New Contributor
Posts: 3
Registered: ‎05-22-2016

ArubaInstant and Clearpass

Hi,

We are trying to get ArubaInstant to pass the device-type through to Clearpass.

At the moment we have 802.1x authentication working with Clearpass as the external radius server. The only thing we find out is how to get the ArubaInstant (IAP 225) to pass the Radius:Aruba:Aruba-Device-Type in the Radius request.

Below is the top of the Radius Request.

Radius:Aruba:Aruba-AP-Group              instant-C6:A1:14
Radius:Aruba:Aruba-Auth-Survivability    enabled
Radius:Aruba:Aruba-Essid-Name            MPSCSECURE
Radius:Aruba:Aruba-Location-Id           84:d4:7e:c6:7c:2e
Radius:IETF:Called-Station-Id            84d47ec67c2e
Radius:IETF:Calling-Station-Id           b4ae2b208049
Radius:IETF:Framed-MTU                   1100

Guru Elite
Posts: 8,048
Registered: ‎09-08-2010

Re: ArubaInstant and Clearpass

You will likely not get the device type on Instant. You should leverage ClearPass profiling capabilities. 

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
New Contributor
Posts: 3
Registered: ‎05-22-2016

Re: ArubaInstant and Clearpass

Any documentation on how to set up the profiling on Clearpass? Essentially we just want to determine the device is either iOS or Android and do something based on that.

Guru Elite
Posts: 8,048
Registered: ‎09-08-2010

Re: ArubaInstant and Clearpass

Simply add a DHCP helper address pointed to ClearPass and enable profiling in the server configuration. 

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
New Contributor
Posts: 3
Registered: ‎05-22-2016

Re: ArubaInstant and Clearpass

Well that just blew up the Instant AP. I had to SSH from another AP to the virtual controller and wipe that DHCP config.

What we are trying to do is:

- device connects to SECURE
- based on the device type we want to push it to vlan 100 or vlan 101 (example only).

The setup we have is a centralised DHCP server (see below).

At the moment we have them all on vlan 100.

Any other ideas on how we can achieve this?

Config.png

New Contributor
Posts: 4
Registered: ‎04-19-2016

Re: ArubaInstant and Clearpass

802.1X is a layer 2 authentication method. DHCP fingerprinting is a layer 3 task: the DHCP collector will profile the device by looking into the DHCP Discover and Request packets.

Before ClearPass profiles the device, the policy server would have assigned the policy and the client would have got a VLAN.

To overcome this, you could define a policy in such a way that when a device connects to the 802.1X SSID for the first time and authenticates successfully (the client will get an IP address and it will be profiled), its interface is bounced and the client is forced to reauthenticate.

The next time the client connects to the Secure SSID (attached enforcement policy as an example), it will get an appropriate VLAN based on device type and the policy configured. (ClearPass would have collected device information when the client connected the first time.)

You had better contact an Aruba ClearPass system engineer to design a policy based on your requirement.
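The ordering described in this reply, as an added example that is not part of the original thread and not ClearPass code: a profiler reads DHCP option 55 from a relayed Discover, and the 802.1X decision can only use that result on the second authentication. The fingerprint table, the device-to-VLAN mapping, the MAC address and all function names are assumptions constructed for illustration.

```python
MAGIC = bytes([99, 130, 83, 99])  # DHCP magic cookie after the 236-byte BOOTP header
# Illustrative option-55 fingerprints (assumed sample values, not ClearPass data).
FINGERPRINTS = {
    (1, 121, 3, 6, 15, 119, 252): "iOS",
    (1, 3, 6, 15, 26, 28, 51, 58, 59, 43): "Android",
}
VLAN_BY_TYPE = {"iOS": 100, "Android": 101}  # assumed mapping; the thread says "example only"
DEFAULT_VLAN = 100

def dhcp_options(packet):
    """Parse DHCP options into {code: value}; reject truncated input."""
    if len(packet) < 240 or packet[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(packet) and packet[i] != 255:   # 255 = end option
        if packet[i] == 0:                        # 0 = pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        code, length = packet[i], packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts

def profile(packet):
    """Return (client MAC, device type) from a relayed Discover/Request."""
    mac = packet[28:34].hex()                     # chaddr, same form as Calling-Station-Id
    prl = tuple(dhcp_options(packet).get(55, b""))
    return mac, FINGERPRINTS.get(prl, "Unknown")

def enforce(mac, endpoint_db):
    """802.1X decision -> (vlan, bounce). No profile exists until DHCP has run."""
    device = endpoint_db.get(mac)
    if device is None:
        return DEFAULT_VLAN, True                 # first auth: default VLAN, then reauth
    return VLAN_BY_TYPE.get(device, DEFAULT_VLAN), False

def build_discover(mac, prl):  # constructed minimal Discover, not a capture
    header = bytes([1, 1, 6, 0]) + bytes(24) + mac + bytes(202)
    return header + MAGIC + bytes([53, 1, 1, 55, len(prl)]) + bytes(prl) + b"\xff"

if __name__ == "__main__":
    db, mac = {}, bytes.fromhex("020000000001")
    print("first auth :", enforce(mac.hex(), db))
    db.update([profile(build_discover(mac, [1, 3, 6, 15, 26, 28, 51, 58, 59, 43]))])
    print("second auth:", enforce(mac.hex(), db))
```

A device whose option 55 list matches no entry is recorded as "Unknown" and stays on the default VLAN without a further bounce, so an unrecognised client is not reauthenticated in a loop.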

 
