Clearpass Profiling with DHCP

  • 1.  Clearpass Profiling with DHCP

    Posted Oct 10, 2019 09:28 AM

    Hi,

    We are using ClearPass 6.8.0.

    Under "Endpoints" I don't see a lot of information, so I tried to enable the profiling. But it seems that the checkbox "Enable Profile" under Administration --> Server Manager --> Server Configuration --> System was removed. Is there a new way to activate this feature?

    What do I further have to do to get more device information?

    Do I also have to enable a DHCP helper on our WiFi controller to forward DHCP traffic to CPPM, as described here, to get it working:

    https://www.arubanetworks.com/techdocs/ClearPass/Aruba_CPPMOnlineHelp/Content/CPPM_UserGuide/PolicyProfile/Collectors.htm

    Currently we do not configure any DHCP on the WiFi controller.

    We have a lot of VLANs which are terminated at our distribution router; there we have the DHCP helpers. I am not sure what happens when I configure a helper on the WiFi controller which points to the CPPM. Does all the DHCP traffic then go to CPPM? I think our clients would then not get IPs any more, right?


  • 2.  RE: Clearpass Profiling with DHCP

    Posted Oct 10, 2019 09:44 AM

    You need to add CPPM as an IP helper on all your user subnets in order to get fingerprinting. If you have a VIP, just add the VIP. You only need to add the profiler on your subscriber if you have a pub/sub/x environment. The subscriber will forward the information to the publisher.

    CPPM will not act on the DHCP discover; it will just use it for fingerprinting and then discard it. You need to add it in addition to your other IP helpers, which will go to your DHCP server(s).


  • 3.  RE: Clearpass Profiling with DHCP

    Posted Oct 10, 2019 09:54 AM

    Thanks for your reply!

    So, I have to configure two DHCP helpers for each VLAN:

    - First helper points to CPPM

    - Second helper points to the real DHCP server

    right?

    So I also have to create an interface on each VLAN, right?

    At the moment we don't have any interfaces configured on our MDs except the management interface.

    Does it have any speed impact on the whole authentication process? Because I think there is no response from the CPPM to the DHCP discover, and then the whole DHCP process starts again with the real DHCP...


  • 4.  RE: Clearpass Profiling with DHCP

    Posted Oct 10, 2019 10:02 AM

    You will put the additional helper wherever you have your L3 interfaces, same as your DHCP helper. Generally the L3 interfaces will be on an upstream device when using a cluster, but it depends on your environment and version. It sounds like you're on 8.x, so if you have your user VLAN interfaces on the upstream routers, then just add your ClearPass IP as an additional helper on those user SVIs.

    "Does it have any speed impact for the whole authentication process, because I think there is no response from the CPPM on the DHCP discover and then the whole DHCP process starts again with the real DHCP..."

    I haven't seen that in my environment (multiple MDs, 2x 25K CPPM appliances w/ Cisco N7K upstream). DHCP takes around 7 seconds for me whether or not I have CPPM added for fingerprinting. I would love to reduce this but haven't figured out if that's possible.



  • 5.  RE: Clearpass Profiling with DHCP

    Posted Oct 10, 2019 11:01 AM

    OK, thanks.

    CPPM has to stay in first position in the DHCP helper list in the router, right?

    Regarding the missing profile checkbox on CPPM, is it enabled by default in the 6.8.0 version?


  • 6.  RE: Clearpass Profiling with DHCP

    Posted Oct 10, 2019 11:04 AM

    Doesn't have to be. I have it as the third helper in my environment.

    Regarding the defaults, I don't know. I am not running that version.
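The helper layout described in replies 2, 4 and 6, written out as an added configuration example (this is not from the thread and not HPE Aruba's own configuration): a Cisco IOS-style user VLAN SVI on the upstream L3 device whose DHCP broadcasts are relayed to two real DHCP servers and, in addition, to the ClearPass publisher VIP. Every address, VLAN number and description here is a constructed placeholder.

```cisco
! Constructed example: user VLAN SVI on the upstream L3 switch/router.
! All addresses are placeholders, not values from the thread.
interface Vlan100
 description Wireless users (example VLAN)
 ip address 10.100.0.1 255.255.255.0
 ! Real DHCP servers: these answer the DISCOVER and hand out the lease.
 ip helper-address 10.0.0.10
 ip helper-address 10.0.0.11
 ! ClearPass publisher VIP (profiling only). The relay unicasts a copy of
 ! every client DHCP broadcast to each helper listed, so ClearPass sees the
 ! DISCOVER/REQUEST for fingerprinting, never replies, and the client still
 ! gets its lease from the servers above. The position in the list does not
 ! matter; a copy goes to each helper regardless of order.
 ip helper-address 10.0.9.5
```

Two practitioner notes on this layout. First, `ip helper-address` on IOS relays a default set of UDP broadcast ports, not only DHCP (BOOTP 67/68 plus TFTP, DNS, TACACS, NetBIOS and time by default), so the ClearPass address will receive copies of those broadcasts too; any firewall between the SVI and ClearPass needs at least UDP/67 from the SVI address permitted, and unwanted protocols can be dropped with `no ip forward-protocol udp <port>` (which applies to all helpers on the box). On NX-OS, which the N7K in reply 4 runs, the equivalent is `feature dhcp`, `ip dhcp relay` globally and `ip dhcp relay address 10.0.9.5` under the SVI, and that relay is DHCP-only. Second, to confirm the copies actually arrive (the question asked in the best answer below), check `show ip interface Vlan100` lists all three helpers and take a packet capture on the ClearPass node for UDP port 67 from the SVI address.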



  • 7.  RE: Clearpass Profiling with DHCP
    Best Answer

    EMPLOYEE
    Posted Oct 11, 2019 04:44 AM

    The setting moved into the Master Server in Zone setting:

    [screenshot omitted: Screen Shot 2019-10-11 at 10.39.05.png]

    In the older versions before 6.7, you could turn it on or off, where "on" meant an automatic selection of the Profiler master; now you can put the profiling master on a specific (less occupied) ClearPass node in your cluster zone. Note that all nodes in the cluster can receive the DHCP requests from IP helpers; the non-master nodes will just forward them to the master to be processed.

    Please note that you also need to have an active Access License on ClearPass to have Profiling enabled.

    Do you see the DHCP requests reaching your ClearPass server?


  • 8.  RE: Clearpass Profiling with DHCP

    Posted Oct 19, 2021 05:43 PM
    Hello, I know this is from a while back but I have a question about the license.
    You say you need an active Access license to profile. Do you need an Access license for each device it finds and profiles, or just one license to enable the feature?

    ------------------------------
    Quinton Williams
    ------------------------------



  • 9.  RE: Clearpass Profiling with DHCP

    EMPLOYEE
    Posted Oct 20, 2021 08:37 AM
    You will need access licenses just for the devices that concurrently connect to the network controlled by ClearPass.

    With 1000 Access Licenses, there is no issue if you see 2500 devices profiled, as long as they do not connect all at the same time to an authenticated port (normal Access Licensing). Theoretically, you could use the lowest tier of Access Licenses, and profile all devices on your network as long as you don't authenticate them.

    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------