Frequent Contributor I

Clearpass Profiling with DHCP

Hi,

 

We are using ClearPass 6.8.0.

Under "Endpoints" I don't see a lot of information, so I tried to enable the profiling. But it seems that the checkbox "Enable Profile" under Administration --> Server Manager --> Server Configuration --> System was removed. Is there a new way to activate this feature?

 

What do I further have to do to get more device information?

Do I also have to enable a DHCP helper on our WIFI Controller to forward DHCP traffic to CPPM, as described here, to get it working:

 

https://www.arubanetworks.com/techdocs/ClearPass/Aruba_CPPMOnlineHelp/Content/CPPM_UserGuide/PolicyProfile/Collectors.htm

 

Currently we do not configure any DHCP on the wifi controller.

We have a lot of VLANs which are terminated at our distribution router; there we have the DHCP helpers. I am not sure what happens when I configure a helper on the wifi controller which points to the CPPM. Does all the DHCP traffic then go to CPPM? I think then our clients would not get IPs any more, right?

 

 

Frequent Contributor I

Re: Clearpass Profiling with DHCP

You need to add CPPM as an ip helper on all your user subnets in order to get fingerprinting. If you have a VIP, just add the VIP. You only need to add the profiler on your subscriber if you have a pub/sub/x environment. The subscriber will forward the information to the publisher.

 

CPPM will not act on the DHCP discover, it will just use it for fingerprinting and then discard it. You need to add it in addition to your other IP helpers which will go to your DHCP server(s).

Frequent Contributor I

Re: Clearpass Profiling with DHCP

Thanks for your reply!

 

So, I have to configure two DHCP helpers for each VLAN:

- First helper points to CPPM

- Second helper points to the real DHCP Server

right?

 

So I also have to create an interface on each VLAN, right?

At the moment we don't have any interfaces configured on our md's except the management interface.

 

Does it have any speed impact for the whole authentication process, because I think there is no response from the CPPM on the DHCP discover and then the whole DHCP process starts again with the real DHCP...

 

 

Frequent Contributor I

Re: Clearpass Profiling with DHCP

You will put the additional helper on wherever you have your L3 interfaces, same as your DHCP helper. Generally the L3 interfaces will be on an upstream device when using a cluster, but it depends on your environment and version. It sounds like you're on 8.x, so if you have your user VLAN interfaces on the upstream routers, then just add your clearpass IP as an additional helper on those user SVIs.

 

"Does it have any speed impact for the whole authentication process, because I think there is no response from the CPPM on the DHCP discover and then the whole DHCP process starts again with the real DHCP..."

 

I haven't seen that in my environment (multiple MDs, 2x 25K CPPM appliances w/ Cisco N7K upstream). DHCP takes around 7 seconds for me whether or not I have CPPM added for fingerprinting. I would love to reduce this but haven't figured out if that's possible.

Frequent Contributor I

Re: Clearpass Profiling with DHCP

OK, Thanks.

 

CPPM has to stay in first position in the DHCP helper list in the router, right?

 

Regarding the missing profile checkbox on CPPM, is it enabled by default in the 6.8.0 version?

Frequent Contributor I

Re: Clearpass Profiling with DHCP

Doesn't have to be. I have it as the third helper in my environment.

 

Regarding the defaults, I don't know. I am not running that version.

MVP Guru

Re: Clearpass Profiling with DHCP

The setting moved into the Master Server in Zone setting:

Screen Shot 2019-10-11 at 10.39.05.png

In the older versions before 6.7, you could turn it on or off, where on meant an automatic selection of the Profiler master. Now you can put the profiling master on a specific (less occupied) ClearPass node in your cluster zone. Note that all nodes in the cluster can receive the DHCP requests from IP helpers; the non-master will just forward it to the master to be processed.

 

Please note that you also need to have an active Access License on ClearPass to have Profiling enabled.

 

Do you see the DHCP requests reaching your ClearPass server?

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
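
When checking whether relayed DHCP requests carry what a profiler needs, it helps to see which fields a DISCOVER exposes. The following is an added example, not part of the thread and not Aruba's code: it parses a relayed DISCOVER and extracts the fields DHCP fingerprinting generally relies on (hostname, vendor class, parameter request list, option order). That ClearPass keys on exactly these fields is an assumption, and the sample packet, MAC and relay address are constructed.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that follows the 236-byte BOOTP header

def parse_dhcp(payload: bytes) -> dict:
    """Pull out the fields a DHCP fingerprinting collector typically keys on."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    hlen = min(payload[2], 16)
    opts, order, i = {}, [], 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        code = payload[i]
        if code == 0:                               # pad option, no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        order.append(code)
        i += 2 + length
    return {
        "client_mac": payload[28:28 + hlen].hex(":"),
        "relay_giaddr": ".".join(map(str, payload[24:28])),  # set by the IP helper
        "msg_type": (opts.get(53) or b"\x00")[0],            # 1 = DISCOVER
        "hostname": opts.get(12, b"").decode("ascii", "replace"),
        "vendor_class": opts.get(60, b"").decode("ascii", "replace"),
        "param_request_list": list(opts.get(55, b"")),
        "option_order": order,
    }

def build_sample_discover() -> bytes:
    """Constructed relayed DISCOVER; every value here is made up for the demo."""
    opt = lambda code, val: bytes([code, len(val)]) + val
    header = struct.pack("!4BIHH4s4s4s4s16s64s128s", 1, 1, 6, 1, 0x1234ABCD, 0, 0,
                         bytes(4), bytes(4), bytes(4), bytes([10, 20, 30, 1]),
                         bytes.fromhex("001122334455"), b"", b"")
    options = (opt(53, b"\x01") + opt(12, b"lab-laptop") + opt(60, b"MSFT 5.0")
               + opt(55, bytes([1, 3, 6, 15, 31, 33, 43, 44, 46, 47])) + b"\xff")
    return header + MAGIC + options

if __name__ == "__main__":
    for key, value in parse_dhcp(build_sample_discover()).items():
        print(f"{key}: {value}")
```

A non-zero `relay_giaddr` shows the packet came through a helper rather than directly from the client's broadcast domain.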