Wired Intelligent Edge (Campus Switching and Routing)


MAC Authentication - Clearpass Aruba AP - Profiling no DHCP

So I have followed instructions based on YouTube:

Aruba ClearPass Workshop - Wired #2 - Wired MACAUTH with ArubaOS switch

Aruba ClearPass Workshop - Wired #3 - ClearPass Profiler for wired

 

My problem is with Aruba AP and IP Intercom - brand new - unknown endpoints

1) I plug in the device - it goes through the MAC AUTH service - in the Enforcement policy


2) Gets user authenticated and profiler - CoA bounce port

3) When it comes back it switches to the VoIP VLAN or intercom VLAN

Here's the problem: it keeps the old IP address or drops the IP address because the port only disables, it does not remove power, so it will not get another IP address until I reboot the port (disable power or unplug the device).

Has anyone experienced this, or what do you do with access points and/or IP intercoms?

 

 

 

 

 

 

 


Re: MAC Authentication - Clearpass Aruba AP - Profiling no DHCP

Hi,

It would be better to post on the ClearPass forum.

What is the status of the endpoint? On Endpoint?




Re: MAC Authentication - Clearpass Aruba AP - Profiling no DHCP

Do you see the port bounce actually happen? For how long?

 

Most devices will try to get a new IP address on a port down. For some devices, you might need to configure a longer port-bounce, but there might be devices that don't get a new IP regardless. If you wait patiently, some devices will reboot eventually if they can't connect to their services and at that point get the right access. I don't think a PoE bounce is possible as of today with ArubaOS switches, so if you would like to see that, ask your partner or Aruba SE to open an enhancement request if increasing the port bounce time does not help.

 

Note that what you describe only applies to brand new devices, and only the first time they connect. In most cases, you can just accept if it takes 5-10 minutes before a device gets into the right access as they are not yet 'in production'. Your network is at least secured.

 

Also, make sure that the device can get an IP in the new role/VLAN, so DHCP is available, working and the DHCP requests are allowed. You can check that in the 'show port-access clients <port-number> detailed'.

 

Edit: one other suggestion could be to set very low DHCP timers, like 60 seconds or a few minutes, for your profiling VLAN. Then the device, if it honors the DHCP lease period, should try to get a new IP much faster.
