The answer is in the ClearPass Profiling Technote:
If profiling is enabled on multiple nodes within a zone, they will form a cluster which provides redundancy and load balancing. The node with lowest UUID assumes an active role. All other nodes proxy endpoint attributes to active profiler. Active profiler periodically sends heartbeats to peers. If active node goes down, heartbeats will be lost and next peer with lowest UUID assumes master role. When failed node comes back, it will start sending heartbeats and assumes master role. If any peer has assumed master role, it will change to passive role on receiving heartbeats from original master.

This is about the profiling process itself. The classifications are sent back to the publisher, updated in the endpoint database and then synced back to each of the subscribers. That means that profiling data will be available on all ClearPass nodes, regardless of the zone.
You can find all ClearPass Technotes here.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Dec 14, 2022 11:17 PM
From: Cheryl Hanna
Subject: ClearPass Device profiling best practice with zones
I am looking to see if there is some best practice configuration within ClearPass for device profiling? I have a global ClearPass deployment with multiple subscribers in different zones based on geographic area.
It is my understanding that only one server within the cluster is doing the device profiling. Is it always the publisher, or can the subscriber be the profiler? When the subscribers in the various geographic locations are in different zones, is one ClearPass server doing the profiling per zone?
When configuring the IP helper address at the various sites globally, is it recommended to set each site to point to the local subscriber as the IP helper for DHCP profiling? Or should they all point to the one publisher for the cluster?
Any help is greatly appreciated.
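
The active-profiler election quoted from the Technote in the reply above, modelled as an added Python example (not ClearPass code and not part of either post). The tick-based timing, the `TIMEOUT` value, the shortened UUIDs and the assumption that every live node announces itself to its peers are illustrative and do not come from the Technote.

```python
from dataclasses import dataclass, field

TIMEOUT = 3  # assumed: ticks of silence before a peer is presumed down

@dataclass
class Node:
    uuid: str
    up: bool = True
    role: str = "passive"
    heard: dict = field(default_factory=dict)  # peer uuid -> tick last heard

def tick(nodes, now):
    """Advance the zone by one tick; return the UUIDs holding the active role."""
    live = [n for n in nodes if n.up]
    # Assumption: every live node announces itself so peers can tell who is alive.
    for sender in live:
        for peer in live:
            if peer is not sender:
                peer.heard[sender.uuid] = now
    for n in nodes:
        if not n.up:
            n.role, n.heard = "down", {}  # a restarted node begins with no peer state
            continue
        fresh = [u for u, t in n.heard.items() if now - t < TIMEOUT]
        # Lowest UUID among itself and the peers it still hears takes the active role.
        n.role = "active" if n.uuid == min([n.uuid] + fresh) else "passive"
    return sorted(n.uuid for n in nodes if n.role == "active")

def simulate(uuids, events, ticks):
    """events maps tick -> (uuid, is_up), applied before that tick is processed."""
    nodes = [Node(u) for u in uuids]
    timeline = []
    for now in range(ticks):
        if now in events:
            target, state = events[now]
            next(n for n in nodes if n.uuid == target).up = state
        timeline.append(tick(nodes, now))
    return timeline

# Constructed three-node zone; UUIDs shortened for readability.
ZONE = ["1a2b", "7c3d", "e9f0"]
# Node 1a2b fails before tick 2 and returns before tick 8.
TIMELINE = simulate(ZONE, {2: ("1a2b", False), 8: ("1a2b", True)}, 10)

if __name__ == "__main__":
    for now, active in enumerate(TIMELINE):
        print(f"tick {now}: active={active}")
```

In this model the ticks with an empty active set are the heartbeat-loss detection window, and the returning lowest-UUID node takes the active role back as soon as its peers hear from it.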