10-06-2017 03:30 AM
Our scenario is that we have a lot of devices which we want to authenticate with a wildcard. The wildcard works this way:
1. The MAC OUI has to be a specific one, for example "HP". (Service Rules)
2. The device category has to be "Printer". (Enforcement Policy Rules)
This works fine if the device is already profiled and registered in the local endpoint repository.
If a new HP printer authenticates for the first time, point 1 (MAC OUI) works properly, but the DHCP fingerprint isn't available yet. This means that the printer will be rejected. If we connect the device again, the printer will be accepted, because the DHCP fingerprint has been taken after the first authentication.
Are there any possibilities to get that DHCP fingerprint information for new devices at the first authentication?
10-07-2017 01:51 AM
The trick, in summary, is that you allow all devices onto the network (Allow All MAC), but unknown devices are placed in an isolated or very limited VLAN where you can let the profiling take place. That VLAN needs to have an IP helper; clients do not necessarily need to get an IP address.
When ClearPass has profiled the device, it will trigger a port-bounce (wired) or reconnect (wireless) and put the client in the right VLAN/role.
If you allow limited access in that 'profiling VLAN' and, for example, redirect traffic to the ClearPass Guest captive portal, you can even do HTTP profiling for most clients, which gives even more reliable fingerprint data.
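The two-stage flow described in the answer, as an added illustration that is not part of the original thread and not ClearPass code: the poster's original rule set (OUI must be HP, category must be Printer, otherwise reject) is modelled next to the staged version (Allow All MAC, unknown endpoints land in a profiling VLAN, and a CoA re-authentication moves them once the DHCP fingerprint has been learned). The OUI table, the DHCP option-55 fingerprint string, the VLAN numbers and the MAC addresses are all constructed for this example.

```python
"""Staged MAC authentication: profiling VLAN first, CoA into the final VLAN.

Added illustration of the approach in the answer above, not ClearPass code.
Every lookup table, VLAN id and MAC address below is a constructed assumption.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed lookup tables (assumptions for the example, not real profiler data).
OUI_VENDOR = {"3C:D9:2B": "HP", "B8:27:EB": "Raspberry Pi"}
DHCP_OPTION55_CATEGORY = {"1,3,6,15,44,47,51,54,58,59,252": "Printer"}
PRINTER_VLAN = 20        # production VLAN for profiled HP printers (assumed)
PROFILING_VLAN = 999     # isolated VLAN whose IP helper points at ClearPass (assumed)


def oui(mac: str) -> str:
    """First three octets of a colon-separated MAC, normalised to upper case."""
    return mac.upper()[:8]


@dataclass
class EndpointRepository:
    """Stand-in for the local endpoint repository: MAC -> learned device category."""
    category: dict = field(default_factory=dict)

    def learn_dhcp(self, mac: str, option55: str) -> Optional[str]:
        """Profile an endpoint from a relayed DHCP request; returns the category learned."""
        cat = DHCP_OPTION55_CATEGORY.get(option55)
        if cat:
            self.category[mac] = cat
        return cat


def original_policy(mac: str, repo: EndpointRepository):
    """Poster's rules: service rule OUI == HP, enforcement rule category == Printer."""
    if OUI_VENDOR.get(oui(mac)) != "HP":
        return ("REJECT", None)
    if repo.category.get(mac) == "Printer":
        return ("ACCEPT", PRINTER_VLAN)
    return ("REJECT", None)          # unprofiled printer: rejected on first auth


def staged_policy(mac: str, repo: EndpointRepository):
    """Allow All MAC: known HP printers -> PRINTER_VLAN, everything else -> PROFILING_VLAN."""
    if OUI_VENDOR.get(oui(mac)) == "HP" and repo.category.get(mac) == "Printer":
        return ("ACCEPT", PRINTER_VLAN)
    return ("ACCEPT", PROFILING_VLAN)


def first_connection(policy, mac: str, option55: str, repo: EndpointRepository, coa: bool = True):
    """Walk a brand-new device through its first connection and return the event log."""
    events = []
    decision = policy(mac, repo)
    events.append(("auth", decision))
    if decision[0] == "REJECT":
        return events                 # port stays closed: no DHCP seen, nothing to profile
    # The device is on some VLAN; the IP helper relays its DHCP request to the profiler.
    events.append(("profiled", repo.learn_dhcp(mac, option55)))
    if coa and decision[1] == PROFILING_VLAN and mac in repo.category:
        # Profiling finished: port-bounce (wired) / reconnect (wireless) forces a re-auth.
        events.append(("coa-reauth", policy(mac, repo)))
    return events


if __name__ == "__main__":
    printer = "3c:d9:2b:11:22:33"                     # constructed HP MAC
    fp = "1,3,6,15,44,47,51,54,58,59,252"             # constructed option-55 list
    print("original:", first_connection(original_policy, printer, fp, EndpointRepository()))
    print("staged:  ", first_connection(staged_policy, printer, fp, EndpointRepository()))
```

With the original rules the first event is a reject and the log ends there; with the staged rules the printer is admitted to VLAN 999, gets profiled from its relayed DHCP request, and the CoA re-authentication lands it in VLAN 20, all within the first connection. A non-HP device that happens to send the same fingerprint is re-evaluated after profiling but stays in the profiling VLAN.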