Technical Tip: Troubleshooting rogue not matching any device profiles

cmaheu · ‎06-13-2019

Description

A rogue connected to the network does not match any of the configured Device Profiling Rules.

Scope

Version: 8.x, 9.x

Solution

1) Navigate to the Hosts View

8.x: Hosts > Host View

9.x: Users & Hosts > Hosts

2) Search for the MAC address and verify the rogue's adapter record status shows online (green adapter icon).

2a) If adapter record shows offline: Check switch or wireless connection. If device is confirmed to be online, see related KB articles

2b) If adapter record shows online: Right click on Host record and select Show Events.

"Invalid Physical Address": Corresponding Vendor OUI is not in the database. For troubleshooting steps, see related KB article Technical Tip: Host fails to register or multiple host records are created.

"Device Profiling Rule Missing Data": Device Profiler cannot compare a rogue against a rule because there is not enough information about the rogue. For troubleshooting steps, see related KB article Technical Note: Troubleshooting 'Device Profiling Rule Missing Data' events.

3) After making corrections, test the rogue against the desired rule. Search for the MAC address in the Adapters View.

8.x: Hosts > Adapter View

9.x: Users & Hosts > Adapters

4) Right click on the adapter record and select Test Device Profiling Rule.

5) Once the rule matches, re-run the rogue host evaluation.

8.x: Hosts > Device Profiling Rules and click Run.

9.x: Users & Hosts > Device Profiling Rules and click Run.