What is the limitation in ClearPass for DHCP-based profiling?
Environment: All ClearPass versions.
Profiler is a feature in ClearPass Policy Manager that automatically classifies endpoints using attributes obtained from software components called Collectors. It can be used to implement access controls based on the type of the device and the identity of the user. An endpoint profile consists of Device Category, Device OS Family, Device Name, IP Address, Hostname, and MAC Address. DHCP is one of the Collectors used to send device attributes to Profiler.
ClearPass Policy Manager needs to be configured as an IP Helper on the switches and NAS devices so that it can receive DHCP attributes such as option 55 and option 60 from DISCOVER, REQUEST, and INFORM packets. ClearPass Policy Manager decodes these DHCP packets to arrive at the device category, family, name, hostname, and IP address.
However, ClearPass Policy Manager accepts only the first DHCP fingerprint received for a particular MAC address. All subsequent DHCP fingerprint packets received within 5 minutes of the first DHCP fingerprint are ignored. This 5-minute interval is by product design in ClearPass Policy Manager.
This is done for performance reasons, to avoid repeated re-profiling and database writes for the same MAC address during the 5-minute interval. That can easily happen if DHCP relay is pointed at multiple ClearPass Policy Manager nodes for redundancy and the nodes end up updating Profiler with the same fingerprint for the same MAC address in a short interval.
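
The following is an added example, not ClearPass code: a small model of the 5-minute rule that replays relayed DHCP fingerprints and marks which ones would be ignored, separating harmless duplicates from ignored packets that carried a different fingerprint. The event tuples, the option 55 strings, the verdict names, and the behaviour once the window has elapsed (the next packet is accepted and starts a new window) are assumptions made for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # interval stated in the article

def replay(events, window=WINDOW):
    """Replay (timestamp, mac, fingerprint) tuples in time order.

    Returns (timestamp, mac, fingerprint, verdict) tuples, where verdict is
    'accepted', 'ignored-same' or 'ignored-different' (hypothetical labels).
    """
    accepted = {}  # mac -> (time the fingerprint was accepted, fingerprint)
    results = []
    for ts, mac, fp in sorted(events):
        mac = mac.lower().replace("-", ":")  # normalise MAC notation
        prev = accepted.get(mac)
        if prev is None or ts - prev[0] >= window:
            # Assumption: after the window has elapsed, the next packet is
            # accepted and becomes the start of a new window.
            accepted[mac] = (ts, fp)
            verdict = "accepted"
        elif fp == prev[1]:
            verdict = "ignored-same"       # duplicate, e.g. second relay copy
        else:
            verdict = "ignored-different"  # stored profile will not reflect it
        results.append((ts, mac, fp, verdict))
    return results

def at(hms):
    """Build a timestamp on a fixed, constructed date."""
    return datetime.strptime("2024-01-01 " + hms, "%Y-%m-%d %H:%M:%S")

# Constructed sample: option 55 parameter request lists as fingerprints.
SAMPLE = [
    (at("09:00:00"), "aa:bb:cc:00:00:01", "1,3,6,15"),
    (at("09:00:02"), "AA-BB-CC-00-00-01", "1,3,6,15"),        # same packet, relayed again
    (at("09:01:00"), "aa:bb:cc:00:00:02", "1,3,6,12,15,28"),
    (at("09:02:30"), "aa:bb:cc:00:00:01", "1,3,6,12,15,28"),  # differs, inside window
    (at("09:05:01"), "aa:bb:cc:00:00:01", "1,3,6,12,15,28"),  # differs, after window
]

if __name__ == "__main__":
    for ts, mac, fp, verdict in replay(SAMPLE):
        print(ts.time(), mac, fp, verdict)
```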