AOS-CX Pre-auth profiling ACL question

  • 1.  AOS-CX Pre-auth profiling ACL question

    Posted Sep 13, 2022 06:48 PM
    - I'm creating a 'profiling' role to be used as a wired pre-auth role on an AOS-CX switch.
    - The role will only allow DHCP for the purpose of profiling against ClearPass.
    - I would like to use an existing Guest VLAN for this

    My question is, is there a way to prevent DHCP responses from reaching the client and an IP address being assigned?
    I suppose the real question is, do port-access policies apply to inbound or both inbound/outbound traffic as well?

    class ip ANY
        10 match any any any
    class ip DHCP
        10 match udp any any eq 67

    port-access policy Profiling_ACL
        10 class ip DHCP
        20 class ip ANY action drop


  • 2.  RE: AOS-CX Pre-auth profiling ACL question

    EMPLOYEE
    Posted Sep 14, 2022 05:53 AM
    As far as I know the role is applied inbound only (from client to the switch/network).

    Have you considered creating a profiling VLAN, which can have a dummy IP and ip-helpers to just the ClearPass server?
    Another option is to just use the guest VLAN, and add a captive portal redirect to ClearPass, with the benefit that you might get a browser User-Agent as well from the client that connected for additional profiling. And unless the client is profiled, it allows the end-user to login as wired guest or use an Operator Profile to do device registration. I tend to use the guest-login role/VLAN for profiling because the guest VLAN is open to untrusted users in most cases, so perfect for profiling.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
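    Since the port-access policy only filters what the client sends, the design Herman describes stops the DHCP reply at the VLAN rather than in the ACL: the profiling VLAN has a dummy SVI address and a single relay target, ClearPass, so the Discover is fingerprinted but no DHCP server ever answers. The AOS-CX configuration below is an added illustration of that design, not config from the thread or from HPE Aruba; the VLAN ID 999, the SVI address 192.0.2.1/24, the ClearPass address 198.51.100.10 and the role name PROFILING are assumed values, and the class/policy lines are the ones from the question.

```text
! Profiling VLAN (locally significant, no trunk distribution needed).
! Assumed values: VLAN 999, SVI 192.0.2.1/24, ClearPass 198.51.100.10.
vlan 999
    name PROFILING

! Dummy gateway address; the only DHCP relay target is ClearPass, so the
! client's Discover reaches ClearPass for fingerprinting and nothing replies.
interface vlan 999
    description Pre-auth profiling, no real DHCP server reachable
    ip address 192.0.2.1/24
    ip helper-address 198.51.100.10

! ACL from the question, unchanged: client-to-server DHCP (UDP/67) passes,
! everything else from the client is dropped. Applied inbound only.
class ip ANY
    10 match any any any
class ip DHCP
    10 match udp any any eq 67

port-access policy Profiling_ACL
    10 class ip DHCP
    20 class ip ANY action drop

! Pre-auth role (assumed name) tying the inbound policy to the profiling VLAN.
port-access role PROFILING
    associated-policy Profiling_ACL
    vlan access 999
```

    Once ClearPass returns a device-specific role after MAB, the client is moved by role/dACL rather than by a VLAN change, which is the point made later in the thread about printers.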



  • 3.  RE: AOS-CX Pre-auth profiling ACL question

    Posted Sep 14, 2022 04:27 PM
    Thanks Herman!

    Yes, I've used a profiling VLAN in the past with dummy IP and only helpers pointing to ClearPass.
    I was just trying to minimize the number of VLANs deployed this time :)

    The reason I'd prefer not to use captive portal in this environment is that MAB will be used for devices such as printers that don't behave well with a VLAN change after they've already received an IP address.


  • 4.  RE: AOS-CX Pre-auth profiling ACL question

    EMPLOYEE
    Posted Sep 15, 2022 07:52 AM
    That is the reason why you should use roles/dACLs instead of changing VLANs. That dummy VLAN only has local significance, so you don't need to distribute it across your switches, but if the design doesn't allow a separate dummy VLAN for profiling, that will not work.

    BTW, on wired, I found that when you do a port bounce (long enough), most devices will redo DHCP. If you have to do VLAN changes, make sure you combine it with a port bounce.

    ------------------------------
    Herman Robers
    ------------------------
    ------------------------------