New Contributor

ArubaInstant and Clearpass


We are trying to get ArubaInstant to pass the device-type through to Clearpass.


At the moment we have 802.1x authentication working with Clearpass as the external radius server. The only thing we find out is how to get the ArubaInstant (IAP 225) to pass the Radius:Aruba:Aruba-Device-Type in the Radius request.


Below is the top of the Radius Request. 



Guru Elite

Re: ArubaInstant and Clearpass

You will likely not get the device type on Instant. You should leverage ClearPass profiling capabilities. 

Tim Cappalli | Aruba Security
@timcappalli | | ACMX #367 / ACCX #480
New Contributor

Re: ArubaInstant and Clearpass

Any documentation on how to set up the profiling on Clearpass? Essentially we just want to determine whether the device is iOS or Android and do something based on that.


Guru Elite

Re: ArubaInstant and Clearpass

Simply add a DHCP helper address pointed to ClearPass and enable profiling in the server configuration. 

Tim Cappalli | Aruba Security
@timcappalli | | ACMX #367 / ACCX #480
New Contributor

Re: ArubaInstant and Clearpass

Well that just blew up the instant ap. I had to ssh from another AP to the virtual controller and wipe that dhcp config.


What we are trying to do is -

- device connects to SECURE

- based on the device type we want to push it to vlan 100 or vlan 101 (example only).


The setup we have is a centralised DHCP server (see below)


At the moment we have them all on vlan 100.


Any other ideas on how we can achieve this?



New Contributor

Re: ArubaInstant and Clearpass

802.1X is a layer 2 authentication method. DHCP fingerprinting is a layer 3 task; the DHCP collector will profile the device by looking into the DHCP Discover and Request packets.


Before ClearPass profiles the device, the policy server would have assigned the policy and the client would have got a VLAN.


To overcome this, you could define a policy in such a way that when a device connects to the 802.1X SSID for the first time and authenticates successfully (the client will get an IP address and it will be profiled), you bounce its interface and force the client to reauthenticate.


The next time he connects to the Secure SSID (attached enforcement policy as an example), he will get an appropriate VLAN based on device type and the policy configured. (ClearPass would have collected device information when the client connected the first time.)



You had better contact an Aruba ClearPass system engineer to design a policy based on your requirement.
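
To illustrate what a DHCP collector looks at, here is an added example (not part of the thread and not ClearPass code) that parses the options of a DHCP Discover and maps the result to a VLAN. The fingerprint table, the function names and the VLAN mapping are assumptions; VLAN 100 is the fallback for a device that has not been profiled yet, which is the state at first authentication.

```python
MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of DHCP options (RFC 2131)
OPTIONS_OFFSET = 236                 # fixed BOOTP header length before the cookie

def parse_dhcp_options(payload: bytes) -> dict:
    """Return {option_code: value_bytes} from a raw DHCP message (UDP payload)."""
    if payload[OPTIONS_OFFSET:OPTIONS_OFFSET + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (magic cookie missing)")
    opts, i = {}, OPTIONS_OFFSET + 4
    while i < len(payload):
        code = payload[i]
        if code == 255:              # End option
            break
        if code == 0:                # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:     # never trust the length byte of a client packet
            raise ValueError("truncated option value")
        opts[code] = opts.get(code, b"") + value   # RFC 3396: repeats concatenate
        i += 2 + length
    return opts

# Assumed, illustrative fingerprints: parameter request list (option 55) -> category.
ASSUMED_FINGERPRINTS = {
    (1, 121, 3, 6, 15, 119, 252): "iOS",
    (1, 3, 6, 15, 26, 28, 51, 58, 59, 43): "Android",
}

def classify(opts: dict) -> str:
    """Categorise a client from option 60 (vendor class) and option 55."""
    if opts.get(60, b"").startswith(b"android-dhcp"):
        return "Android"
    return ASSUMED_FINGERPRINTS.get(tuple(opts.get(55, b"")), "Unknown")

def vlan_for(category: str) -> int:
    """Assumed mapping using the thread's example VLANs; unprofiled devices get 100."""
    return {"iOS": 100, "Android": 101}.get(category, 100)

def build_sample(options: bytes) -> bytes:
    """Constructed DHCP Discover: BOOTREQUEST header, cookie, options, End."""
    return b"\x01" + bytes(OPTIONS_OFFSET - 1) + MAGIC_COOKIE + options + b"\xff"
```

These fields are supplied by the client and can be spoofed, so a VLAN chosen this way is a convenience classification rather than an access control decision.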

