As far as I know, the role is applied inbound only (from the client to the switch/network).
Have you considered creating a profiling VLAN, which can have a dummy IP and ip-helpers pointing to just the ClearPass server?
Another option is to just use the guest VLAN and add a captive portal redirect to ClearPass, with the benefit that you might also get a browser User-Agent from the client that connected, for additional profiling. And unless the client is profiled, it allows the end user to log in as a wired guest or use an Operator Profile to do device registration. I tend to use the guest-login role/VLAN for profiling because the guest VLAN is open to untrusted users in most cases, so it is perfect for profiling.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
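The first suggestion above (a dedicated profiling VLAN whose only DHCP relay target is ClearPass) as an added AOS-CX configuration example. This is not from the original thread or from Aruba; the VLAN ID 999, the dummy SVI address 10.99.0.1/24, the ClearPass address 10.1.1.50 and the role name PROFILING are assumptions. It reuses the Profiling_ACL policy from the original post, which permits inbound UDP/67 and drops everything else:

```text
! Added example, not part of the original thread. Assumed values:
! VLAN 999 = profiling VLAN, 10.99.0.1/24 = dummy SVI address, 10.1.1.50 = ClearPass
vlan 999
    name PROFILING
!
! The SVI exists only so the switch can relay DHCP. The single helper address
! is ClearPass, whose DHCP collector listens for DISCOVER/REQUEST fingerprints
! but does not hand out leases, so the client never receives an OFFER.
interface vlan 999
    ip address 10.99.0.1/24
    ip helper-address 10.1.1.50
!
! Pre-auth role: bind the poster's inbound policy and put the port in the profiling VLAN
port-access role PROFILING
    associated-policy Profiling_ACL
    vlan access 999
```

Because the policy is evaluated on traffic entering the port from the client, the question of blocking DHCP responses on egress does not arise: with no real DHCP server reachable from VLAN 999 there is nothing to block. If the helper list ever includes a production DHCP server, the client will get a lease in the profiling VLAN, so keep that list to ClearPass only.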
Original Message:
Sent: Sep 13, 2022 06:47 PM
From: Chris Denham
Subject: AOS-CX Pre-auth profiling ACL question
- I'm creating a 'profiling' role to be used as a wired pre-auth role on an AOS-CX switch.
- The role will only allow DHCP, for the purpose of profiling against ClearPass.
- I would like to use an existing Guest VLAN for this.
My question is: is there a way to prevent DHCP responses from reaching the client and an IP address being assigned?
I suppose the real question is: do port-access policies apply to inbound traffic only, or to both inbound and outbound traffic?
class ip ANY
    10 match any any any
class ip DHCP
    10 match udp any any eq 67
port-access policy Profiling_ACL
    10 class ip DHCP
    20 class ip ANY action drop