07-26-2015 02:42 AM
I set up CPPM to work with Juniper EX switches to enforce VLANs; I used the aes.arubanetworks.com solution and it works fine. For printers, I defined a role called 'company printers' and made a role mapping with the condition (Authorization:[Endpoints Repository]:Category EQUALS Printer) and the role name 'company printers'. On my wired enforcement policy I added a rule (Tips:Role EQUALS company printers) with the action "printers vlan" to push the printers VLAN back to the EX switch.
Here is what I'm not sure about:
In order for a device (printer) to be profiled, it would need to at least request a DHCP address. After that, my role mapping can read the device category and enforce a role. Is this at all true? Without manually adding my printers to the endpoint database, is there any other way to allow a printer to be profiled without allowing it onto the network? Should I allow all devices in (to be profiled) and then enforce my policy?
Any input is highly appreciated.
07-26-2015 06:40 AM
07-26-2015 12:07 PM
I was looking at the profiler on the service and it is asking me to select an action! Should I choose "Juniper session time out" since I'm working on Juniper switches? And what will that session timeout do?
07-27-2015 08:55 PM
So I got the profiler working but here is the issue that I'm facing:
Aruba APs connected to the Juniper switches aren't being allowed into the switch. The MAC auth service I created looks at the MAC OUI and would push a VLAN back to the switch, but they aren't passing the check. Any clue on how to get this working?
07-27-2015 10:08 PM
Before, it used to give me this error:
RADIUS: [Endpoints Repository] - localhost: User not found.
MAC_AUTH: No password in request. Not attempting MAC authentication
Cannot select appropriate authentication method
So I added EAP-MD5 as an auth method and now it looks like it is working as follows:
The AP comes in and gets into the Endpoints DB; it reboots and comes back with the OUI of Aruba Networks, CPPM sends the access points VLAN and Juniper terminates the session; the AP reboots again and comes back with OS Family Aruba and Category access point, so CPPM sends the AP VLAN to the switch. This is working great per the screen cap below:
I would like to ask you, how do I deal with security cameras and printers with static IP addresses? In the above, CPPM is a DHCP helper on the switch and it is able to profile the OS family and category. How can I achieve this on statically assigned IP devices?
07-28-2015 05:19 AM
07-28-2015 10:36 AM
set protocols dot1x authenticator interface <INTERFACE-NAME> mac-radius
In ClearPass, add a rule under your enforcement policy that returns a dead-end VLAN if the device hasn't been profiled, so that the device can be profiled for a short period of time, and then CoA the device.
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
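The two-phase flow described in the reply above (unknown endpoint parked in a dead-end VLAN, profiled, then CoA'd into its production VLAN), as an added example that is not ClearPass or Juniper code. The VLAN ids, the OUI table, the category-to-VLAN table and the function names are constructed assumptions; the RADIUS tunnel attribute values are the standard ones for VLAN assignment.

```python
from dataclasses import dataclass
from typing import Optional

QUARANTINE_VLAN = 999                                # assumed dead-end VLAN: DHCP only, so the profiler can see the device
CATEGORY_VLAN = {"Printer": 30, "Access Points": 40}  # assumed profiled category -> production VLAN
OUI_VLAN = {"000b86": 40}                            # assumed vendor prefix (Aruba) -> VLAN; needs no DHCP
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6          # Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802

@dataclass
class Endpoint:
    mac: str                              # normalised 12 hex chars
    category: Optional[str] = None        # None until the profiler has classified it
    last_vlan: Optional[int] = None       # VLAN last returned to the switch for this MAC

def normalise_mac(calling_station_id: str) -> str:
    return calling_station_id.lower().replace(":", "").replace("-", "")

def vlan_attrs(vlan: int) -> dict:
    """RADIUS Access-Accept attributes that place a wired port into a VLAN."""
    return {"Tunnel-Type": TUNNEL_TYPE_VLAN,
            "Tunnel-Medium-Type": TUNNEL_MEDIUM_802,
            "Tunnel-Private-Group-Id": str(vlan)}

def choose_vlan(ep: Endpoint) -> int:
    if ep.category in CATEGORY_VLAN:      # fully profiled (e.g. via DHCP fingerprint)
        return CATEGORY_VLAN[ep.category]
    if ep.mac[:6] in OUI_VLAN:            # OUI comes from the MAC itself, so a static-IP device still matches
        return OUI_VLAN[ep.mac[:6]]
    return QUARANTINE_VLAN                # unknown device: park it where it can be profiled

def enforce(repo: dict, calling_station_id: str) -> dict:
    """Handle one mac-radius request; the endpoint record is created on first sight."""
    ep = repo.setdefault(normalise_mac(calling_station_id), Endpoint(normalise_mac(calling_station_id)))
    ep.last_vlan = choose_vlan(ep)
    return vlan_attrs(ep.last_vlan)

def profile_update(repo: dict, calling_station_id: str, category: str) -> bool:
    """The profiler learned a category. Returns True when a CoA is needed because
    the VLAN the switch currently holds no longer matches the policy."""
    mac = normalise_mac(calling_station_id)
    ep = repo.setdefault(mac, Endpoint(mac))
    ep.category = category
    return ep.last_vlan is not None and choose_vlan(ep) != ep.last_vlan

if __name__ == "__main__":
    repo = {}                                             # constructed, empty endpoints repository
    print(enforce(repo, "3C:2A:F4:11:22:33"))             # unknown printer -> quarantine VLAN 999
    print(profile_update(repo, "3c:2a:f4:11:22:33", "Printer"))  # True: CoA needed
    print(enforce(repo, "3C:2A:F4:11:22:33"))             # re-auth after CoA -> VLAN 30
```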
07-28-2015 10:43 AM
So far I tested with an Aruba AP and it is working fine, since Aruba APs request DHCP. I will test today with a device that has a static address and see how it goes.
From your experience, if a device has a static IP, would it still be profiled upon performing MAC auth?