports
Processes
Viewing Endpoint Authentication Details
To view the authentication details of an endpoint:
1. From the > > page, select an endpoint by clicking the corresponding check box.
The Authentication Records button is now enabled.
2. Click the Authentication Records button.
The Endpoint Authentication Details page opens.
Figure 11 Endpoint Authentication Details
Performing Bulk Updates of Endpoint Attributes
You can perform bulk updates of endpoint attributes, either for a single endpoint or for multiple endpoints simultaneously.
To perform bulk updates of endpoint attributes:
1. From the > > page, select one or more endpoints by clicking the corresponding check boxes.
The Bulk Update button is now enabled.
In network discovery, when endpoints do not have a MAC address, Policy Manager creates MAC addresses for them that include the prefix .
2. Click the Bulk Update button.
The Bulk Update Attributes dialog opens.
Figure 12 Configuring Bulk Update Attributes
3. To select an attribute you want to update, select , select the attribute from the list, and then specify its .
4. Repeat the selection process for all the attributes you want to update, then click .
The multiple attributes that were configured will be updated on all the selected endpoints at once.
Performing Bulk Deletions of Endpoint Attributes
Policy Manager supports bulk deletion of endpoint attributes.
To use this feature:
1. Navigate to > > .
The page opens.
Figure 13 Endpoints Page and Bulk Delete Button
2. Select the check box(es) of one or more endpoints in the list from which you wish to delete multiple attributes.
3. Click the button.
The dialog is displayed.
Figure 14 Endpoints: Bulk Delete Attributes Dialog
4. To select the endpoint attributes to be deleted, select the link.
Figure 15 Selecting Endpoint Attributes for Bulk Deletion
5. From the drop-down, select the attributes (one attribute per line) that you wish to delete from the specified endpoints, then click .
Triggering Actions to Be Performed on Endpoints
You can trigger endpoint actions for a single endpoint or for multiple endpoints simultaneously. To trigger actions that are to be performed on selected endpoints:
1. From the > > page, select one or more endpoints from the page by clicking the corresponding check boxes. The Trigger Server Action button is now enabled.
2. Click the Trigger Server Action button. The page opens.
Figure 16 Endpoints Trigger Server Action Page
3. Specify the page parameters as described in the following table, then click .
| Parameter | Action/Description |
| --- | --- |
| Server Action | Select the server action from the drop-down list. The available server actions are: Check Point Login - AD User; Check Point Login - Guest User; Check Point Logout; Fortinet Login; Fortinet Logout; Infoblox Login; OnDemand Endpoint Scan; Store Attributes in zone cache. Starting with Policy Manager 6.10.2, the Policy Manager server no longer needs to have Device Insight integration disabled in order to perform an OnDemand Endpoint Scan. In Policy Manager 6.10.0 and 6.10.1, when is enabled, the OnDemand Endpoint Scan option is not available (for more information, see Device Insight Integration Page). |
| Context Server | Enter a valid context server name. Enter an IP address or a domain name. |
| Server Type | Indicates the server type specified when the server was configured (for example, Generic HTTP Context Server). |
| Action Description | Describes the action that will take place on the endpoint (for example, "Inform Check Point that user logged in."). |
Once the action is complete, a popup window displays the results of the action. The following image shows the results of an Nmap scan.
Figure 17 Results of a Trigger Server Action (Nmap Scan)
Updating Device Fingerprints From a Hosted Portal
You can update device fingerprints for a single endpoint or for multiple endpoints simultaneously. If you configure custom fingerprints, the custom fingerprint always takes precedence over the dynamically pushed system fingerprint.
To update device fingerprints from a hosted portal:
1. From the > > page, select one or more endpoints by clicking the corresponding check boxes. Selecting an endpoint enables the button.
2. Click the Update Fingerprint button.
3. The page opens, displaying two update types, and .
Override Fingerprint Option
By default, the is set to (see Figure 18).
Figure 18 Update Device Fingerprint Page: Override Fingerprint
When a new fingerprint override rule is defined, an entry is added to the Audit Viewer.
Specify the page parameters as described in the following table, then click :
| Parameter | Action/Description |
| --- | --- |
| Update Type | Select one of the following update types. : Update the device profile details (device category, device OS family, and device name) for the selected endpoint. : Update the device profile with a new fingerprint rule; this information is displayed at the bottom of the page, as shown in . Reset Fingerprint: Reset fingerprint data for the selected endpoints. |
| Device Category | Select the category the profiled device belongs to. |
| Device OS Family | Select the operating system configured on the device. |
| Device Name | Enter the name of the device or select the name of the device from the drop-down list. |
Add Fingerprint Rule Option
To add a fingerprint rule:
1. In the screen, set the Update Type field to . The section appears, as shown in Figure 19.
Figure 19 Update Device Fingerprint Page: Add Fingerprint Rule
2. In the section, select device details as described in Table 5.
3. In the section, select the fingerprint rule you want to edit. You can edit the following components of each fingerprint rule:
: Click the drop-down menu and select the name of a device fingerprint type.
: Select from the options , and to allow the specified values to be included in or excluded from the rule.
: Add values to or delete values from the selected rule.
4. Click .
When a new fingerprint rule is defined, an entry is added to the Audit Viewer.