Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ArubaInstant and Clearpass

  • 1.  ArubaInstant and Clearpass

    Posted May 22, 2016 10:54 PM

    Hi,

    We are trying to get ArubaInstant to pass the device-type through to Clearpass.

     

    At the moment we have 802.1x authentication working with Clearpass as the external radius server. The only thing we find out is how to get the ArubaInstant (IAP 225) to pass the Radius:Aruba:Aruba-Device-Type in the Radius request.

     

    Below is the top of the Radius Request. 

    Radius:Aruba:Aruba-AP-Group             instant-C6:A1:14
    Radius:Aruba:Aruba-Auth-Survivability   enabled
    Radius:Aruba:Aruba-Essid-Name           MPSCSECURE
    Radius:Aruba:Aruba-Location-Id          84:d4:7e:c6:7c:2e
    Radius:IETF:Called-Station-Id           84d47ec67c2e
    Radius:IETF:Calling-Station-Id          b4ae2b208049
    Radius:IETF:Framed-MTU                  1100

     


    #AP225


  • 2.  RE: ArubaInstant and Clearpass

    EMPLOYEE
    Posted May 22, 2016 10:56 PM
    You will likely not get the device type on Instant. You should leverage ClearPass profiling capabilities. 


  • 3.  RE: ArubaInstant and Clearpass

    Posted May 22, 2016 11:00 PM

    Any documentation on how to set up the profiling on Clearpass? Essentially we just want to determine whether the device is iOS or Android and do something based on that.

     



  • 4.  RE: ArubaInstant and Clearpass

    EMPLOYEE
    Posted May 22, 2016 11:03 PM
    Simply add a DHCP helper address pointed to ClearPass and enable profiling in the server configuration. 


  • 5.  RE: ArubaInstant and Clearpass

    Posted May 22, 2016 11:42 PM

    Well that just blew up the instant ap. I had to ssh from another AP to the virtual controller and wipe that dhcp config.

     

    What we are trying to do is -

    - device connects to SECURE

    - based on the device type we want to push it to vlan 100 or vlan 101 (example only).

     

    The setup we have is a centralised DHCP server (see below)

     

    At the moment we have them all on vlan 100.

     

    Any other ideas on how we can achieve this?

     

    Config.png



  • 6.  RE: ArubaInstant and Clearpass

    Posted Jun 02, 2016 03:52 PM

    802.1X is a layer 2 authentication method. DHCP fingerprinting is a layer 3 task; the DHCP collector will profile the device by looking into the DHCP Discover and Request packets.

     

    Before ClearPass profiles the device, the policy server would have assigned the policy and the client would have got a VLAN.

     

    To overcome this, you could define a policy in such a way that when a device connects to the 802.1X SSID for the first time and authenticates successfully (the client will get an IP address and it will be profiled), you bounce its interface and force the client to reauthenticate.

     

    Next time, when he connects to the Secure SSID (attached enforcement policy as an example), he will get an appropriate VLAN based on device type and the policy configured. (ClearPass would have collected device information when the client connected the first time.)

     

     

    You had better contact an Aruba ClearPass system engineer to design a policy based on your requirement.

     

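The two-pass flow described in the last reply (authenticate, get profiled from DHCP, reauthenticate into the device-specific VLAN), modelled as an added example that is not part of the original thread and is not ClearPass code. The fingerprint table, the iOS/Android VLAN mapping, the sample MAC and all function names are assumptions constructed for illustration.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"  # magic cookie marking the start of DHCP options
# Constructed option-55 fingerprints for illustration; not ClearPass profiler data.
FINGERPRINTS = {(1, 121, 3, 6, 15, 119, 252): "iOS",
                (1, 3, 6, 15, 26, 28, 51, 58, 59, 43): "Android"}
DEFAULT_VLAN = 100
VLAN_BY_TYPE = {"iOS": 100, "Android": 101}  # assumed mapping of the thread's example VLANs
endpoints = {}  # MAC -> device category learned from DHCP

def parse_dhcp(packet):
    """Return (client MAC, option-55 tuple) from a raw BOOTP/DHCP payload."""
    if len(packet) < 240 or packet[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    mac = packet[28:28 + min(packet[2], 16)].hex()   # chaddr, hlen bytes
    i, prl = 240, ()
    while i < len(packet) and packet[i] != 255:      # 255 = end option
        if packet[i] == 0:                           # 0 = pad, no length byte
            i += 1
            continue
        if i + 1 >= len(packet) or i + 2 + packet[i + 1] > len(packet):
            raise ValueError("truncated DHCP option")
        code, length = packet[i], packet[i + 1]
        if code == 55:                               # parameter request list
            prl = tuple(packet[i + 2:i + 2 + length])
        i += 2 + length
    return mac, prl

def profile(packet):
    """Collector step: record the category when the fingerprint is known."""
    mac, prl = parse_dhcp(packet)
    if prl in FINGERPRINTS:
        endpoints[mac] = FINGERPRINTS[prl]

def authorize(calling_station_id):
    """VLAN decision at 802.1X time, keyed on the RADIUS Calling-Station-Id."""
    mac = calling_station_id.lower().replace(":", "").replace("-", "")
    category = endpoints.get(mac)
    if category is None:  # not profiled yet: default VLAN, then force reauth
        return {"vlan": DEFAULT_VLAN, "reauth": True}
    return {"vlan": VLAN_BY_TYPE.get(category, DEFAULT_VLAN), "reauth": False}

def build_discover(mac_hex, prl):
    """Constructed DHCP Discover used as sample input."""
    head = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x1234, 0, 0) + b"\x00" * 16
    chaddr = bytes.fromhex(mac_hex).ljust(16, b"\x00")
    return head + chaddr + b"\x00" * 192 + MAGIC + bytes([53, 1, 1, 55, len(prl), *prl, 255])

def two_pass_demo():
    endpoints.clear()
    first = authorize("02:AA:BB:CC:DD:EE")           # before any DHCP is seen
    profile(build_discover("02aabbccddee", (1, 3, 6, 15, 26, 28, 51, 58, 59, 43)))
    return first, authorize("02:AA:BB:CC:DD:EE")     # after the forced reauth
```

The first decision can only use the default VLAN because the DHCP exchange happens after authorization, which is why the reauthentication step is needed.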