Access Control

After creating the Local Profiler Authorization Server, you can use device attributes from the Profiler in the role mapping rules for both MAC Authorization and 802.1X realms for policy enforcement.

Spoof Detection

The Profiler provides a mechanism for flagging suspected MAC address spoofing, provided the spoofing results in a profile change for the device. A profile change is indicated by the previous_os and previous_category fields.

For example, MAC address spoofing can be suspected if an endpoint was a printer in the stored profile and the latest profile identifies the same device as a Linux endpoint.

To detect spoofing of a specific device type (here, a Cisco VoIP phone), use the following Regexp in the role mapping rule:
deviceAttr.previous_os != '' AND (deviceAttr.previous_os = 'Cisco VoIP' AND deviceAttr.os != 'Cisco VoIP')

To detect a profile change regardless of operating system, use the following Regexp, which is common for all operating systems:
deviceAttr.previous_os != '' AND (deviceAttr.previous_os != deviceAttr.os)

This feature works only when the genuine device has been profiled with OS and category information before the spoofed device connects and is profiled. MAC spoof detection may not work when the same OS or category information is identified for the original and the spoofed device. It may also not work when two different collectors collect valid information but there is no classification change because of the priority order of the collectors. The collector priority order, highest first, is: MDM, Device Attribute Server, WMI, SSH, SNMP/SNMP (Host), User Agent, DHCP, SMB, NMAP, TCP.
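The following added example (not Profiler product code) models the spoof-suspect rule logic described above over constructed device attribute records. It evaluates both the device-specific and the generic Regexp, and it also reproduces the two caveats: a device whose re-profile yields the same OS is not flagged, and a classification that does not change because a higher-priority collector still reports the old OS is not flagged either. The dictionary layout, the function names and the collector-to-OS observations are assumptions made for the example; only the attribute names and the priority list come from the page.

```python
"""Added example: model the Profiler spoof-suspect rule over sample records.

Not product code. Attribute names (os, previous_os, category,
previous_category) and the collector priority list are from the page;
the record layout and the helper functions are assumptions.
"""

# Collector priority, highest first, as listed on the page.
COLLECTOR_PRIORITY = [
    "MDM", "Device Attribute Server", "WMI", "SSH", "SNMP", "SNMP (Host)",
    "User Agent", "DHCP", "SMB", "NMAP", "TCP",
]


def resolve_classification(observations):
    """Return the (os, category) reported by the highest-priority collector.

    `observations` maps collector name -> (os, category). Assumption: this
    mirrors the priority-order behaviour described on the page.
    """
    for collector in COLLECTOR_PRIORITY:
        if collector in observations:
            return observations[collector]
    return ("", "")


def reprofile(stored, observations):
    """Build the attribute record the rules see after a re-profile.

    The current os/category come from the collectors; previous_os and
    previous_category are carried over from the stored profile.
    """
    os_name, category = resolve_classification(observations)
    return {
        "os": os_name,
        "category": category,
        "previous_os": stored.get("os", ""),
        "previous_category": stored.get("category", ""),
    }


def suspect_spoof_generic(attrs):
    """deviceAttr.previous_os != '' AND (deviceAttr.previous_os != deviceAttr.os)"""
    return attrs["previous_os"] != "" and attrs["previous_os"] != attrs["os"]


def suspect_spoof_for(attrs, expected_os):
    """deviceAttr.previous_os != '' AND (previous_os = X AND os != X)"""
    return (
        attrs["previous_os"] != ""
        and attrs["previous_os"] == expected_os
        and attrs["os"] != expected_os
    )


# Constructed sample scenarios (not real device data).
PRINTER_STORED = {"os": "Printer OS", "category": "Printer"}
PHONE_STORED = {"os": "Cisco VoIP", "category": "VoIP Phone"}
WINDOWS_STORED = {"os": "Windows", "category": "Workstation"}


def run_scenarios():
    """Return the rule outcome for each scenario so the caveats are visible."""
    # 1. Printer re-profiled as Linux: flagged by the generic rule.
    printer_now_linux = reprofile(PRINTER_STORED, {"NMAP": ("Linux", "Workstation")})
    # 2. Phone still reported as Cisco VoIP: same OS, nothing to flag.
    phone_unchanged = reprofile(PHONE_STORED, {"DHCP": ("Cisco VoIP", "VoIP Phone")})
    # 3. Phone re-profiled as Linux: flagged by the device-specific rule.
    phone_now_linux = reprofile(PHONE_STORED, {"TCP": ("Linux", "Workstation")})
    # 4. Two collectors disagree, but WMI outranks NMAP, so the
    #    classification stays Windows and no change is seen.
    two_collectors = reprofile(
        WINDOWS_STORED,
        {"WMI": ("Windows", "Workstation"), "NMAP": ("Linux", "Workstation")},
    )
    # 5. Never profiled before: previous_os is empty, rule cannot fire.
    first_seen = reprofile({}, {"DHCP": ("Linux", "Workstation")})
    return {
        "printer_now_linux": suspect_spoof_generic(printer_now_linux),
        "phone_unchanged": suspect_spoof_for(phone_unchanged, "Cisco VoIP"),
        "phone_now_linux": suspect_spoof_for(phone_now_linux, "Cisco VoIP"),
        "two_collectors": suspect_spoof_generic(two_collectors),
        "first_seen": suspect_spoof_generic(first_seen),
    }


if __name__ == "__main__":
    for name, flagged in run_scenarios().items():
        print(f"{name}: {'SUSPECT' if flagged else 'no change'}")
```

Scenario 4 is the one worth keeping in mind when tuning detection: the NMAP result alone would have revealed a Linux host, but because WMI sits higher in the priority order the profile never changes, so a rule keyed on previous_os cannot fire.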

The Profiler can detect a device that was previously scanned and profiled but can no longer be scanned. The number of failed scan attempts is reported for each device in the Device Discovery Report. An administrator can configure an e-mail notification, sent at a configured interval, for devices that are assigned to a group based on their number of failed scan attempts.

  1. Create a profiler group with rules based on the scan failure count per collector. See Profile Groups. Profile group criteria apply to the active collectors: NMAP, SSH, SNMP (Host), and WMI.
    For example, for NMAP use the rule: nmap.scanFailedCount ge "5". Use the "and" operator to combine rules for multiple collectors.
    Use "gt" for >, "lt" for <, "ge" for >=, and "le" for <=, as shown in the example.
  2. On the DDR page, create a custom filter by selecting the group name under Advanced Filters.
  3. Create an e-mail report scheduler and select the pre-defined filter to generate the Device Discovery Report based on this filter. See Profiler Report Scheduling.
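The following added example (not Profiler product code) evaluates a profile-group rule of the kind described in step 1 over constructed device records: it parses the textual form shown on the page (attribute, operator, quoted number, terms joined by "and"), applies the gt/lt/ge/le operators, and returns the devices that would match the group and therefore the DDR custom filter. The grammar accepted by the parser, the ssh.scanFailedCount attribute name and the record layout are assumptions for this example; nmap.scanFailedCount and the operator names come from the page.

```python
"""Added example: evaluate a scan-failure profile-group rule over sample records.

Not product code. The rule syntax parsed here is an assumption based on the
form shown on the page (attr op "n" joined by "and"); only
nmap.scanFailedCount and the gt/lt/ge/le operators are from the page.
"""
import operator
import re

OPS = {
    "gt": operator.gt,  # >
    "lt": operator.lt,  # <
    "ge": operator.ge,  # >=
    "le": operator.le,  # <=
}

# One term: <attribute> <op> "<integer>"
TERM_RE = re.compile(r'^(\S+)\s+(gt|lt|ge|le)\s+"(\d+)"$')


def parse_rule(text):
    """Turn 'a ge "5" and b ge "3"' into [("a", "ge", 5), ("b", "ge", 3)].

    Raises ValueError on a term that does not fit the assumed syntax, so a
    typo in the rule is caught instead of silently matching nothing.
    """
    terms = []
    for raw in re.split(r"\s+and\s+", text.strip()):
        match = TERM_RE.match(raw.strip())
        if not match:
            raise ValueError(f"unrecognised rule term: {raw!r}")
        attr, op, value = match.groups()
        terms.append((attr, op, int(value)))
    return terms


def matches_rule(device, rule):
    """All terms must hold ("and" semantics).

    A device that has never been scanned by a collector has no count for
    it, so a missing attribute does not satisfy the term.
    """
    for attr, op, threshold in rule:
        value = device.get(attr)
        if value is None or not OPS[op](value, threshold):
            return False
    return True


def filter_report(devices, rule_text):
    """Return the MAC addresses that would appear under the custom filter."""
    rule = parse_rule(rule_text)
    return [d["mac"] for d in devices if matches_rule(d, rule)]


# Constructed sample records (not real device data); MACs are placeholders.
SAMPLE_DEVICES = [
    {"mac": "00:00:00:00:00:01", "nmap.scanFailedCount": 7, "ssh.scanFailedCount": 4},
    {"mac": "00:00:00:00:00:02", "nmap.scanFailedCount": 2, "ssh.scanFailedCount": 9},
    {"mac": "00:00:00:00:00:03", "nmap.scanFailedCount": 5},
    {"mac": "00:00:00:00:00:04", "nmap.scanFailedCount": 0, "ssh.scanFailedCount": 0},
]

# The rule from the page, extended with a second collector via "and".
UNREACHABLE_RULE = 'nmap.scanFailedCount ge "5" and ssh.scanFailedCount ge "3"'

if __name__ == "__main__":
    for mac in filter_report(SAMPLE_DEVICES, UNREACHABLE_RULE):
        print("would be reported:", mac)
```

Device 03 matches the NMAP term alone but has no SSH count at all, so it falls outside a rule that combines both collectors with "and"; if you want such devices included, give each collector its own group rather than combining terms.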