Wired Intelligent Edge


MAC Authentication - Clearpass Aruba AP - Profiling no DHCP

  • 1.  MAC Authentication - Clearpass Aruba AP - Profiling no DHCP

    Posted Sep 04, 2020 01:58 PM

    So I have followed the instructions based on the YouTube videos:

    Aruba ClearPass Workshop - Wired #2 - Wired MACAUTH with ArubaOS switch

    Aruba ClearPass Workshop - Wired #3 - ClearPass Profiler for wired

    My problem is with an Aruba AP and an IP intercom - brand new, unknown endpoints.

    1) I plug in the device; it goes through the MAC AUTH service in the Enforcement policy.

    [image: auth.PNG]

    2) Gets user authenticated and profiler - CoA bounce port.

    3) When it comes back it switches to the VoIP VLAN or intercom VLAN.

    Here's the problem: it keeps the old IP address, or drops the IP address, because the port bounce only disables the port and does not remove power, so it will not get another IP address until I reboot the port (disable power or unplug the device).

    Anyone experience this, or what do you do with access points and/or IP intercoms?


  • 2.  RE: MAC Authentication - Clearpass Aruba AP - Profiling no DHCP

    MVP GURU
    Posted Sep 06, 2020 11:43 AM

    Hi,

    It will be better to post on the ClearPass forum.

    What is the status of the endpoint? On Endpoint?



  • 3.  RE: MAC Authentication - Clearpass Aruba AP - Profiling no DHCP

    EMPLOYEE
    Posted Sep 07, 2020 04:22 AM

    Do you see the port bounce actually happen? For how long?

    Most devices will, on a port down, try to get a new IP address. For some devices, you might need to configure a longer port bounce, but there might be devices that don't get a new IP regardless. If you wait patiently, some devices will reboot eventually if they can't connect to their services and at that point get the right access. I don't think a PoE bounce is possible as of today with ArubaOS switches, so if you would like to see that, ask your partner or Aruba SE to open an enhancement request if increasing the port bounce time does not help.

    Note that what you describe only applies to brand new devices, and only the first time they connect. In most cases, you can just accept that it takes 5-10 minutes before a device gets the right access, as they are not yet 'in production'. Your network is at least secured.

    Also, make sure that the device can get an IP in the new role/VLAN, so DHCP is available and working and the DHCP requests are allowed. You can check that with 'show port-access clients <port-number> detailed'.

    Edit: one other suggestion could be to set very low DHCP timers, like 60 seconds or a few minutes, for your profiling VLAN. Then the device, if it honors the DHCP lease period, should try to get a new IP much faster.



  • 4.  RE: MAC Authentication - Clearpass Aruba AP - Profiling no DHCP
    Best Answer

    Posted Sep 14, 2020 10:46 AM

    So what I showed in my picture worked as designed. That was a picture of our Services > Enforcement profile.

    So a new endpoint would not match anything in the enforcement profile until the very end; it would get user authenticated and wired-device-profile.

    The switch port would be assigned VLAN XX, bounce the port, and get an IP address.

    Next time the device comes on, it gets profiled because of the IP address and assigned a new VLAN according to the enforcement profile.

    If you see, my APs had to be in the Endpoint Repository before getting assigned to the proper VLAN. So now that it was profiled it would get the new VLAN.

    Here is the problem: the AP holds on to the old IP address and the port gets assigned a new VLAN. The port bounce by ClearPass only bounces the data, not the power. So the AP still has an IP from the old VLAN and will only release it if you remove power and plug it back in.

    I had the same problem with both the intercom and the AP.

    *********************************************************************

    However, I changed my enforcement profile to say:

    Connection: Client-Mac-Vendor CONTAINS Aruba - wired-wifi-guhsd

    Now that device comes up and is assigned the proper VLAN and IP address on the first round.
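As an added illustration of the rule-ordering point in this answer (example code written for this page, not ClearPass's own evaluation logic and not from the original post): a minimal model of an ordered, first-match enforcement policy. The OUI table, rule names, profile names and MAC addresses are all constructed assumptions.

```python
"""Minimal model of ordered, first-match enforcement-policy evaluation: an
OUI-derived condition (Client-Mac-Vendor) can match a brand-new endpoint on
its first MAC-auth round; a profiler-derived one (Device Category) cannot
until the endpoint has an IP and has been profiled. Names are constructed."""
from dataclasses import dataclass

# Constructed OUI-to-vendor table (stand-in for a real OUI registry lookup).
OUI_VENDORS = {
    "00:11:22": "Aruba, a Hewlett Packard Enterprise Company",
    "aa:bb:cc": "Example Intercom Maker",
}
PROFILING_PROFILE = "[Profiling VLAN + Port Bounce]"  # constructed catch-all

@dataclass
class Endpoint:
    mac: str
    device_category: str = ""  # empty until the profiler has classified it

def mac_vendor(mac: str) -> str:
    """Vendor from the first three octets of the MAC; known at first connect."""
    return OUI_VENDORS.get(mac.lower()[:8], "")

def evaluate(rules, ep: Endpoint) -> str:
    """Rules are (attribute, operator, value, profile); first match wins,
    otherwise fall through to the profiling catch-all."""
    attrs = {
        "Client-Mac-Vendor": mac_vendor(ep.mac),
        "Device Category": ep.device_category,
    }
    for attr, op, value, profile in rules:
        actual = attrs[attr].lower()
        if op == "CONTAINS" and value.lower() in actual:
            return profile
        if op == "EQUALS" and actual == value.lower():
            return profile
    return PROFILING_PROFILE

# Policy as first described: only a profiler-derived rule before the catch-all.
PROFILE_ONLY = [("Device Category", "EQUALS", "Access Points", "wired-wifi-vlan")]
# Policy after the fix: OUI-derived rule evaluated first.
WITH_OUI = [("Client-Mac-Vendor", "CONTAINS", "Aruba", "wired-wifi-vlan")] + PROFILE_ONLY

def first_round(rules, mac: str) -> str:
    """First MAC-auth round: the endpoint repository has no category yet."""
    return evaluate(rules, Endpoint(mac))

def after_profiling(rules, mac: str, category: str) -> str:
    """A later round, after the profiler has populated the device category."""
    return evaluate(rules, Endpoint(mac, category))
```

A Client-Mac-Vendor match keys only on the OUI, so it is a coarser control than a profile-based rule; endpoints the OUI rule does not cover still fall through to the profiler-derived rules and the profiling catch-all.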