No, it does not work that way. The ip-helper is configured in the VLAN context, so if you are enabling ip-helper on an AOS-S switch like the 2930, then the switch needs a VLAN configured with an IP address for that subnet. As an example, here we have VLAN 10 with an IP address of 10.10.10.1/24, and it will send the DHCP request to 192.168.1.130 only when it receives this request on VLAN 10.
vlan 10
   name "Lab"
   untagged 4,9
   tagged 2-3,7
   ip address 10.10.10.1 255.255.255.0
   ip helper-address 192.168.1.130
------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
------------------------------
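A config audit for the point made in the reply above, as an added example that is not part of the original thread: it reads AOS-S style `vlan` stanzas and flags any VLAN where `ip helper-address` is set but the switch has no IP address in that VLAN. The function names `parse_vlans` and `relay_report` are hypothetical, and the sample config is constructed (VLAN 98 and 250 mirror the guest and management VLANs from the thread, with made-up addresses).

```python
import ipaddress
import re

# Constructed AOS-S style config for illustration (not taken from a real switch).
SAMPLE_CONFIG = """\
vlan 10
   name "Lab"
   ip address 10.10.10.1 255.255.255.0
   ip helper-address 192.168.1.130
   exit
vlan 98
   name "Guest"
   ip helper-address 192.168.1.130
   exit
vlan 250
   name "Mgmt"
   ip address 10.250.0.5 255.255.255.0
   exit
"""

def parse_vlans(config):
    """Return {vlan_id: {"interfaces": [IPv4Interface], "helpers": [str]}}."""
    vlans, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"vlan (\d+)", line):
            current = vlans.setdefault(int(m[1]), {"interfaces": [], "helpers": []})
        elif line == "exit" or current is None:
            current = None  # leave the VLAN context / ignore global lines
        elif m := re.fullmatch(r"ip address (\S+) (\S+)", line):
            current["interfaces"].append(ipaddress.ip_interface(f"{m[1]}/{m[2]}"))
        elif m := re.fullmatch(r"ip helper-address (\S+)", line):
            current["helpers"].append(m[1])
    return vlans

def relay_report(config):
    """Say, per VLAN, whether a configured helper-address can take effect."""
    report = {}
    for vid, v in sorted(parse_vlans(config).items()):
        if not v["helpers"]:
            report[vid] = "no helper-address"
        elif not v["interfaces"]:
            report[vid] = "helper-address set, but no IP address in this VLAN"
        else:
            report[vid] = f"relays requests from {v['interfaces'][0].network} to {', '.join(v['helpers'])}"
    return report

for vid, status in relay_report(SAMPLE_CONFIG).items():
    print(f"vlan {vid}: {status}")
```
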
Original Message:
Sent: May 04, 2022 05:43 AM
From: Matthias Pohl
Subject: Configuration for Profiling in ClearPass
I tried this.
I've configured the ip helper-address on VLAN 250 (mgmt VLAN). On this VLAN the mgmt IP is configured.
The client is placed in the guest VLAN 98. This is the enforcement profile.
I would expect that the switch sends a DHCP packet to ClearPass for profiling, regardless of which VLAN the client is in?
------------------------------
Matthias Pohl
Original Message:
Sent: May 03, 2022 07:51 PM
From: Ariya Parsamanesh
Subject: Configuration for Profiling in ClearPass
I think the ip-helper command should be configured on the device that has an IP address on the VLAN where you want this functionality.
So if your switch does not have an IP address on the guest VLAN, then the device, most likely the default gateway, can have an ip-helper pointing to ClearPass.
------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
Original Message:
Sent: May 03, 2022 03:08 AM
From: Matthias Pohl
Subject: Configuration for Profiling in ClearPass
We have several Aruba 2540 switches, and created several VLANs on the switch. We have a management VLAN, and created an IP address on this VLAN.
We've added the switch with this IP address in ClearPass.
For profiling, new devices are placed in our guest VLAN. I've added ClearPass as an ip helper-address on the switch. Profiling isn't working and I can't see any traffic on the firewall.
If I configure an IP in the guest VLAN, I can see the UDP 67 packet on the firewall, but the packet uses the default GW from the mgmt VLAN while using the interface IP from the guest VLAN, and it is sent over the management VLAN. It is blocked on the FW with "Reverse routing mismatch", because this IP is not expected on this VLAN. Profiling is still not working.
If I change the configuration and use the guest VLAN as source-interface for RADIUS, change the default GW, and configure the switch with this IP as a network device in ClearPass, the profiling works fine.
Is there any solution to get profiling working without configuring an IP within the guest VLAN? We would like to separate the mgmt IP from our guest network.
------------------------------
Matthias Pohl
------------------------------