Security

last person joined: yesterday 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Back to discussions
Expand all | Collapse all

DHCP Fingerprint in large deployment

This thread has been viewed 0 times

  • 1.  DHCP Fingerprint in large deployment

    Posted Jan 09, 2020 09:20 AM

    Hello, I'm doing a large deployment of CPPM (20 servers in the cluster - Version 6.8.4) that spreads across three locations. I will have 1 Publisher at local A, 1 Standby-Publisher at local B, and 18 subscriber (6 per each local). 

     

    I saw that I should divide in three zones in clearpass to avoid unecessary traffic between wan links. Then I should set a primary master and secondary master to process the profiling for each zone. Is it correct?

     

    My other doubt is about DHCP Relay.

    As I know only the Publisher can write the database.

    So, is best to set the ip helper (DHCP relay) directly to the Publisher(In other zone), or is best to point to the Master Server of the zone?



  • 2.  RE: DHCP Fingerprint in large deployment

    EMPLOYEE
    Posted Jan 09, 2020 11:36 AM

    Check this document page 37 for more details

     

    https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=33256

     

    OpenEnabling Endpoint Classification

    To enable endpoint classification, you must configure the Master Server in Zone parameter by specifying the Primary master server and Secondary master server (for more information, see Master Server in Zone). If you don't specify the primary master server in the zone, ClearPass will automatically select the node in the zone with the lowest UUID (universally unique identifier).

    When you enable the ClearPass server for endpoint classification, this associates each endpoint with a specific user or location and secures access for other devices.

     

     

    Master Server in Zone

    Use this option to specify the current ClearPass server as the Primary or Secondary master ClearPass server within a Policy Manager zone.

    NOTE: If no Primary master server for a zone is configured, the ClearPass server with the lowest UUID is designated as the Primary master server.

    To do so, select Primary master or Secondary master from the drop-down list.

    The Primary master ClearPass server in the zone distributes the scan requests to all the nodes in the zone, depending on the number of seed devices (Network Discovery) or the number of networks/subnets (for Subnet Scans) configured.

    NOTE: If the Primary master server goes down, the Secondary master server assumes the role of the Primary master server.

    Each scan configuration that is added is distributed by the Master ClearPass server to a different node in the zone.

    If one scan configuration has multiple seed devices (Network Discovery), scan requests are distributed to other nodes in the zone based on the number of ARP entries received from the seed devices.

    If one scan configuration has multiple subnets configured (Subnet Scan), scan requests are distributed to other nodes in the zone.

     

    Add publisher IP as DHCP IP helper, we can also add subcriber IP aswell.



  • 3.  RE: DHCP Fingerprint in large deployment

    Posted Jan 09, 2020 12:23 PM

    Thank you Pavan... I will configure the Primary and Standby Publisher as the two DHCP Relay.