
Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Juniper Switch ClearPass Profiling

  • 1.  Juniper Switch ClearPass Profiling

    Posted Aug 18, 2022 04:53 PM

    We are in the process of rolling out MAC Authentication on our wired ports students use across campus. We are not utilizing dot1x at this time. We have been able to get MAC Auth functioning fully on our Juniper switches; however, we cannot get fingerprints to ClearPass for some reason.

    We have already added DHCP relay options to our routing-instances and forwarding-options. This seems to be the correct configuration, but it is not working. Has anyone ever gotten this working, and do you have any suggestions?

    Please note we have been able to make this work in our dorms that have Aruba-CX switches.



  • 2.  RE: Juniper Switch ClearPass Profiling

    Posted Aug 19, 2022 04:45 AM
    There is a big chance that the DHCP packets don't reach ClearPass. With a Collect Logs on ClearPass, you can run a packet capture to validate if the relayed DHCP packets actually reach ClearPass.

    Some switches don't support DHCP relay and server on the same instance; most switches require an L3 IP in the VLAN to forward DHCP packets; it may be that switches are 'intelligent' and see that certain servers never reply and mark the ip helper 'dead'.

    First step is to make sure the packets actually reach ClearPass. Then if they don't find out if they are actually sent by the switch, and if so where they are lost.

    Herman Robers
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

  • 3.  RE: Juniper Switch ClearPass Profiling

    Posted Aug 26, 2022 05:35 PM

    In our case, there are firewalls that connect to the Juniper switches. The firewall needs DHCP relay for each VLAN and interface (i.e. interface of the firewall connecting to the switch, or each VLAN of the trunk that connects the firewall to the switch). So that should already be in place.

    What you need is to add both the Publisher and Subscriber (if you use one) of ClearPass to the firewall's list of DHCP relays. And make sure you use ALL ports that ClearPass has - we have the "data" and "management" ports in our DHCP Relay configs because you never know which way the DHCP Relay request will arrive...and both port types can answer the request.

    Keep in mind, you'll only get DHCP profile data from a device that is doing DHCP requests...if the device has a static IP, and it gets on the wrong VLAN, it won't connect. So I'd expect any VLAN you try to use for "dynamic VLAN" will have devices with DHCP enabled.

    Good luck!
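The two replies above both come down to one check: does a relayed DHCP DISCOVER actually arrive at a ClearPass address, with the relay hop (giaddr) set and the options ClearPass fingerprints on (55, 60, 12, 61) still present? The script below is an added example, not code from the thread or from HPE Aruba; it decodes an Ethernet/IPv4/UDP/BOOTP frame such as you would pull out of a ClearPass Collect Logs capture (or a capture on the firewall/switch doing the relay) and flags the failure modes discussed: not relayed at all, relayed to an address that is not one of the ClearPass publisher/subscriber data or management ports, or carrying no fingerprintable options. The ClearPass addresses, the client MAC and the three sample frames are constructed placeholders, not values from the thread.

```python
"""Added example (not from the thread): decode a DHCP DISCOVER from a capture and
report the relay and fingerprint fields ClearPass profiling depends on.
All addresses, the MAC and the sample frames below are constructed placeholders."""
import ipaddress
import struct

# Assumed ClearPass relay targets: publisher and subscriber, data and mgmt ports.
CLEARPASS_RELAY_TARGETS = {
    "10.0.10.21": "publisher data",
    "10.0.10.22": "publisher mgmt",
    "10.0.10.31": "subscriber data",
    "10.0.10.32": "subscriber mgmt",
}
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK", 8: "INFORM"}
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def parse_options(raw):
    """Walk the RFC 2132 TLV option area; skip Pad (0), stop at End (255)."""
    opts, i = {}, 0
    while i < len(raw) and raw[i] != 255:
        if raw[i] == 0:
            i += 1
            continue
        code, length = raw[i], raw[i + 1]
        opts[code] = raw[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def decode_frame(frame):
    """Ethernet/IPv4/UDP/BOOTP -> dict of relay + fingerprint fields and a problem list."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not IPv4")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17:
        raise ValueError("not UDP")
    src_ip = str(ipaddress.IPv4Address(ip[12:16]))
    dst_ip = str(ipaddress.IPv4Address(ip[16:20]))
    udp = ip[ihl:]
    dport = struct.unpack("!H", udp[2:4])[0]
    bootp = udp[8:]
    if dport not in (67, 68) or bootp[236:240] != MAGIC_COOKIE:
        raise ValueError("not DHCP")
    hlen, hops = bootp[2], bootp[3]
    giaddr = str(ipaddress.IPv4Address(bootp[24:28]))   # relay agent address
    opts = parse_options(bootp[240:])
    info = {
        "src": src_ip, "dst": dst_ip,
        "relay_target": CLEARPASS_RELAY_TARGETS.get(dst_ip),
        "giaddr": giaddr, "hops": hops,
        "client_mac": bootp[28:28 + hlen].hex(":"),
        "message_type": MESSAGE_TYPES.get(opts.get(53, b"\0")[0]),
        "host_name": opts[12].decode(errors="replace") if 12 in opts else None,
        "vendor_class": opts[60].decode(errors="replace") if 60 in opts else None,
        "param_request_list": list(opts.get(55, b"")),   # option 55, the core fingerprint
        "problems": [],
    }
    if giaddr == "0.0.0.0":
        info["problems"].append("giaddr is 0.0.0.0: packet was not relayed, so an off-subnet ClearPass never sees it")
    if info["relay_target"] is None:
        info["problems"].append(f"destination {dst_ip} is not a configured ClearPass address")
    if not info["param_request_list"] and info["vendor_class"] is None:
        info["problems"].append("no option 55 or 60: nothing for ClearPass to fingerprint")
    return info


def build_discover(client_mac, src_ip, dst_ip, giaddr, options):
    """Construct a DISCOVER frame for the samples (IP checksum left 0; decoder ignores it)."""
    relayed = giaddr != "0.0.0.0"
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s4s",
                        1, 1, 6, 1 if relayed else 0, 0x3903F326, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, ipaddress.IPv4Address(giaddr).packed,
                        client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128, MAGIC_COOKIE)
    bootp += options + b"\xff"
    udp = struct.pack("!HHHH", 67 if relayed else 68, 67, 8 + len(bootp), 0) + bootp
    src, dst = ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, src, dst) + udp
    return b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00" + ip


# Constructed client: option 53, 61, 12, 60 and a Windows-style option 55 list.
MAC = bytes.fromhex("0050560a1b2c")
CLIENT_OPTIONS = (
    b"\x35\x01\x01"                                            # 53 message type DISCOVER
    + b"\x3d\x07\x01" + MAC                                    # 61 client id (htype + MAC)
    + b"\x0c" + bytes([len(b"LAB-PC-01")]) + b"LAB-PC-01"      # 12 host name
    + b"\x3c" + bytes([len(b"MSFT 5.0")]) + b"MSFT 5.0"        # 60 vendor class
    + b"\x37\x0e" + bytes([1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252])  # 55
)
# Constructed: correctly relayed DISCOVER as it should arrive at the publisher data port.
RELAYED_OK = build_discover(MAC, "10.20.30.1", "10.0.10.21", "10.20.30.1", CLIENT_OPTIONS)
# Constructed: the client's raw broadcast on the access VLAN, i.e. before any relay.
NOT_RELAYED = build_discover(MAC, "0.0.0.0", "255.255.255.255", "0.0.0.0", CLIENT_OPTIONS)
# Constructed: relayed, but to an address no ClearPass node listens on.
WRONG_TARGET = build_discover(MAC, "10.20.30.1", "10.0.10.99", "10.20.30.1", CLIENT_OPTIONS)

if __name__ == "__main__":
    for name, frame in (("relayed", RELAYED_OK), ("not relayed", NOT_RELAYED), ("wrong target", WRONG_TARGET)):
        info = decode_frame(frame)
        print(name, info["message_type"], info["client_mac"], "giaddr", info["giaddr"], "->", info["dst"])
        for problem in info["problems"]:
            print("   !", problem)
```

To use it on a real capture, read the frames out of the pcap (for example with `tcpdump -r` piped through a pcap library) and pass each raw Ethernet frame to `decode_frame`; a capture taken on ClearPass that contains no frames at all for the student VLANs is the "packets never arrive" case from the first reply, while frames whose destination is not in your ClearPass address list point at the relay configuration from the second.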