Contributor II
Posts: 67
Registered: ‎06-29-2014

smart device profiling

Hi,

We have ClearPass with an Aruba controller with dot1x authentication.

I want to profile my smart device, but it doesn't work. How can I do it? I have created a role named smart device, and a role mapping: if the authorization endpoint repo is equal to smart device, give him the smart device role.

Then in the enforcement policy I said: if the endpoint is not equal to profile => send the DHCP-only profile, which only sends a role on the controller with any any service dhcp permit, and the Aruba termination profile.

I have enabled the check boxes to enable profiling.

Please, waiting for your help.

Thanks

MVP
Posts: 4,307
Registered: ‎07-20-2011

Re: smart device profiling

You add your ClearPass as a DHCP relay on your Client VLAN at the Core or Distribution switch where the VLAN lives
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Contributor II
Posts: 67
Registered: ‎06-29-2014

Re: smart device profiling

I have added the CPPM and DHCP IP addresses as IP helpers on each VLAN interface on my controller.

Should I also add them on the same VLAN on the switches?

Guru Elite
Posts: 8,759
Registered: ‎09-08-2010

Re: smart device profiling

Yes it needs to be upstream on the client's gateway interface.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 4,307
Registered: ‎07-20-2011

Re: smart device profiling

As cappalli mentioned, it is more efficient to do it at the Core or Distribution switch where the SVI actually lives.

To use the information received by the ClearPass you need to do the following:

- First add the endpoint database as an Authorization Source to your service.

- Then add the Category/OS Family as Roles/Attributes.

- And then you can use those in your enforcement policy to apply a certain enforcement profile.


Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Contributor II
Posts: 67
Registered: ‎06-29-2014

Re: smart device profiling

Hi, I have tried the same configuration, but each time I am getting an error getting the category and OS type from the endpoint.

Do I have to create a specific role on the initial role on the controller?


Guru Elite
Posts: 8,759
Registered: ‎09-08-2010

Re: smart device profiling

You can use the logon role as a profile role. As the first rule in your service, you can do Category NOT_EXISTS, return the logon role. Be sure the profiler is enabled in your service.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
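
The rule ordering described in the reply above, modelled as an added example (not part of the original thread and not ClearPass code). It assumes first-applicable rule evaluation; the attribute values, profile names, default profile and sample endpoints are constructed for illustration.

```python
# Added illustration: a model of ordered, first-applicable rule evaluation.
# Category values, profile names and the default profile are assumptions.

def matches(endpoint, attr, op, value=None):
    """Evaluate one condition against an endpoint's stored attributes."""
    if op == "NOT_EXISTS":
        return attr not in endpoint
    if op == "EQUALS":
        return endpoint.get(attr) == value
    raise ValueError(f"unsupported operator: {op}")

# Ordered rules: (attribute, operator, value, enforcement profile).
RULES = [
    ("Category", "NOT_EXISTS", None, "logon-role"),  # endpoint not profiled yet
    ("Category", "EQUALS", "SmartDevice", "smart-device-role"),
]
DEFAULT_PROFILE = "deny-access"

def enforce(endpoint, rules=RULES, default=DEFAULT_PROFILE):
    """Return the profile of the first matching rule, else the default."""
    for attr, op, value, profile in rules:
        if matches(endpoint, attr, op, value):
            return profile
    return default

def simulate(first_seen):
    """Evaluate an endpoint before and after the profiler has filled in
    Category / OS Family from the relayed DHCP traffic."""
    before = enforce(first_seen)
    profiled = {**first_seen, "Category": "SmartDevice", "OS Family": "Android"}
    after = enforce(profiled)
    return before, after

if __name__ == "__main__":
    new_phone = {"MAC": "02:00:00:00:00:01"}  # constructed sample endpoint
    print(simulate(new_phone))
    laptop = {"MAC": "02:00:00:00:00:02", "Category": "Computer"}
    print(enforce(laptop))
    # Without the NOT_EXISTS rule, an unprofiled endpoint matches nothing
    # and falls through to the default profile.
    print(enforce(new_phone, rules=RULES[1:]))
```
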
Contributor II
Posts: 67
Registered: ‎06-29-2014

Re: smart device profiling

Do I need to bounce the client again?

Do I have to add another enforcement profile to update or bounce the client?

Thanks
