ClearPass profiler doesn't seem to be working...

Okay, I set the DHCP server on my L3 switch, which has the DHCP server and also the ClearPass Policy Manager as another entry, just like the tech note said to do.

http://d1x3hnhct7p62q.cloudfront.net/SupportSite/ProductionFiles/5b2e82c2-de73-4151-be12-2cbed524db8e/ClearPassProfileTechNote.pdf?Expires=1396131894&Signature=V6WsM~F4X8UkKIce4x13aJpRGwBDlgC8CmRsPyMNJUsq0jVV~iU8GSAtdTl0JKePDBkIn72Eh2Y7ZCGlLCkVCedCwW...

 

The "Enable this server for endpoint classification" is on.

The only thing I cannot find how to do is adding the profiler license, as it's not listed... As this tech note is for ClearPass 5, I guess maybe this part does not apply to ClearPass 6.3...

I don't see any entry being updated. ClearPass just saw it a long time ago when I was testing the ClearPass Guest feature... but now that I want it to work with DHCP, it doesn't seem to work... It has not seen any new entries, nor updated its entries...

I'm here trying with my laptop, doing ipconfig /release and ipconfig /renew to force it to ask for the IP address, and it doesn't seem to work...

Any hint or advice on this?

 

Cheers

Carlos

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Guru Elite

Re: ClearPass profiler doesn't seem to be working...

Profiler is included in 6.x, no extra license.

 

I've never done DHCP on a switch before, but are you sure it is forwarding the requests to ClearPass? If the DHCP server is in the same segment, it might not relay? 

 

Can you span the uplink and run a packet capture?

 

Also, ClearPass only profiles on a DHCP discover. So if you already have an address, release/renew will not work.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
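
To check what the capture suggested in the reply above actually contains, the sketch below parses a DHCP payload and reports its message type, relay address (giaddr) and fingerprint options. It is an added example, not code from the thread or from Aruba; the names `parse_dhcp`, `verdict`, `sample` and `PROFILED` are hypothetical, the discover-only rule is taken from the reply above, and the sample packets (relay address 192.0.2.1 included) are constructed.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie that follows the 236-byte BOOTP header
TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 7: "RELEASE"}
PROFILED = {"DISCOVER"}       # assumption: taken from the reply above

def parse_dhcp(payload: bytes) -> dict:
    """Parse the UDP payload of one DHCP message (RFC 2131 header, RFC 2132 options)."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:      # 255 = end of options
        if payload[i] == 0:                            # 0 = pad byte, has no length
            i += 1
            continue
        if i + 2 > len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        opts[payload[i]] = payload[i + 2:i + 2 + payload[i + 1]]
        i += 2 + payload[i + 1]
    giaddr = ".".join(map(str, payload[24:28]))        # set by the relay (ip helper)
    return {
        "type": TYPES.get((opts.get(53) or b"\0")[0], "UNKNOWN"),
        "mac": payload[28:28 + min(payload[2], 16)].hex(":"),
        "giaddr": giaddr,
        "relayed": giaddr != "0.0.0.0",
        "fingerprint": list(opts.get(55, b"")),        # option 55: parameter request list
        "vendor_class": opts.get(60, b"").decode("ascii", "replace"),
    }

def verdict(msg: dict) -> str:
    """Say whether this packet could feed DHCP profiling, and if not, why."""
    if msg["type"] not in PROFILED:
        return "ignored: " + msg["type"]
    if not msg["fingerprint"]:
        return "ignored: no option 55"
    return "usable, relayed" if msg["relayed"] else "usable, direct"

def sample(msg_type: int, giaddr: bytes = bytes(4)) -> bytes:
    """Constructed test packet: client 00:11:22:33:44:55, Windows-style options."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s", 1, 1, 6, 0, 0x1234ABCD, 0, 0,
                      bytes(4), bytes(4), bytes(4), giaddr,
                      bytes.fromhex("001122334455"))
    opts = bytes([53, 1, msg_type, 55, 4, 1, 3, 6, 15, 60, 8]) + b"MSFT 5.0\xff"
    return hdr + bytes(192) + MAGIC + opts

if __name__ == "__main__":
    for raw in (sample(1, bytes([192, 0, 2, 1])), sample(3)):
        m = parse_dhcp(raw)
        print(m["mac"], m["type"], m["giaddr"], m["fingerprint"], "->", verdict(m))
```

Fed the UDP payloads (ports 67/68) exported from a capture, a run of `ignored: REQUEST` lines with no DISCOVER would separate a delivery problem from a client that never sent the message type being profiled.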

Re: ClearPass profiler doesn't seem to be working...

Hello Tim!

I'll delete the IP of the DHCP server... and I'll try again.

Well, I did what the tech note says.

It tells you how to do it on a Cisco layer 3 switch.

What I did was do it on an Alcatel switch instead, but it's the same...

I did this:

interface <VLAN_NAME>
ip address <IP_ADDR> <NETMASK>
ip helper-address <DHCP SERVER IP>
ip helper-address <CPPM IP>
end

On the Alcatel switch...

The ip helper which is the DHCP server address was already on the switch, as we need it to send DHCP addresses to the machines on different VLANs... so the only thing I did was add another DHCP server, which is the ClearPass.

And yes, the DHCP server is on the same segment as the ClearPass.

Why won't it forward it?

I thought that the request reached the core switch and the core switch just sent the request to both ip helper addresses I had...

 

Cheers

Carlos

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Guru Elite

Re: ClearPass profiler doesn't seem to be working...

OK, but is the DHCP server upstream or running on the switch itself?

 

Can you try a fresh device that doesn't have a lease?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: ClearPass profiler doesn't seem to be working...

It is a Windows 2012 DHCP server...

 

Cheers

Carlos

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp

Re: ClearPass profiler doesn't seem to be working...

I went to the DHCP server and deleted the entry for my smartphone.

I reconnected and it took another IP address.

The profiler didn't update it...

The last time it was updated was on March 19, when I was using ClearPass Guest :(

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp

Re: ClearPass profiler doesn't seem to be working...

My switch seems to be sending the DHCP requests.

 

ALT-CORE-> show ip helper stats

 Global Statistics :
    Reception From Client :
      Total Count =      63706, Delta =          0,
    Forw Delay Violation :
      Total Count =          0, Delta =          0,
    Max Hops Violation :
      Total Count =          0, Delta =          0,
    Agent Info Violation :
      Total Count =          0, Delta =          0,
    Invalid Gateway IP :
      Total Count =          0, Delta =          0,
    Invalid Agent Info From Server :
      Total Count =          0, Delta =          0,
 Server Specific Statistics :
    Server  172.16.3.30     
        Tx Server :
          Total Count =      62320, Delta =          0
    Server  172.16.3.223    
        Tx Server :
          Total Count =        137, Delta =          0

ALT-CORE-> show ip helper stats

 Global Statistics :
    Reception From Client :
      Total Count =      63708, Delta =          2,
    Forw Delay Violation :
      Total Count =          0, Delta =          0,
    Max Hops Violation :
      Total Count =          0, Delta =          0,
    Agent Info Violation :
      Total Count =          0, Delta =          0,
    Invalid Gateway IP :
      Total Count =          0, Delta =          0,
    Invalid Agent Info From Server :
      Total Count =          0, Delta =          0,
 Server Specific Statistics :
    Server  172.16.3.30     
        Tx Server :
          Total Count =      62322, Delta =          2
    Server  172.16.3.223    
        Tx Server :
          Total Count =        139, Delta =          2

ALT-CORE-> 

As you see, the counters are increasing on both servers... the .30, which is the DHCP server, and the .223, which is the ClearPass server.

There is no firewall or anything blocking between them.

 

Cheers

Carlos

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp

Re: ClearPass profiler doesn't seem to be working...

In the ClearPass logs, with the packet capture, the DHCP packets are reaching the ClearPass, so it's not that they are not reaching it...

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Aruba

Re: ClearPass profiler doesn't seem to be working...

I feel bad for asking, but I still have to. You do have profiler enabled. :)

 

Also you can enable span port and see if we are getting the packets. 

 

Just as a precaution go in the CLI and run.....   service restart all

 

profilerpic.png

 

 

 

One other option to see if profiler is working is to do an SNMP read of the switch and see if we pull ARP data out of it.

 

snmpread.png

 

Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.

Re: ClearPass profiler doesn't seem to be working...

Hello Troy

In my first message I said that I had the profiler on :) It's on by default... or at least I didn't turn it on; it was already on.

I don't have the DHCP span port enabled, as the tech note didn't say anything about that...

I'll enable it and restart all the services...

The profiler is working, as I have a captive portal on the ClearPass for our guest visitors in our company :) and I can see the last time that, for example, my Windows phone was updated.

Look:

profiler.PNG

 

But I wanted it to work with the DHCP option... as that one is easier to configure.

I believe it should work, but something silly is happening, or something silly I'm doing, that is not working :(

 

Cheers

Carlos

 

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp