Security

If the device hasn't been profiled yet, you will see that.

It's more informational. You shouldn't need to worry about it.

User can't access to my network because clearpass can't classify device category

Is it because I choose dot1X authentication. how i solve it

You need to add an interim profile role to allow ClearPass to properly profile the device and then re authenticate. 


Thanks, 
Tim

how can i re authenticate device again ??

 

 

 

you can send a CoA or you can just disconnect and connect the client, a short reauth timer might also be a possibility.

If you are using the endpoint database to make decision using the device type then you should create a rule at the bottom of your logic that if the hasn't been profiled then to allow them thru for a short period of time so it can get an IP address and get profiled and then CoA / Aruba terminate the device with the profiler ( you can enable this in the service)

I am having the same issue and it is frustrating! I have been in contact with TAC and still, the problem is not solved. The designated roles have been updated to allow that client to get an IP so that the CPPM can proceed with the appropriate profiling. Even after such changes, we can see that the client continues to get the issue from the snip below...

Did you configure ClearPass as DHCP relay under the VLAN the device lands ?
What type of authentication are you using?

Hi Victor,

 

Did you configure ClearPass as DHCP relay under the VLAN the device lands?

I do not believe that the CPPM was configured for a DHCP relay, but I can check. I will need some guidance on how to confirm this. But what I can say is that all DHCP requests are going to our DHCP server and all clients are getting IP'd, but we can see that the profiling is not occurring as expected.

What type of authentication are you using?

Based on the "Service" summary for our corporate network, the authentication methods being used are EAP PEAP, EAP MSCHAPv2, and EAP TLS. The authentication source is our AD server.

 

If you guys are using profiling information as a mechanism to allow devices to get on the 802.1X network (Layer 2 Authentication) , you guys need to do the following:

• The typical method used to do profiling is adding ClearPass as an additional DHCP relay on the VLAN, once the device obtains an IP address then it will be profiled
• When using a layer 2 authentication devices don’t get an ip address until the device/user is allowed on the network
• In your Enforcement Policy you need to include a rule that if the device is not profiled return a VLAN ("transitional" VLAN that allows the device to get profiled) and also you will need to execute a CoA to your Controller or Switch (need to make sure you enable RFC3576)