Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass profiler doesnt seems to be working...

  • 1.  Clearpass profiler doesnt seems to be working...

    Posted Mar 29, 2014 06:29 PM

    Okay, I set the DHCP server on my L3 switch

    Which has the DHCP server and also has the ClearPass Policy Manager as another entry, just like the tech note said to do it.

    http://d1x3hnhct7p62q.cloudfront.net/SupportSite/ProductionFiles/5b2e82c2-de73-4151-be12-2cbed524db8e/ClearPassProfileTechNote.pdf?Expires=1396131894&Signature=V6WsM~F4X8UkKIce4x13aJpRGwBDlgC8CmRsPyMNJUsq0jVV~iU8GSAtdTl0JKePDBkIn72Eh2Y7ZCGlLCkVCedCwWS9cYyfsKHaEe5w2GpvJe8ebPvxeGQuTYpX3UObkYzCVQcIOkzVfPBH4mFTRbX2sL4D~Yt2ThT1yuYoYzYVGowFlKSIdEshdWv~uYI6M5OOcleuFb4--rlmbKzuiSRqZaS--FQstktvd5EVvdYI5MErJ2XMHajPYANOvK4T2NuRbioEd4kMc4EbSgcBmFlAgdr3WIaejjHNbwdlB1u~jrNbRMBG-bZ0nEmQkgoudRMKULoGBhfaHoLi~3T9qg__&Key-Pair-Id=APKAJCOCR7KIA7QV5SEQ

     

    The "Enable this server for endpoint classification" is on

     

    The only thing I cannot find how to do is adding the profiler license, as it's not listed... as this tech note is for ClearPass 5, I guess maybe this part does not apply to ClearPass 6.3...

     

    I don't see any entry being updated. ClearPass just saw it a long time ago when I was testing the ClearPass Guest feature... but now I want it to work with DHCP and it doesn't seem to work... it has not seen any new entries nor updated their entries...

     

    I'm here trying with my laptop, doing ipconfig /release

    ipconfig /renew to force it to ask for the IP address, and it doesn't seem to work...

     

    Any hint or advice on this?

     

    Cheers

    Carlos



  • 2.  RE: Clearpass profiler doesnt seems to be working...

    EMPLOYEE
    Posted Mar 29, 2014 06:31 PM

    Profiler is included in 6.x, no extra license.

     

    I've never done DHCP on a switch before, but are you sure it is forwarding the requests to ClearPass? If the DHCP server is in the same segment, it might not relay? 

     

    Can you span the uplink and run a packet capture?

     

    Also, ClearPass only profiles on a DHCP discover. So if you already have an address, release/renew will not work.



  • 3.  RE: Clearpass profiler doesnt seems to be working...

    Posted Mar 29, 2014 06:39 PM

    Hello Tim!

    I'll delete the IP of the DHCP server... and I'll try again.

     

    Well, I did what the tech note says

    It tells you how to do it on a Cisco layer 3 switch

    What I did was do it on an Alcatel switch instead, but it's the same...

    I did this

    interface <VLAN_NAME>
    ip address <IP_ADDR> <NETMASK>
    ip helper-address <DHCP SERVER IP>
    ip helper-address <CPPM IP>
    end

     On the Alcatel switch...

    The ip helper which is the DHCP server address was already on the switch, as we need it to send DHCP addresses to the machines on different VLANs... so the only thing I did was add another DHCP server, which is the ClearPass.

     

    And yes, the DHCP server is on the same segment as the ClearPass

    Why won't it forward it?

    I thought that the request reached the core switch and the core switch just sent the request to both ip helper addresses I had...

     

    Cheers

    Carlos



  • 4.  RE: Clearpass profiler doesnt seems to be working...

    EMPLOYEE
    Posted Mar 29, 2014 06:40 PM

    OK, but is the DHCP server upstream or running on the switch itself?

     

    Can you try a fresh device that doesn't have a lease?



  • 5.  RE: Clearpass profiler doesnt seems to be working...

    Posted Mar 29, 2014 06:42 PM

    It is a Windows 2012 DHCP server...

     

    Cheers

    Carlos



  • 6.  RE: Clearpass profiler doesnt seems to be working...

    Posted Mar 29, 2014 06:47 PM

    I went to the DHCP server

    Deleted the entry of my smartphone

     

    Reconnected again and it took another IP address

     

    The profiler didn't update it...

    Last time updated was on March 19 when I was using ClearPass Guest  :(



  • 7.  RE: Clearpass profiler doesnt seems to be working...

    Posted Mar 29, 2014 06:56 PM

    My switch seems to be sending the DHCP request

     

    ALT-CORE-> show ip helper stats
    
     Global Statistics :
        Reception From Client :
          Total Count =      63706, Delta =          0,
        Forw Delay Violation :
          Total Count =          0, Delta =          0,
        Max Hops Violation :
          Total Count =          0, Delta =          0,
        Agent Info Violation :
          Total Count =          0, Delta =          0,
        Invalid Gateway IP :
          Total Count =          0, Delta =          0,
        Invalid Agent Info From Server :
          Total Count =          0, Delta =          0,
     Server Specific Statistics :
        Server  172.16.3.30     
            Tx Server :
              Total Count =      62320, Delta =          0
        Server  172.16.3.223    
            Tx Server :
              Total Count =        137, Delta =          0
    
    ALT-CORE-> show ip helper stats
    
     Global Statistics :
        Reception From Client :
          Total Count =      63708, Delta =          2,
        Forw Delay Violation :
          Total Count =          0, Delta =          0,
        Max Hops Violation :
          Total Count =          0, Delta =          0,
        Agent Info Violation :
          Total Count =          0, Delta =          0,
        Invalid Gateway IP :
          Total Count =          0, Delta =          0,
        Invalid Agent Info From Server :
          Total Count =          0, Delta =          0,
     Server Specific Statistics :
        Server  172.16.3.30     
            Tx Server :
              Total Count =      62322, Delta =          2
        Server  172.16.3.223    
            Tx Server :
              Total Count =        139, Delta =          2
    
    ALT-CORE-> 

     As you see, the counters are increasing on both servers... the .30 which is the DHCP server and the .223 which is the ClearPass server.

     

    There is no firewall or anything blocking between them.

     

    Cheers

    Carlos



  • 8.  RE: Clearpass profiler doesnt seems to be working...

    Posted Mar 29, 2014 10:04 PM

    On the ClearPass logs with the packet capture, the DHCP packets are reaching the ClearPass, so it's not that they are not reaching it...



  • 9.  RE: Clearpass profiler doesnt seems to be working...

    EMPLOYEE
    Posted Mar 29, 2014 10:24 PM

    I feel bad for asking, but I still have to. You do have profiler enabled. :)

     

    Also you can enable span port and see if we are getting the packets. 

     

    Just as a precaution go in the CLI and run.....   service restart all

     

    profilerpic.png

     

     

     

    One other option to see if profiler is working is to do an SNMP read of the switch and see if we pull ARP data out of it. 

     

    snmpread.png

     



  • 10.  RE: Clearpass profiler doesnt seems to be working...

    Posted Mar 29, 2014 10:33 PM

    Hello Troy

    In my first message I said that I had the profiler on :)  It's on by default... or at least I didn't turn it on, it was already on.

     

    I don't have the DHCP span port enabled, as the tech note didn't say anything about that...

     

    I'll enable it and restart all the services..

     

    The profiler is working, as I have a captive portal on the ClearPass for our guest visitors in our company :) and I can see the last time, for example, my Windows phone was updated

    Look

    profiler.PNG

     

    But I wanted it to work with the DHCP option... as that one is easier to configure.  

    I believe it should work, but something silly is happening or something silly I'm doing is making it not work :(

     

    Cheers

    Carlos

     



  • 11.  RE: Clearpass profiler doesnt seems to be working...

    Posted Mar 29, 2014 10:35 PM

    Troy, which method do you use when you are not using Onboard, which it would get the information from, or when you are not using OnGuard and you are not getting the information from the agent?

     

    I thought that DHCP could be the best way to go, but now I encounter this :P

     

    Cheers

    Carlos



  • 12.  RE: Clearpass profiler doesnt seems to be working...

    Posted Mar 29, 2014 10:44 PM

    I also did some packet capture, which shows you

    profiler2.png

     

    As you see, the DHCP packet is reaching the ClearPass... and the IP address requested is reaching the ClearPass



  • 13.  RE: Clearpass profiler doesnt seems to be working...

    Posted Mar 29, 2014 10:48 PM

    Well, I turned on the DHCP span port, I restarted all the services, and that entry is still not updated on the ClearPass... :(



  • 14.  RE: Clearpass profiler doesnt seems to be working...

    Posted Mar 29, 2014 11:10 PM

    Troy, I did more tests

    I took a new computer that was never used and I see the entry on the ClearPass, which was with the DHCP, which is good

     

    I took another Windows laptop, but this time this computer was registered by the profiler a while ago with the:

     

    Host User Agent:	Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0

     It had that entry when I was using the ClearPass Guest, so that's why it was using the host user agent, and classified as "windows" alone

     

    Now I turned it on again and I'm not using ClearPass Guest... I just connected to the business network, it says it updated it just now... but it keeps classifying it as "windows" when it should classify it as "windows 7", just like my other laptop I turned on.

    I see this entry

     

    profiler3.PNG

     

    Shouldn't it update it as Windows 7? Yeah, it says it was updated just now, but it's just telling me that it is a Windows machine, not a Windows 7 machine

     

    Should be like this?

     

    As an aside, my Windows phone still has not updated on the profiler. Its last update was still a while ago, even if I'm connecting right now...

     

    So, well, I'm confused whether it's working or not

    Seems to be partially working for me...

     

    Cheers

    Carlos



  • 15.  RE: Clearpass profiler doesnt seems to be working...

    Posted Mar 29, 2014 11:14 PM

    Well, I just saw, and it seems that it took a bit, but after restarting the services now I see that the Windows phone finally reported!!

     

    Thanks Troy :)

    Sorry for flooding your email with all my messages...

     

    But well, it seems to work now, but just wondering why my Windows laptop won't update to Windows 7 and stays on Windows alone?

    And it also keeps telling me that the method that it used was host user agent; with my Windows phone it says the same as well.

     

    Cheers

    Carlos



  • 16.  RE: Clearpass profiler doesnt seems to be working...

    EMPLOYEE
    Posted Mar 29, 2014 11:24 PM

    Carlos,

     

    You should configure IF-MAP on the controller pointing to ClearPass to get all of the information by looking at this:  http://www.arubanetworks.com/techdocs/ArubaOS_64_Web_Help/Web_Help_Index.htm#ArubaFrameStyles/Management_Utilities/CPPM-ifmap.htm

     

    Sometimes DHCP fingerprinting only gets you so much information.  The browser agent information is not transferred in the fingerprint.  It looks like it could only tell that it is a Windows computer from the fingerprint.  If you configured IF-MAP, the browser agent information would be transferred to CPPM without the fingerprint.  Configure IF-MAP, delete the endpoint and see if it works.  

     

    If you open a browser and hit the ClearPass guest page, ClearPass can add the browser agent information without ClearPass.  If you open a browser, but do not hit the ClearPass guest page, ClearPass will not have the browser agent information without IF-MAP being configured...
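
An added example (not part of the thread and not ClearPass code): a minimal parser for the DHCP fields that fingerprinting has to work with, run against a constructed relayed DISCOVER. The MAC, relay address and option values are constructed sample data; the message carries no browser user agent anywhere, which is the limit described in the reply above.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 7: "RELEASE"}

def parse_dhcp(payload: bytes) -> dict:
    """Return the DHCP fields visible to a profiler from one UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    hlen = min(payload[2], 16)
    info = {
        "giaddr": ".".join(str(b) for b in payload[24:28]),  # relay (ip helper) address
        "mac": ":".join(f"{b:02x}" for b in payload[28:28 + hlen]),
        "msg_type": None,            # option 53
        "param_request_list": None,  # option 55, order matters for fingerprints
        "vendor_class": None,        # option 60
    }
    i = 240
    while i < len(payload) and payload[i] != 255:  # 255 = end option
        if payload[i] == 0:                        # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == 53 and length == 1:
            info["msg_type"] = MSG_TYPES.get(value[0], str(value[0]))
        elif code == 55:
            info["param_request_list"] = ",".join(str(b) for b in value)
        elif code == 60:
            info["vendor_class"] = value.decode("ascii", "replace")
        i += 2 + length
    return info

def build_sample_discover() -> bytes:
    """Constructed DISCOVER as forwarded by a relay; all values are sample data."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 1, 0x12345678, 0, 0x8000,  # op, htype, hlen, hops, xid, secs, flags
        bytes(4), bytes(4), bytes(4), bytes([192, 0, 2, 1]),  # ci/yi/si/giaddr
        bytes.fromhex("020000000001"), bytes(64), bytes(128))
    prl = bytes([1, 15, 3, 6, 44, 46, 47, 31, 33, 121, 249, 43])
    options = (bytes([53, 1, 1]) + bytes([60, 8]) + b"MSFT 5.0"
               + bytes([55, len(prl)]) + prl + b"\xff")
    return header + MAGIC_COOKIE + options

if __name__ == "__main__":
    print(parse_dhcp(build_sample_discover()))
```

Feeding it the UDP payload of a packet captured on the ClearPass side shows which message type arrived and whether the relay address (giaddr) was filled in by the switch.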



  • 17.  RE: Clearpass profiler doesnt seems to be working...

    Posted Mar 29, 2014 11:59 PM

    Hello Collin

    Is this feature only available on 6.4?

    Because I'm on the 6.3 latest patch and it doesn't seem to work :(

     

    (Office_Alternetworks) (config) #ifmap
                                     ^
    % Invalid input detected at '^' marker.

     

     

    Cheers

    Carlos



  • 18.  RE: Clearpass profiler doesnt seems to be working...

    EMPLOYEE
    Posted Mar 30, 2014 12:05 AM

    It should be in ArubaOS 6.3:  http://www.arubanetworks.com/techdocs/ArubaOS_63_Web_Help/Web_Help_Index.htm#ArubaFrameStyles/Management_Utilities/CPPM-ifmap.htm  It should work....

     

    See if you can find it in the GUI under "all profiles":

     

    ifmap.png



  • 19.  RE: Clearpass profiler doesnt seems to be working...

    Posted Mar 30, 2014 12:13 AM

    Well, it doesn't work on the CLI

    I don't see it on the GUI either...

    Unless it is not supported on 620 controllers? But it doesn't say anything about that, or at least I don't see it.

     

    (Office_Alternetworks) (config) #ifmap
                                     ^
    % Invalid input detected at '^' marker.
    
    (Office_Alternetworks) (config) #show version 
    Aruba Operating System Software.
    ArubaOS (MODEL: Aruba620), Version 6.3.1.4
    Website: http://www.arubanetworks.com
    Copyright (c) 2002-2014, Aruba Networks, Inc.
    Compiled on 2014-03-18 at 14:59:06 PDT (build 42768) by p4build
    
    ROM: System Bootstrap, Version CPBoot 1.0.0.0 (build 23274) 
    Built: 2010-01-19 11:11:41
    Built by: p4build@re_client_23274
    
    
    Switch uptime is 23 hours 52 minutes 1 seconds
    Reboot Cause: User reboot.
    Supervisor Card
    Processor XLS 204 (revision A1) with 928M bytes of memory. 
    32K bytes of non-volatile configuration memory.
    256M bytes of Supervisor Card System flash (model=NAND 256MB)

     

    ifmap.PNG

     

    Well this is odd...


    Cheers

    Carlos



  • 20.  RE: Clearpass profiler doesnt seems to be working...

    Posted Mar 30, 2014 12:19 AM

    Well, I just found it

     

    ftp://ftp.afina.es/Aruba/Aruba_OS/UPGRADE_3000_6.3.1.1-ArubaOS/ArubaOS%206.3.1.1%20RN.pdf

     

    The ifmap is not supported on 6xx, like many other features :P Now I'm starting to hate 620s :)