
Some endpoints not getting profiled for some reason?

  • 1.  Some endpoints not getting profiled for some reason?

    Posted Nov 07, 2016 12:40 PM

    We have some endpoints that aren't getting profiled for some reason and I can't figure out why. My VOIP guy is plugging in new out-of-the-box Cisco phones and they aren't getting profiled, even though we already have hundreds of this exact same phone model and OS on the network. Why is it randomly not profiling these phones?

     

    We're on 6.6.0.81015. Cisco switches are 4507 running 03.06.04.E. Under Endpoint Profiler, I currently show 636 of these model phones that I'm having issues with.



  • 2.  RE: Some endpoints not getting profiled for some reason?

    EMPLOYEE
    Posted Nov 07, 2016 12:57 PM

    Are you using a second ip helper-address to send a copy of the DHCP traffic to ClearPass? That is the only way they would be profiled.



  • 3.  RE: Some endpoints not getting profiled for some reason?

    Posted Nov 07, 2016 01:00 PM
    Are those devices getting an IP address, and if yes, are you using ClearPass as a DHCP relay under the VOIP layer 3 VLAN so that ClearPass can receive the profile information?



  • 4.  RE: Some endpoints not getting profiled for some reason?

    Posted Nov 07, 2016 01:04 PM

    Yes, there is an ip-helper address. It's obviously working by the fact that I already have 636 of these exact phones successfully authorized.

    We have three helper addresses on our SVI: two are the DHCP servers and the third is the ClearPass server.



  • 5.  RE: Some endpoints not getting profiled for some reason?

    Posted Nov 07, 2016 01:30 PM
    Are you using the profile information to allow access? If yes, then you need to either allow the phone to connect to a port that doesn't have authentication enabled so it can get an IP address, or enable the profiler on the service.
    http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Clearpass-with-802-1x-and-endpoint-profiling-of-ip-phones-Aruba/td-p/232092




  • 6.  RE: Some endpoints not getting profiled for some reason?

    Posted Nov 07, 2016 02:09 PM

    For the service that it is hitting, I do not have "Profile Endpoints" checked and it is using the Endpoint Repository as the authentication source. 

     

    Edit: the consultant who helped me set this up advised against checking the box for "profile endpoints". I'm not sure why he suggested that, but are you saying I should enable it on this service?



  • 7.  RE: Some endpoints not getting profiled for some reason?

    EMPLOYEE
    Posted Nov 07, 2016 02:54 PM

    Profiling should be independent of a service. You should search for those devices in the endpoint database.



  • 8.  RE: Some endpoints not getting profiled for some reason?

    Posted Nov 07, 2016 03:22 PM
    Adding the Profiler on your service allows you to dynamically profile devices.

    You can place the device in a transition VLAN (just to get DHCP and get profiled by ClearPass) and also make sure to send a CoA during that process. That way the device will be forced to reauth, and on the second auth ClearPass will have the profiling information. Then you should be able to use that information to provide access in your enforcement policy.
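
Added example, not part of any post in this thread: the replies above turn on whether a relayed copy of each phone's DHCP traffic reaches ClearPass, so this Python sketch parses a captured DHCP payload and reports whether it was relayed (giaddr set by the helper address) and carries options 55 and 60, which DHCP fingerprinting commonly relies on. The function names and the sample packet (MAC, addresses, option values) are constructed for illustration.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that follows the 236-byte BOOTP header
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}

def parse_dhcp(payload: bytes) -> dict:
    """Pull out the fields a DHCP-based profiler can fingerprint on."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    info = {"giaddr": ".".join(map(str, payload[24:28])),
            "mac": payload[28:28 + min(payload[2], 16)].hex(":"),
            "msg_type": None, "vendor_class": None, "param_list": []}
    i = 240
    while i < len(payload) and payload[i] != 255:      # 255 = end option
        if payload[i] == 0:                            # 0 = pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == 53 and length == 1:                 # DHCP message type
            info["msg_type"] = MSG_TYPES.get(value[0], str(value[0]))
        elif code == 55:                               # parameter request list
            info["param_list"] = list(value)
        elif code == 60:                               # vendor class identifier
            info["vendor_class"] = value.decode("ascii", "replace")
        i += 2 + length
    return info

def profiling_gaps(info: dict) -> list:
    """Reasons this packet would give the profiler nothing to work with."""
    gaps = []
    if info["giaddr"] == "0.0.0.0":
        gaps.append("giaddr is 0.0.0.0: packet was not relayed by a helper address")
    if info["msg_type"] not in ("DISCOVER", "REQUEST"):
        gaps.append("not a client DISCOVER/REQUEST")
    if not info["vendor_class"] and not info["param_list"]:
        gaps.append("no option 55 or 60 present to fingerprint")
    return gaps

def build_sample(giaddr: bytes = bytes([10, 0, 20, 1])) -> bytes:
    """Constructed relayed DISCOVER; MAC, addresses and option values are made up."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 1, 0x1234ABCD, 0, 0, bytes(4),
                         bytes(4), bytes(4), giaddr, bytes.fromhex("001122334455"), b"", b"")
    vendor = b"Cisco Systems, Inc. IP Phone"
    params = bytes([1, 66, 6, 3, 15, 150, 35])
    options = bytes([53, 1, 1, 60, len(vendor)]) + vendor + bytes([55, len(params)]) + params + b"\xff"
    return header + MAGIC + options
```

Feed `parse_dhcp` the UDP payload of a packet captured toward the profiler's address (UDP port 67) and compare the output for a phone that profiled against one that did not.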