Guru Elite

Re: Profiling Devices without CoA

No.  In the cluster-wide parameters, you can configure "Profile subnet scan interval" which will say at what intervals it will scan.

 

Quite frankly, you would get much, much more data from adding a DHCP helper-address to the same layer3 interface that your existing helper address is on.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
Trusted Contributor I

Re: Profiling Devices without CoA

I have subnet scanning enabled for printer and VoIP vlans only. While I do have dhcp relay enabled for the VoIP phones, I believe subnet scanning is the only option I have for identifying the printers since their IPs are static.
=======================================
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.
Trusted Contributor I

Re: Profiling Devices without CoA

How do I export the ClearPass logs?

 

-----  EDIT ---------

 

You can export logs via:

 

Administration > Server Manager > Server Configuration:

Click on the radio button beside the server name then click the Collect Logs button.

Trusted Contributor I

Re: Profiling Devices without CoA

Profiling is working in CP now.  Our issue was fixed by deleting an invalid certificate in the Certificate Trust List and restarting the services:

 

  1. Administration > Certificates > Trust List
  2. Set Filter: Enabled equals Enabled
  3. Delete certificate(s) that are showing invalid.
  4. Login to the CP server via CLI.
  5. Login as app admin.
  6. Type: service restart all
Trusted Contributor I

Re: Profiling Devices without CoA

I need to retract my previous "solution" as we found out that deleting the invalid certificate was not the actual fix.  About a week after I posted the solution, profiling stopped working.  I assumed we were hitting a bug but CP was actually working as designed.  Weird, eh?  I'll keep it short, but here is ultimately what I learned:

 

In a CP cluster, when all CP servers have profiling enabled, only one of the servers can be the master profiler just like you can only have one publisher.  The master profiler is selected via election, and the server with the lowest UUID wins. Although all CP servers may have profiling enabled, only the master profiler can profile devices.  Having an election for the master profiler provides a level of redundancy should something happen to the CP server acting as master profiler.

 

For non-profiling redundancy, enable profiling on only one CP server and point all DHCP relays to that CP server.

For profiling redundancy, enable profiling on X amount of CP servers, and set up DHCP relays to those CP servers.

 

This is what the CP engineers suggested to me after having profiling difficulties for about a month.  I was surprised to find out that of all the people I talked to, no one (colleagues, SEs, TAC) was aware that this is how profiling works in a cluster.  I couldn't find any mention of this in the CP documentation, so I requested that it be added.  Hopefully, it's added so that others don't have the same issue and bang their heads against the wall like I did for a month.

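The election rule described in the post above can be modelled to check whether DHCP relays still reach the master profiler when a node fails. This is an added example, not part of the original thread and not ClearPass code; the node names, UUIDs and addresses are constructed, and comparing UUIDs as lowercase strings is an assumption.

```python
from itertools import combinations

# Constructed sample cluster: names, UUIDs and IPs are illustrative only.
CLUSTER = [
    {"name": "cppm-pub",  "uuid": "7c1e4f02-0000-4000-8000-000000000001", "ip": "192.0.2.10", "profiling": True},
    {"name": "cppm-sub1", "uuid": "2a9f8b10-0000-4000-8000-000000000002", "ip": "192.0.2.11", "profiling": True},
    {"name": "cppm-sub2", "uuid": "b4d07a33-0000-4000-8000-000000000003", "ip": "192.0.2.12", "profiling": True},
]

def elect_master(candidates):
    """Lowest UUID wins, as the post states. Comparing the UUIDs as
    lowercase strings is an assumption of this sketch."""
    return min(candidates, key=lambda n: n["uuid"].lower()) if candidates else None

def relay_coverage(nodes, relay_targets, max_failures=1):
    """For each scenario with up to max_failures nodes down, report the
    elected master profiler and whether a DHCP relay points at it."""
    findings = []
    names = [n["name"] for n in nodes]
    for k in range(max_failures + 1):
        for down in combinations(names, k):
            up = [n for n in nodes if n["profiling"] and n["name"] not in down]
            master = elect_master(up)
            findings.append({
                "down": down,
                "master": master["name"] if master else None,
                "covered": master is not None and master["ip"] in relay_targets,
            })
    return findings

def uncovered(findings):
    """Scenarios in which DHCP traffic never reaches the master profiler."""
    return [f["down"] for f in findings if not f["covered"]]

if __name__ == "__main__":
    # Relay points only at the publisher while every node has profiling enabled.
    for f in relay_coverage(CLUSTER, {"192.0.2.10"}):
        print(f)
```

With the relay pointed only at the publisher, the sample cluster elects `cppm-sub1` and the relay misses it; pointing relays at every profiling-enabled node leaves no uncovered scenario.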
MVP

Re: Profiling Devices without CoA

@thecompnerd

 

Thanks for posting this information!

We are close to putting our two CPPMs into a cluster and have found it hard to find information on clustering.

 

This will go into my bookmarks in case we run into issues down the road!

 

Cheers

Super Contributor I

Re: Profiling Devices without CoA

Is there a way to view which server has been elected as the master profiler? Right now, I have my dhcp relay configured to go to my publisher, but all servers are configured to profile endpoints. Is the election process dynamic? Right now, most things are being profiled correctly, but I have clients (on the same network, on the same controller) not being profiled. I've opened a case already, but if you have insights on this, I'd appreciate it.

 

Thanks!

==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University