Wired Intelligent Edge

 View Only
last person joined: yesterday 

Bring performance and reliability to your network with the Aruba Core, Aggregation, and Access layer switches. Discuss the latest features and functionality of the ArubaOS-Switch and ArubaOS-CX devices, and find ways to improve security across your network to bring together a mobile first solution.
Expand all | Collapse all

Configuration for Profiling in ClearPass

This thread has been viewed 15 times
  • 1.  Configuration for Profiling in ClearPass

    MVP
    Posted May 03, 2022 03:08 AM
    We have several Aruba 2540 switches, and created several VLANs on the switch. We have a management VLAN, and created an IP address on this VLAN.
    We´ve added the switch with this IP address in ClearPass. 
    For profiling newly devices are placed in our guest VLAN. I´ve added ClearPass as an ip helper-address on the switch. Profiling isn't working and I can´t see any traffic on the firewall.

    If I configure an IP in the guest VLAN I can see the UDP67 packet on the firewall, but the packet uses the default GW from mgmt-vlan but used the interface IP from the guest and send it over the management VLAN. It is blocked on the FW with "Reverse routing mismatch", because this IP is not expected on this VLAN. Profiling is still not working

    If I change the configuration and use the guest vlan as source-interface for radius, and change the default GW and configure the switch with this IP  as network device in ClearPass the profiling works fine.

    Is there any solution to get profiling working without configuring an IP within the guest VLAN. We would like to separate the Mgmt IP from our Guest Network


    ------------------------------
    Matthias Pohl
    ------------------------------


  • 2.  RE: Configuration for Profiling in ClearPass

    EMPLOYEE
    Posted May 03, 2022 07:52 PM
    i think ip-helper command should be configured on the device that has an IP address on the VLAN you want this functionality.
    so if your switch does no thave an IP address on guest VLAN, then the device most likely the default gateway can have an ip-helper pointing to clearpass.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------



  • 3.  RE: Configuration for Profiling in ClearPass

    MVP
    Posted May 04, 2022 05:44 AM
    I tried this.
    I´ve configured the ip helper-address on vlan250 (mgmt vlan). On this VLAN the mgmt ip is configured.
    The client is placed in the guest vlan98. This is the enforcement profile.

    I would expect that the switch sends a dhcp paket to clearpass for profiling, regardless in which vlan the client is?

    ------------------------------
    Matthias Pohl
    ------------------------------



  • 4.  RE: Configuration for Profiling in ClearPass

    EMPLOYEE
    Posted May 04, 2022 08:41 PM
    no it does not work that way. the ip-helper is configured in the VLAN context. so if you are enabling iphelper on an AOS-S switch like 2930, then the switch needs a vlan configured with IP address for that subnet. as an example here we have VLAN10 with ip addr of 10.10.10.1/24 and it will send dhcp request to 192.168.1.130 only when it receives this request on VLAN 10.

    vlan 10
      name "Lab"
      untagged 4,9
      tagged 2-3,7
      ip address 10.10.10.1 255.255.255.0
      ip helper-address 192.168.1.130



    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------