KB44286 - How does a new managed device authenticate when using Profiler? The answer is remediation.

Last Modified Date: 10/11/2019 7:04 PM
Synopsis
For the purpose of this KB, a “new device” is defined as a managed device that, prior to attempting an authentication, had no profile. Also for the purpose of this KB, a “managed” device is a user’s endpoint: the computer or laptop they are attempting to access the network with.
 
Problem or Goal
The goal of this KB is to provide an understanding of the recommended process for authenticating a new 802.1X device and what to expect.
 
Solution
This KB assumes that the PPS Profiler has been successfully deployed and that many, if not all, collectors are in use. It further assumes that the administrator wants the user to be mapped to a user role that requires device attributes retrieved by the Profiler, once the device profile is complete.

Process flow: A wired or wireless 802.1X connection, with or without the Pulse Desktop Client
 
  1. The user connects their device to the network via an 802.1X-enabled NAS.
  2. The user provides credentials and authenticates to a PPS realm, but has not yet been assigned an IP address, as authorization is still in progress.
    1. At this point in the connection process the Profiler has the MAC address of the device the user is connecting with. The MAC address is enough for the Profiler to create an entry in the Device Discovery Report (DDR); from the MAC address OUI the device’s manufacturer is determined and added to the DDR entry.
  3. Though the user (or computer account) presented valid credentials and authenticated successfully, they cannot be mapped to any role that requires Profiler-derived device attributes.
    1. The user should be mapped to a remediation role with an associated restricted VLAN. The PPS needs to be able to reach this VLAN so that the user's computer can be scanned and profiled successfully.
  4. Once the user is assigned to the remediation role and its associated VLAN, the user’s device requests an IP address.
    1. The Profiler uses the DHCP request packet to further profile the endpoint; the device OS, category, and IP information are added to the profile.
    2. Now that the endpoint has an IP address, Nmap immediately scans the device and adds port information to the profile.
    3. If the OS is determined to be Windows, the WMI connector attempts to contact the device and collect more information, and so on.
    4. Depending on the type of device, other collectors can be used.
  5. The Profiler maintains session information for the connected device and triggers a role evaluation every time a device attribute in the profile changes.
  6. If the user qualifies for another role or roles, they are assigned to the user, along with any VLAN associated with them.
    1. If the connection uses a native supplicant and a new VLAN is assigned, it may take a moment for the OS to perform a DHCP discovery and obtain an address on the new VLAN.
    2. If the Pulse client is in use, the change in roles is communicated to the Pulse client and the client reauthenticates. This causes the IP address to be released and a new one assigned.
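The profile-driven role evaluation in steps 2 through 6 above, as an added Python example (not Pulse Secure code): a device with no profile first lands in the remediation role on the strength of its MAC/OUI alone, and each collector result that changes the profile re-runs role mapping. The OUI table, role rules and collector outputs are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed OUI table for the example (not the IEEE registry).
OUI_VENDORS = {"00:50:56": "VMware, Inc.", "3C:22:FB": "Apple, Inc."}

@dataclass
class RoleRule:
    name: str
    required: dict      # attribute -> value; every entry must match
    vlan: int

# Hypothetical rules: most specific first, remediation as the catch-all so an
# unprofiled device always lands in the restricted VLAN (step 3.1).
RULES = [
    RoleRule("Corporate-Windows", {"os": "Windows", "vendor": "VMware, Inc."}, 100),
    RoleRule("Remediation", {}, 999),
]

@dataclass
class DeviceProfile:
    mac: str
    attrs: dict = field(default_factory=dict)
    history: list = field(default_factory=list)   # (collector, role, vlan)

    def evaluate(self) -> RoleRule:
        """First rule whose required attributes are all present and matching."""
        for rule in RULES:
            if all(self.attrs.get(k) == v for k, v in rule.required.items()):
                return rule
        raise AssertionError("catch-all rule missing")  # unreachable with RULES

    def update(self, collector: str, new_attrs: dict):
        """Merge collector output; re-evaluate roles only if an attribute changed (step 5)."""
        changed = {k: v for k, v in new_attrs.items() if self.attrs.get(k) != v}
        if not changed:
            return None
        self.attrs.update(changed)
        role = self.evaluate()
        self.history.append((collector, role.name, role.vlan))
        return role

def profile_new_device(mac: str, dhcp_os: str, ports: list) -> DeviceProfile:
    """Walk the KB's process flow for a device that has no prior profile."""
    p = DeviceProfile(mac)
    # Steps 2-3: only the MAC is known at 802.1X time -> vendor from OUI, remediation role.
    p.update("radius", {"vendor": OUI_VENDORS.get(mac[:8].upper(), "unknown")})
    # Step 4.1: DHCP fingerprint adds the OS; step 4.2: Nmap adds open ports.
    p.update("dhcp", {"os": dhcp_os})
    p.update("nmap", {"ports": tuple(ports)})
    return p
```

A second call with a MAC outside the corporate OUI or a non-Windows DHCP fingerprint stays in Remediation through every collector, which is the behaviour the restricted VLAN is meant to contain.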

Note: What I have outlined above is just a summary of the overall process. I've excluded mention of Host Checker or enforcers to simplify the process. The use of Host Checker and enforcers in addition to Profiler is recommended.
 
Created By: Brian Pimentel