Profiling Devices without CoA

Is CPPM capable of profiling devices authenticating to it without performing any CoA action? If I enable Profiler in a service, I have to select an Endpoint Classification and CoA Action. Policy Manager is adding endpoints to the repository, but it isn't profiling them in any way. If I just want some basic profiling to take place, such as type of device, host name, OS, etc., to be gathered, what do I need to configure?

Edit:

After reading the UG again, it seems as though CPPM should at least be classifying these devices based off the MAC that it's receiving in the 802.1X request. That's not working, though. I'm going to set up some IP helpers to forward DHCP traffic to CPPM and see if that helps any.

=======================================
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.
Aruba

Re: Profiling Devices without CoA

What classification collector are you looking to enable? There is DHCP, ClearPass Onboard, HTTP User-Agent, MAC OUI, ActiveSync, OnGuard, SNMP, and Subnet Scanner. The support site has a TechNote that may help you (it is for version 5.x, but I think the same principles apply): http://support.arubanetworks.com/DOCUMENTATION/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=8389

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
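
The DHCP collector named above only has what a relayed DISCOVER/REQUEST carries: the client MAC in chaddr, the relay's address in giaddr, and client-supplied options such as hostname (12), parameter request list (55) and vendor class (60). The following is an added example, not ClearPass code, of parsing one such packet and classifying it the way a DHCP collector plus a MAC OUI collector would. The packet, the OUI table and the option-55 fingerprint table are constructed stand-ins for illustration. On a Cisco IOS SVI the relay is an additional `ip helper-address <cppm-ip>` beside the real DHCP server's; the router forwards a unicast copy of each client broadcast to every helper, with hops incremented and giaddr set to the SVI address, so the profiler sees the packet without ever answering it.

```python
"""Added example (not ClearPass code): what a DHCP classification collector
can extract from one client DHCP DISCOVER once a router's ip helper-address
relays it to the profiler.  Packet, OUI table and fingerprint table below are
all constructed for illustration."""
import socket
import struct
from dataclasses import dataclass
from typing import Optional

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132: marks start of DHCP options

# Constructed lookup tables; a real profiler ships much larger databases.
OUI_TABLE = {"00:1e:c9": "Dell", "00:1b:63": "Apple", "00:50:56": "VMware"}
FINGERPRINTS = {  # option 55 parameter request lists -> OS family (illustrative)
    (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252): "Windows",
    (1, 121, 3, 6, 15, 119, 252, 95, 44, 46): "macOS",
}


@dataclass
class DhcpFingerprint:
    msg_type: int                 # option 53: 1 = DISCOVER, 3 = REQUEST
    client_mac: str               # chaddr, the endpoint the profiler keys on
    relay_ip: str                 # giaddr, filled in by the ip helper router
    hostname: Optional[str]       # option 12, client supplied
    vendor_class: Optional[str]   # option 60, client supplied
    param_request_list: tuple     # option 55, the "fingerprint"


def parse_options(buf: bytes) -> dict:
    """Walk the TLV option area: PAD (0) has no length, END (255) stops."""
    opts, i = {}, 0
    while i < len(buf) and buf[i] != 255:
        if buf[i] == 0:
            i += 1
            continue
        if i + 1 >= len(buf) or i + 2 + buf[i + 1] > len(buf):
            raise ValueError("truncated DHCP option")
        code, length = buf[i], buf[i + 1]
        opts[code] = opts.get(code, b"") + buf[i + 2:i + 2 + length]  # RFC 3396 concat
        i += 2 + length
    return opts


def parse_dhcp(packet: bytes) -> DhcpFingerprint:
    """Fixed BOOTP header is 236 bytes, then the 4-byte cookie, then options."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    hlen = packet[2]
    if hlen > 16:
        raise ValueError("bad hlen")
    mac = ":".join(f"{b:02x}" for b in packet[28:28 + hlen])
    opts = parse_options(packet[240:])

    def text(code):
        return opts[code].decode("ascii", "replace") if code in opts else None

    return DhcpFingerprint(
        msg_type=opts.get(53, b"\0")[0],
        client_mac=mac,
        relay_ip=socket.inet_ntoa(packet[24:28]),
        hostname=text(12),
        vendor_class=text(60),
        param_request_list=tuple(opts.get(55, b"")),
    )


def classify(fp: DhcpFingerprint) -> dict:
    """Vendor from the MAC OUI, OS from option 55, then option 60 as fallback.
    Everything except the OUI is client supplied and trivially spoofable, so
    this is an inventory aid, not an authentication decision."""
    os_guess = FINGERPRINTS.get(fp.param_request_list)
    if os_guess is None and fp.vendor_class:
        if fp.vendor_class.startswith("MSFT"):
            os_guess = "Windows"
        elif fp.vendor_class.startswith("android-dhcp"):
            os_guess = "Android"
    return {"vendor": OUI_TABLE.get(fp.client_mac[:8]), "os": os_guess,
            "hostname": fp.hostname, "relay": fp.relay_ip}


def build_discover(mac: bytes, giaddr: str, hostname: bytes, vendor: bytes,
                   prl: bytes) -> bytes:
    """Constructed DISCOVER as it arrives from a relay (hops=1, giaddr set)."""
    header = struct.pack("!BBBB4sHH4s4s4s4s16s64s128s",
                         1, 1, 6, 1, b"\x12\x34\x56\x78", 0, 0x8000,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, socket.inet_aton(giaddr),
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = (bytes([53, 1, 1]) + bytes([12, len(hostname)]) + hostname
               + bytes([60, len(vendor)]) + vendor + bytes([55, len(prl)]) + prl
               + b"\xff")
    return header + MAGIC_COOKIE + options


def demo() -> dict:
    """Relayed DISCOVER from a constructed Dell laptop behind the 10.20.30.1 SVI."""
    pkt = build_discover(bytes.fromhex("001ec9aabbcc"), "10.20.30.1", b"LAPTOP01",
                         b"MSFT 5.0",
                         bytes([1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252]))
    return classify(parse_dhcp(pkt))


if __name__ == "__main__":
    print(demo())
```

The `relay` field (giaddr) is the quickest check that a given subnet's helper is actually delivering copies to the server: a DISCOVER with giaddr 0.0.0.0 came in directly on the server's own segment, anything else names the SVI that relayed it. Hostname and vendor class are whatever the client chose to send, so a profile built from them is inventory, not identity.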

Re: Profiling Devices without CoA

Thanks for the doc, Clembo.

I'll set up the DHCP relay and see what happens.

Re: Profiling Devices without CoA

I've set up DHCP relays on my wired and wireless client subnets. Also, I created Zones for my PM servers and set up subnet scans for each PM zone. The subnet scans are scanning printer and VoIP ranges. The DHCP relay and subnet scans have been set up for several days.

So far, PM has only discovered 45 endpoints. There should be at least a couple hundred devices found via subnet scans. There should be several hundred devices discovered via DHCP as well. I've double-checked my helper addresses, subnet scans, and PM zones and they're all set up correctly. The subnet scan interval is 24 hours.

My PM cluster isn't in production per se; I only have 3 devices that are authenticating via PM as my initial test. I mention that because I thought maybe PM will only profile devices that are authenticating via PM, but that can't be true since I see 45 devices profiled that are not yet using PM for authentication.

Any thoughts?

Guru Elite

Re: Profiling Devices without CoA

What kind of layer3 switches/routers do you have in your environment?

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Re: Profiling Devices without CoA

Cisco 6500s.
Guru Elite

Re: Profiling Devices without CoA

Can devices ping cppm from their subnet? 


Re: Profiling Devices without CoA

Yes.
Guru Elite

Re: Profiling Devices without CoA

Under Administration > Server Manager > Server Configuration > Services Control, please make sure that Async Network Services is Running.

If it is running, go to Administration > Server Manager > Log Configuration > Service Log Configuration. Change the service to Async Network Services. Change the log level to Debug and save. Wait a few minutes and then send the logs to TAC.

EDIT: Last but not least, under Administration > Server Manager > Server Configuration > System, make sure that "Enable to allow this server to perform endpoint classification" is checked.


Re: Profiling Devices without CoA

Will do, thanks.

Is there any way to schedule the subnet scan or force it to run?