Frequent Contributor II
Posts: 109
Registered: ‎01-01-2012

Clearpass profiling based enforcement

Hi,

I have created enforcement VLAN profiles for a wireless 802.1X SSID based on user device make: Sony/LG/Samsung, etc.

But it doesn't work at the first instance; it gives an error like "can't get information for category". I guess that means the device is not profiled.

Once I connect this client to the other onboarding SSID it gets profiled, and then on the first SSID the device gets the proper profile.

What is the proper procedure to achieve profiling?

 

Guru Elite
Posts: 20,993
Registered: ‎03-29-2007

Re: Clearpass profiling based enforcement

Profiling occurs after a device obtains a DHCP address.  802.1x authentication occurs before DHCP.  If a device has never done DHCP, it would not be profiled or in the endpoint database, so the first time it connects via 802.1x, we do not know what type of device it is...



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Guru Elite
Posts: 8,456
Registered: ‎09-08-2010

Re: Clearpass profiling based enforcement

If you have RADIUS accounting enabled, you can do a delayed session timeout, but the user experience isn't great.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor II
Posts: 109
Registered: ‎01-01-2012

Re: Clearpass profiling based enforcement

Hi Colin,

So what would be the proper (acceptable to the customer ;) ) way to address it?

Guru Elite
Posts: 20,993
Registered: ‎03-29-2007

Re: Clearpass profiling based enforcement

What are you trying to do?

 



Colin Joseph
Aruba Customer Engineering


Frequent Contributor II
Posts: 109
Registered: ‎01-01-2012

Re: Clearpass profiling based enforcement

 

Basically, if a user comes and connects to the 802.1X SSID with an Android device, it should get VLAN x.

A user who comes with iOS should get VLAN y.

Both users are new to the network, connecting for the very first time.

In this case these devices are not profiled, hence they will never get profiled and connected.

What modification is required to first allow the non-profiled device, something like bounce the device connection, and then apply the proper profile while reconnecting?

Guru Elite
Posts: 20,993
Registered: ‎03-29-2007

Re: Clearpass profiling based enforcement

Let's take a few steps back:

 

Why does the customer want Android and iOS devices in different VLANs?

 



Colin Joseph
Aruba Customer Engineering


Frequent Contributor II
Posts: 109
Registered: ‎01-01-2012

Re: Clearpass profiling based enforcement

It was just an example... actually the requirement is:

Computer >> VLAN x

Smartphone >> VLAN y

Guru Elite
Posts: 20,993
Registered: ‎03-29-2007

Re: Clearpass profiling based enforcement

If it is a domain computer, you can use ClearPass rules to detect that and return an enforcement profile: http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Enforce-Machine-Authentication/td-p/58918/highlight/true/page/2

Any other devices simply get the "other" enforcement profile, which will put them into the second VLAN.



Colin Joseph
Aruba Customer Engineering


Frequent Contributor II
Posts: 109
Registered: ‎01-01-2012

Re: Clearpass profiling based enforcement

OK, but that will only partially solve the problem.

And I forgot to mention that one more requirement is to block devices other than Samsung/Apple, for which profiling is a must.
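
Added example, not part of the thread and not ClearPass's own logic: a small Python model of the sequence discussed above, in which an unprofiled device is admitted to a holding VLAN with a short RADIUS Session-Timeout, gets profiled from DHCP, and is then re-authenticated into the VLAN for its category or rejected. The VLAN numbers, holding VLAN, timeout and MAC addresses are constructed, and reading the "delayed session timeout" suggestion as a short Session-Timeout is an assumption.

```python
# Toy model of profile-based VLAN enforcement; this is not ClearPass code.
# VLAN IDs, the holding VLAN, the timeout and the MACs are constructed values.
CATEGORY_VLAN = {"computer": 10, "smartphone": 20}   # VLAN x / VLAN y
ALLOWED_VENDORS = {"samsung", "apple"}
HOLDING_VLAN = 99       # assumed restricted VLAN: DHCP only
REAUTH_SECONDS = 60     # assumed short Session-Timeout


def vlan_attrs(vlan):
    """Standard RADIUS tunnel attributes for dynamic VLAN assignment (RFC 3580)."""
    return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-Id": str(vlan)}


def enforce(mac, endpoints):
    """Decide the RADIUS reply for a user who already passed 802.1X."""
    profile = endpoints.get(mac.lower())
    if profile is None:
        # First connect: 802.1X ran before DHCP, so there is no profile yet.
        # Admit to the holding VLAN and force a re-authentication soon.
        attrs = vlan_attrs(HOLDING_VLAN)
        attrs["Session-Timeout"] = REAUTH_SECONDS
        attrs["Termination-Action"] = "RADIUS-Request"
        return "Access-Accept", attrs
    vlan = CATEGORY_VLAN.get(profile["category"])
    if profile["vendor"].lower() not in ALLOWED_VENDORS or vlan is None:
        return "Access-Reject", {}   # profiled, but not a permitted device
    return "Access-Accept", vlan_attrs(vlan)


def first_and_second_connect(mac, category, vendor):
    """Replay the sequence: 802.1X, then DHCP profiling, then re-auth."""
    endpoints = {}                                   # empty endpoint database
    first = enforce(mac, endpoints)
    endpoints[mac.lower()] = {"category": category, "vendor": vendor}  # DHCP seen
    second = enforce(mac, endpoints)
    return first, second


if __name__ == "__main__":
    for args in [("AA:BB:CC:00:00:01", "smartphone", "Samsung"),
                 ("AA:BB:CC:00:00:02", "computer", "Apple"),
                 ("AA:BB:CC:00:00:03", "smartphone", "Sony")]:
        print(args, first_and_second_connect(*args))
```

The model makes the trade-off visible: a block-by-vendor rule can only fire on the second authentication, so the holding VLAN has to be restrictive enough that the first, unprofiled session grants nothing beyond DHCP.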
