Security

Hi all,

I having issue's with using an IP helper-address to profile devices. 

We are using Dell S4248-ON (core) and Dell N2048 (Access) switches.
The core switch already has two IP helper-addresses configured, one for the primary Windows DHCP-server, and another one for the secondary Windows DHCP-server.

Once we add a third IP helper-address pointing to our ClearPass Publisher Server, clients will no longer receive a (new) DHCP lease (ipconfig /renew will time out). Once we configure a random server to be the third 'ip helper-address', the clients receives a new lease again.. ClearPass is not suppose to answer to a DHCP request right? 

My question: It seems that the problem lays at ClearPass and not at the switch configuration; Do we need additional configuration at ClearPass in order to get device profiling to work? 

Thanks in advance!

------------------------------
Lex
------------------------------

ClearPass will consume and then discard the DHCP messages, it NEVER replies to them. 

CPPM will look for DHCP Options 55 & 60 {VCI} from the DISCOVER message and DHCPREQUEST, these are used specifically for the fingerprinting process.

------------------------------
Danny Jump
"Passionate about CPPM"
------------------------------

Original Message:
Sent: Jun 03, 2021 08:38 AM
From: Lex Krijnen
Subject: ClearPass Device Profiler - IP Helper address

Hi all,

I having issue's with using an IP helper-address to profile devices. 

We are using Dell S4248-ON (core) and Dell N2048 (Access) switches.
The core switch already has two IP helper-addresses configured, one for the primary Windows DHCP-server, and another one for the secondary Windows DHCP-server.

Once we add a third IP helper-address pointing to our ClearPass Publisher Server, clients will no longer receive a (new) DHCP lease (ipconfig /renew will time out). Once we configure a random server to be the third 'ip helper-address', the clients receives a new lease again.. ClearPass is not suppose to answer to a DHCP request right? 

My question: It seems that the problem lays at ClearPass and not at the switch configuration; Do we need additional configuration at ClearPass in order to get device profiling to work? 

Thanks in advance!

------------------------------
Lex
------------------------------

Hi Danny,

Thanks for your clarification on the DHCP collector(s), that makes sense. 
Do you have any idea on what is going wrong? Do I need additional configuration at the ClearPass side to resolve this issue / get device profiling to work?

------------------------------
Lex
------------------------------

Original Message:
Sent: Jun 03, 2021 11:39 AM
From: Danny Jump
Subject: ClearPass Device Profiler - IP Helper address

ClearPass will consume and then discard the DHCP messages, it NEVER replies to them. 

CPPM will look for DHCP Options 55 & 60 {VCI} from the DISCOVER message and DHCPREQUEST, these are used specifically for the fingerprinting process.

------------------------------
Danny Jump
"Passionate about CPPM"

Original Message:
Sent: Jun 03, 2021 08:38 AM
From: Lex Krijnen
Subject: ClearPass Device Profiler - IP Helper address

Hi all,

I having issue's with using an IP helper-address to profile devices. 

We are using Dell S4248-ON (core) and Dell N2048 (Access) switches.
The core switch already has two IP helper-addresses configured, one for the primary Windows DHCP-server, and another one for the secondary Windows DHCP-server.

Once we add a third IP helper-address pointing to our ClearPass Publisher Server, clients will no longer receive a (new) DHCP lease (ipconfig /renew will time out). Once we configure a random server to be the third 'ip helper-address', the clients receives a new lease again.. ClearPass is not suppose to answer to a DHCP request right? 

My question: It seems that the problem lays at ClearPass and not at the switch configuration; Do we need additional configuration at ClearPass in order to get device profiling to work? 

Thanks in advance!

------------------------------
Lex
------------------------------

As Danny mentioned, ClearPass is completely passive from a switch perspective. Most switches will send relay the DHCP requests to all of your configured helpers/relays, and ClearPass will discard, the other servers (hopefully) will respond. One thing I may think of could be that the ip helper on the switch is 'too intelligent' and forwards the DHCP to only one of the configured IPs, which if it selects the ClearPass will result in a timeout.

The issue lies most probably in the switch. I would check if you see the DHCP requests arriving at the actual DHCP server, and if that server responds. From there find out where the issue is, and as mentioned it is really unlikely that the ClearPass has anything to do with this.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Jun 04, 2021 03:38 AM
From: Lex Krijnen
Subject: ClearPass Device Profiler - IP Helper address

Hi Danny,

Thanks for your clarification on the DHCP collector(s), that makes sense. 
Do you have any idea on what is going wrong? Do I need additional configuration at the ClearPass side to resolve this issue / get device profiling to work?

------------------------------
Lex

Original Message:
Sent: Jun 03, 2021 11:39 AM
From: Danny Jump
Subject: ClearPass Device Profiler - IP Helper address

ClearPass will consume and then discard the DHCP messages, it NEVER replies to them. 

CPPM will look for DHCP Options 55 & 60 {VCI} from the DISCOVER message and DHCPREQUEST, these are used specifically for the fingerprinting process.

------------------------------
Danny Jump
"Passionate about CPPM"

Original Message:
Sent: Jun 03, 2021 08:38 AM
From: Lex Krijnen
Subject: ClearPass Device Profiler - IP Helper address

Hi all,

I having issue's with using an IP helper-address to profile devices. 

We are using Dell S4248-ON (core) and Dell N2048 (Access) switches.
The core switch already has two IP helper-addresses configured, one for the primary Windows DHCP-server, and another one for the secondary Windows DHCP-server.

Once we add a third IP helper-address pointing to our ClearPass Publisher Server, clients will no longer receive a (new) DHCP lease (ipconfig /renew will time out). Once we configure a random server to be the third 'ip helper-address', the clients receives a new lease again.. ClearPass is not suppose to answer to a DHCP request right? 

My question: It seems that the problem lays at ClearPass and not at the switch configuration; Do we need additional configuration at ClearPass in order to get device profiling to work? 

Thanks in advance!

------------------------------
Lex
------------------------------