HPE Aruba Networking ClearPass Policy Manager (CPPM) uses device profiling to identify and classify
endpoints on the network, enabling granular access control based on device type, OS, or other
attributes. CPPM supports both passive and active profiling methods.
Option C, "CPPM can analyze settings such as TTL and time window size in endpoints' TCP traffic in
order to fingerprint the OS," is correct. TCP fingerprinting is a passive profiling method used by
CPPM. It involves analyzing TCP packet headers, such as the Time To Live (TTL) value and TCP window
size, which vary between operating systems (e.g., Windows, Linux, macOS). CPPM captures this
traffic (e.g., via mirrored traffic from a switch or controller) and matches the TCP attributes against its
fingerprint database to identify the OS of the endpoint.
Option A, "CPPM can use Wireshark to actively probe devices, analyze their traffic patterns, and
construct an endpoint profile," is incorrect. CPPM does not use Wireshark for profiling; Wireshark is a
third-party packet analysis tool. CPPM has its own built-in profiling engine and does not rely on
external tools like Wireshark for active probing.
Option B, "CPPM can use SNMP to configure Aruba switches and mobility devices to mirror client
traffic to CPPM for analysis," is incorrect. While CPPM can receive mirrored traffic for profiling (e.g.,
via SPAN or mirror ports), it does not use SNMP to configure the mirroring. The configuration of
traffic mirroring is typically done manually on the switch or controller (e.g., using a datapath mirror
on an MC), not via SNMP by CPPM.
Option D, "CPPM can analyze settings such as TCP/UDP ports used for HTTP, DHCP, and DNS in
endpoints' traffic to fingerprint the OS," is incorrect. While CPPM does analyze HTTP, DHCP, and DNS
traffic for profiling, it does not fingerprint the OS based on TCP/UDP ports. Instead, it uses attributes
like DHCP Option 55 (for DHCP fingerprinting) or HTTP User-Agent strings (for HTTP fingerprinting) to
identify devices, not the ports themselves.
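To make the distinction concrete, here is an added example (not ClearPass code and not its fingerprint database) of the three passive signals the explanation names: TCP TTL plus window size, the DHCP Option 55 parameter request list, and the HTTP User-Agent. Every fingerprint table and sample packet below is constructed for illustration; the function names (`fingerprint_tcp`, `fingerprint_dhcp`, `fingerprint_http`, `profile_endpoint`) are this example's own. Note that the TCP matcher first normalizes the observed TTL back to a likely initial value, because each router hop decrements it, and that it reports "Unknown" rather than guessing when two OS entries tie.

```python
from dataclasses import dataclass

# Constructed, illustrative fingerprint table (NOT ClearPass's database).
TCP_FINGERPRINTS = [
    {"os": "Windows", "initial_ttl": 128, "window_sizes": {8192, 65535, 64240}},
    {"os": "Linux",   "initial_ttl": 64,  "window_sizes": {5840, 29200, 64240}},
    {"os": "macOS",   "initial_ttl": 64,  "window_sizes": {65535}},
]
COMMON_INITIAL_TTLS = (32, 64, 128, 255)


def infer_initial_ttl(observed_ttl: int) -> int:
    """Round the observed TTL up to the nearest common initial value.
    A packet with TTL 116 most likely started at 128 and crossed 12 hops."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError("TTL must be 1..255")
    for initial in COMMON_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial
    return 255


def fingerprint_tcp(observed_ttl: int, window_size: int) -> str:
    """Match TTL and window size against the table; 'Unknown' on no match or a tie."""
    initial = infer_initial_ttl(observed_ttl)
    scored = []
    for fp in TCP_FINGERPRINTS:
        if fp["initial_ttl"] != initial:
            continue
        score = 1 + (1 if window_size in fp["window_sizes"] else 0)
        scored.append((score, fp["os"]))
    if not scored:
        return "Unknown"
    scored.sort(reverse=True)
    if len(scored) > 1 and scored[0][0] == scored[1][0]:
        return "Unknown"  # ambiguous: same TTL class, neither window size matched
    return scored[0][1]


def parse_dhcp_options(blob: bytes) -> dict:
    """Parse the DHCP option TLVs that follow the magic cookie into {code: value}.
    Handles pad (0) and end (255) and rejects truncated options."""
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == 0:        # pad
            i += 1
            continue
        if code == 255:      # end of options
            break
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


# Constructed Option 55 parameter request lists keyed to an OS label.
DHCP55_FINGERPRINTS = {
    (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252): "Windows",
    (1, 28, 2, 3, 15, 6, 119, 12, 44, 47, 26, 121, 42): "Linux",
}


def fingerprint_dhcp(option_blob: bytes) -> str:
    """Classify by the exact Option 55 parameter request list (order matters)."""
    prl = tuple(parse_dhcp_options(option_blob).get(55, b""))
    return DHCP55_FINGERPRINTS.get(prl, "Unknown")


def fingerprint_http(user_agent: str) -> str:
    """Classify by User-Agent substrings; the check order avoids 'Linux' in macOS strings."""
    ua = user_agent.lower()
    for needle, os_name in (("windows nt", "Windows"), ("mac os x", "macOS"), ("linux", "Linux")):
        if needle in ua:
            return os_name
    return "Unknown"


def profile_endpoint(ttl: int, window: int, dhcp_opts: bytes, user_agent: str) -> dict:
    """Run all three passive methods and report agreement, mirroring how a profiler
    combines independent signals into one endpoint classification."""
    results = {
        "tcp": fingerprint_tcp(ttl, window),
        "dhcp": fingerprint_dhcp(dhcp_opts),
        "http": fingerprint_http(user_agent),
    }
    known = {v for v in results.values() if v != "Unknown"}
    results["consensus"] = known.pop() if len(known) == 1 else "Conflict" if known else "Unknown"
    return results


# Constructed sample: DHCP Discover (option 53 = 1) carrying a Windows-style Option 55 list.
SAMPLE_DHCP_OPTIONS = (bytes([53, 1, 1]) + bytes([55, 14])
                       + bytes([1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252])
                       + bytes([255]))
SAMPLE_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"

if __name__ == "__main__":
    print(profile_endpoint(116, 64240, SAMPLE_DHCP_OPTIONS, SAMPLE_UA))
```

The TCP step alone is the weakest of the three signals (a TTL of 64 is shared by Linux and macOS, and window sizes overlap across versions), which is why the sample packet with TTL 64 and an unlisted window size comes back "Unknown" instead of a guess; DHCP and HTTP attributes are what resolve it, not the TCP/UDP port numbers those protocols run on.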
The HPE Aruba Networking ClearPass Policy Manager 6.11 User Guide states:
"ClearPass supports TCP fingerprinting as a passive profiling method to identify the operating system
of endpoints. By analyzing TCP packet headers, such as the Time To Live (TTL) value and TCP window
size, ClearPass can fingerprint the OS of a device. For example, Windows devices typically have a TTL
of 128, while Linux devices often have a TTL of 64. These attributes are matched against ClearPass’s
fingerprint database to classify the device." (Page 248, TCP Fingerprinting Section)
Additionally, the ClearPass Device Insight Data Sheet notes:
"ClearPass uses passive profiling techniques like TCP fingerprinting to identify device operating
systems. By examining TCP attributes such as TTL and window size, ClearPass can accurately
determine whether a device is running Windows, Linux, macOS, or another OS, enabling precise
policy enforcement." (Page 3, Profiling Methods Section)
References:
HPE Aruba Networking ClearPass Policy Manager 6.11 User Guide, TCP Fingerprinting Section, Page 248.
ClearPass Device Insight Data Sheet, Profiling Methods Section, Page 3.