Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass Profiling taking 5+ minutes to complete

  • 1.  ClearPass Profiling taking 5+ minutes to complete

    Posted Nov 13, 2018 11:49 AM

    Let me start out with I do have an active TAC case open with Aruba currently.  But, I am fishing to see if anyone out here is or has experienced the same type of problem.

     

    Our cluster consists of 8 (25k) nodes of which two are configured as profilers.  We have roughly 250k objects in our endpoints DB and the systems appear to be keeping up fine.

     

    The problem is in the service, we have Profiling enabled and finished with an Aruba Port Bounce once profiling is completed.  This is taking roughly 5 minutes for the profiling to complete - part of the problem.  Second part of the problem is that some devices such as printers, security devices, environmentals etc. don't respond to a second AUTH request once the port has bounced because the device has an IP and is on the network.

     

    So two problems - one is profiling performance and the second is non-intelligent compute devices ignore a second AUTH.  What can be done to improve profiling performance and what are others doing for devices that need Corporate network access but are incapable of 802.1x?

     

    Thank you for any input.



  • 2.  RE: ClearPass Profiling taking 5+ minutes to complete

    EMPLOYEE
    Posted Nov 13, 2018 08:04 PM

    Hi,

     

    How are you profiling the devices? Are you relying on RADIUS and HTTP user agent information? Are you sending DHCP to ClearPass as well?



  • 3.  RE: ClearPass Profiling taking 5+ minutes to complete

    Posted Nov 14, 2018 02:57 PM

    The service is set up to do profiling and we do have the IP helpers pointed to ClearPass.  We do see the profiling occurring - the problem is it is taking way too long to complete - 6+ minutes as an average now.



  • 4.  RE: ClearPass Profiling taking 5+ minutes to complete

    Posted Apr 10, 2019 03:09 PM

    Hi

     

    Did you get any clarification on this question? I have a similar issue with profiling that takes a really long time.

    I can see the DHCP requests being sent to ClearPass, but the profiling event doesn't happen. Sometimes even more than 5 minutes.



  • 5.  RE: ClearPass Profiling taking 5+ minutes to complete

    Posted Apr 10, 2019 04:34 PM

    Hello there - to answer your question.  We did work with Aruba TAC and what we found in our version of CPPM at the time, 6.6.7, the profiler was unable to complete because it was back-logged due to the DB size.  The cleanup interval was not really doing the cleanup necessary to reduce the DB size down to a manageable size.  Aruba TAC developed a set of scripts/patches to clean the DB which was a manual process but the TAC engineer assigned to our case was awesome.  Once we reduced the DB size down to under 400k objects, the cleanup interval started to work as designed.  Once that was clean, our profiling stopped altogether - CPPM would not profile another device.  It was at that point that Aruba determined that we had reached the max number of objects permitted to be profiled.  There is a limit to the number of devices that can be profiled in total over CPPM's existence.  So another TAC case with Aruba was opened and TAC was able to reset the counters again to permit CPPM to profile devices.  We are now on 6.6.9 and profiling is taking no more than 45 seconds.



  • 6.  RE: ClearPass Profiling taking 5+ minutes to complete

    Posted Apr 10, 2019 04:49 PM

    Thank you for the detailed answer.

     

    I also found this article describing that ClearPass only performs profiling once every 5 minutes for a given device.

    https://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/What-is-the-limitation-in-ClearPass-for-DHCP-based-profiling/ta-p/216413

     

    This is more the scenario I'm facing at the moment.