Security

Reply
Occasional Contributor I
Posts: 9
Registered: ‎09-24-2014

Some endpoints not getting profiled for some reason?

We have some endpoints that aren't getting profiled for some reason and I can't figure out why. My VOIP guy is plugging in new out of the box Cisco phones and they aren't getting profiled. Even though we already have hundreds of this exact same phone model and OS on the network. Why is it randomly not profiling these phones? 

 

We're on 6.6.0.81015. Cisco switches are 4507 running  03.06.04.E. Under Endpoint Profiler, I currently show 636 of these model phones that I'm having issues with. 

Guru Elite
Posts: 19,983
Registered: ‎03-29-2007

Re: Some endpoints not getting profiled for some reason?

Are you using a second ip helper-address so send a copy of the DHCP traffic to clearpass?  That is the only way they would be profiled..

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
MVP
Posts: 4,012
Registered: ‎07-20-2011

Re: Some endpoints not getting profiled for some reason?

Are those devices getting an IP address and if yes then are you using ClearPass as a DHCP relay under the VOIP layer 3 VLAN so that ClearPass can receive the profile information?

Get Outlook for iOS
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor I
Posts: 9
Registered: ‎09-24-2014

Re: Some endpoints not getting profiled for some reason?

Yes there is an ip-helper address. It's obviously working by the fact that I already have 636 of these exact phones succefully authorized. 

We have three helper addresses on our SVI, two are the DHCP servers and the third is the ClearPass server

MVP
Posts: 4,012
Registered: ‎07-20-2011

Re: Some endpoints not getting profiled for some reason?

Are you using the profile information to allow access ? If yes then you need either allow the phone to connect to a port that doesn't have authentication enabled so it can get an IP address or enable the profiler to the service
http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Clearpass-with-802-1x-and-endpoint-profiling-of-ip-phones-Aruba/td-p/232092


Get Outlook for iOS
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor I
Posts: 9
Registered: ‎09-24-2014

Re: Some endpoints not getting profiled for some reason?

[ Edited ]

For the service that it is hitting, I do not have "Profile Endpoints" checked and it is using the Endpoint Repository as the authentication source. 

 

Edit: the consultant who helped me set this up advised against checking the box for "profile endpoints". I'm not sure why he suggested that, but are you saying I should enable it on this service?

Guru Elite
Posts: 19,983
Registered: ‎03-29-2007

Re: Some endpoints not getting profiled for some reason?

Profiling should be independent of a service.  You should search for those devices in the endpoint database.

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
MVP
Posts: 4,012
Registered: ‎07-20-2011

Re: Some endpoints not getting profiled for some reason?

Adding the Profiler on your service allows you to dynamically profile devices .

You can place the device in a transition VLAN (Just to get DHCP and get profiled by ClearPass) and also make sure to send a CoA during that process so that way the device will be force to reauth and on the second auth ClearPass will have the Profiling information and then you should be able to use that information to provide access in your enforcement policy
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Search Airheads
Showing results for 
Search instead for 
Did you mean: