Hi Joseph.
When this test is successful, then create a new enforcement profile that will allow DNS and DHCP traffic and HTTP(s) (80, 443) to the ClearPass server (if desired). Please read the Wired Policy Enforcement Solution Guide for details. You can provide a notification page to the client so it is informed that profiling is going on and that it needs to wait a little bit before it will be allowed onto the network.
Original Message:
Sent: Jan 14, 2025 01:11 PM
From: clearpassnoob2024
Subject: rejected in clearpass
Hi Sir,
I have removed the PEAP conditions and just now have two. I am not really sure if I still actually need to replace the Auth Peap Role conditions or having these two conditions only but changing the default profile to Allow access Profile and not deny? Also, how do I accomplish this? "assign an enforcement that is acceptable for unknown devices, like internet only or even just DHCP such that profiling can happen. In general, you should not reject authentications, but instead accept those with strict needed or acceptable limited access." Thank you so much.
Original Message:
Sent: Jan 14, 2025 04:21 AM
From: Herman Robers
Subject: rejected in clearpass
I don't think that Full-Username has the value 'username'; I typically use 'Tips:Role EQUALS [User-Authenticated]'; so like your rule 4 but without the other Role matches.
As Gorazd mentions, you can set the default enforcement profile as well, but I personally prefer to use the Tips:Role EQUALS [User-Authenticated] as it's always true for authenticated users, but more because it makes your policy more explicit. You see immediately what the policy does at the bottom, where if it falls through to the default policy, it's a bit harder to read.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Jan 13, 2025 05:10 PM
From: clearpassnoob2024
Subject: rejected in clearpass
Hi Herman,
like this?
Original Message:
Sent: Jan 13, 2025 03:01 AM
From: Herman Robers
Subject: rejected in clearpass
In order to profile new/unknown devices, you would need to provide them with some form of access. If you reject the authentication, there is no network connectivity at all, so there won't be profiling possible.
One solution would be to add a rule at the bottom of your enforcement policy that just checks for [User Authenticated] (and not further roles) and assign an enforcement that is acceptable for unknown devices, like internet only or even just DHCP such that profiling can happen.
In general, you should not reject authentications, but instead accept those with strict needed or acceptable limited access.
BTW, you probably should not use PEAP. Encryption for that is broken and unless you fully control your client devices really well, you should consider the user (or computer) credentials to be exposed.
------------------------------
Herman Robers
------------------------
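The catch-all rule described in this message, together with the limited profile (DHCP, DNS, HTTP(S) to ClearPass) from the newest reply at the top of the thread, sketched as an added example that is not part of the original thread and is not ClearPass code. It is a simplified first-match model; the profile names, the `Corp-Laptop` role and the 192.0.2.10 address are assumptions made for illustration.

```python
from ipaddress import ip_address

# Hypothetical names and a constructed documentation address (not from the thread).
CLEARPASS_IP = ip_address("192.0.2.10")
DENY = "deny-access"
AUTH = "[User Authenticated]"

# Limited profile: (protocol, destination port, destination host or None for any).
PROFILING_ONLY = [
    ("udp", 67, None),           # DHCP, so the device can be fingerprinted
    ("udp", 53, None),           # DNS
    ("tcp", 53, None),
    ("tcp", 80, CLEARPASS_IP),   # HTTP to ClearPass only
    ("tcp", 443, CLEARPASS_IP),  # HTTPS to ClearPass only
]

# Policy as posted in spirit: only rules that need a profiled role, default deny.
SPECIFIC = [({AUTH, "Corp-Laptop"}, "corp-full-access")]
# Same policy with the explicit bottom rule that matches any authenticated user.
CATCH_ALL = SPECIFIC + [({AUTH}, "profiling-only")]


def evaluate(rules, default, roles):
    """First-match evaluation: return the profile of the first rule whose
    required roles are all present, otherwise the default profile."""
    for required, profile in rules:
        if required <= roles:
            return profile
    return default


def permitted(acl, proto, dport, dst):
    """True if the limited profile allows this flow."""
    dst = ip_address(dst)
    return any(p == proto and port == dport and (host is None or host == dst)
               for p, port, host in acl)


if __name__ == "__main__":
    unknown = {AUTH}  # authenticated, but not yet profiled
    print("default deny :", evaluate(SPECIFIC, DENY, unknown))
    print("with bottom rule:", evaluate(CATCH_ALL, DENY, unknown))
    print("HTTPS elsewhere allowed:",
          permitted(PROFILING_ONLY, "tcp", 443, "198.51.100.5"))
```

With the bottom rule in place the unprofiled device lands in the restricted profile instead of the default, and a failed authentication (no roles) still falls through to deny.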
Original Message:
Sent: Jan 10, 2025 09:46 PM
From: clearpassnoob2024
Subject: rejected in clearpass
Yes, I have already checked that. Also, there are other devices able to connect and get the correct profile as well, albeit a different laptop model.
Original Message:
Sent: 1/10/2025 6:14:00 PM
From: ariyap
Subject: RE: rejected in clearpass
Are you sending client DHCP requests to your ClearPass?
Generally you need the ip helper command on your router/switch to also point to the IP address of ClearPass. This way ClearPass will see the DHCP request and can use it for profiling.
------------------------------
If my post was useful accept solution and/or give kudos.
Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
Original Message:
Sent: Jan 10, 2025 03:55 PM
From: clearpassnoob2024
Subject: rejected in clearpass
Hi, can someone please help me fix? Users are not profiled in ClearPass, hence rejected... Thank you for any help.