View Only
last person joined: yesterday 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

ArubaInstant and Clearpass

This thread has been viewed 4 times
  • 1.  ArubaInstant and Clearpass

    Posted May 22, 2016 10:54 PM


    We are trying to get get ArubaInstant to pass the device-type through to Clearpass.


    At the moment we have 802.1x authenticaiton working with Clearpass as the external radius server. The only thing we find out is how to get the ArubaInstant (IAP 225) to pass the Radius:Aruba:Aruba-Device-Type in the Radius request.


    Below is the top of the Radius Request. 




  • 2.  RE: ArubaInstant and Clearpass

    Posted May 22, 2016 10:56 PM
    You will likely not get the device type on Instant. You should leverage ClearPass profiling capabilities. 

  • 3.  RE: ArubaInstant and Clearpass

    Posted May 22, 2016 11:00 PM

    Any documentation on how to setup the profiling on Clearpass ? Essentially we just want to determine the device is either iOS or Android and do something based on that


  • 4.  RE: ArubaInstant and Clearpass

    Posted May 22, 2016 11:03 PM
    Simply add a DHCP helper address pointed to ClearPass and enable profiling in the server configuration. 

  • 5.  RE: ArubaInstant and Clearpass

    Posted May 22, 2016 11:42 PM

    Well that just blew up the instant ap. I had to ssh from another AP to the virtual controller and wipe that dhcp config.


    What we are trying to do is -

    - device connects to SECURE

    - based on the device type we want to push it to vlan 100 or vlan 101 (example only).


    The setup we have is a centralised DHCP server (see below)


    At the moment we have them all on vlan 100.


    Any other ideas on how we can achieve this ?



  • 6.  RE: ArubaInstant and Clearpass

    Posted Jun 02, 2016 03:52 PM

    802.1X is a layer 2 authentication method. DHCP Fingerprinting is a layer 3 task, DHCP collector will profile the device by looking into DHCP Discover, request packet.


    Before ClearPass profile the device, policy server would have assigned the policy, client would have got VLAN.


    To over come this, you could define a policy in such a way that. When device connect to 802.1x SSID first time and authenticate succesfully(client will get an IP address and it will be profiled), bounce its interface and force client to reauthenticate.


    Next time time when he connect to Secure SSID(attached enforcement policy as an example), he will get a appropreate VLAN based on device type and policy configured. (ClearPass would have collected device information when client got connected first time)



    You better contact Aruba ClearPass system engineer to design policy based on your requirement.