Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

smart device profiling

  • 1.  smart device profiling

    Posted Nov 06, 2014 12:56 PM

    Hi,

    We have ClearPass with an Aruba controller with dot1x authentication.

    I want to profile my smart device, but it doesn't work. How can I do it? I have created a role named smart device, and a role mapping: if the authorization endpoint repo is equal to smart device, give him the smart device role.

    Then in the enforcement policy I said: if endpoint is not equal to profile => send the DHCP-only profile, which only sends a role on the controller with any any service dhcp permit, and the Aruba termination profile.

    I have enabled the check boxes to enable profiling.

    Please, waiting for your help.

    Thanks



  • 2.  RE: smart device profiling

    Posted Nov 06, 2014 01:13 PM
    You add your ClearPass as a DHCP relay on your Client VLAN at the Core or Distribution switch where the VLAN leaves.


  • 3.  RE: smart device profiling

    Posted Nov 06, 2014 01:15 PM

    I have added the CPPM and DHCP IP addresses as IP helpers on each VLAN interface on my controller.

    Should I also add them on the same VLAN on the switches?



  • 4.  RE: smart device profiling

    EMPLOYEE
    Posted Nov 06, 2014 01:17 PM
    Yes, it needs to be upstream on the client's gateway interface.


  • 5.  RE: smart device profiling

    Posted Nov 06, 2014 01:29 PM

    As cappalli mentioned, it is more efficient to do at the Core or Distribution switch where the SVI actually lives.

    To use the information received by ClearPass, you need to do the following:

    - First, add the endpoint database as an Authorization Source to your service.

    - Then add the Category/OS Family as Roles/Attributes.

    2014-11-06 12_17_03-ClearPass Policy Manager - Aruba Networks.png

    - And then you can use those in your enforcement policy to apply a certain enforcement profile.

    2014-11-06 13_23_41-ClearPass Policy Manager - Aruba Networks.png



  • 6.  RE: smart device profiling

    Posted Dec 01, 2014 07:10 AM

    Hi, I have tried the same configuration, but each time I am getting an error getting the category and OS type from the endpoint.

    Do I have to create a specific role for the initial role on the controller?



  • 7.  RE: smart device profiling

    EMPLOYEE
    Posted Dec 01, 2014 07:13 AM

    You can use the logon role as a profile role. As the first rule in your service, you can do Category NOT_EXISTS, return the logon role. Be sure the profiler is enabled in your service.



  • 8.  RE: smart device profiling

    Posted Dec 01, 2014 09:14 AM

    Do I need to bounce the client again?

    Do I have to add another enforcement profile to update or bounce the client?

    Thanks