Security

Hi,

I am currently testing out MPSK configured via Aruba Central (AP firmware 8.10) and integrated with ClearPass.

I followed a short tutorial I found here: ClearPass MPSK per Device Type with Profiling (adamhollifield.com)

I decided to go with this method because I can see how this solution scales a bit better than individual PSK's for each device registered within ClearPass.

I initially tested it with a device that is already profiled, this worked perfectly.

I am struggling to get a non-profiled device to connect properly. 

The SSID is configured as follows:

To my enforcement profile I added a specific step to handle profiling. I am sending back Aruba-User-Role and Aruba-User-Vlan. I noticed that the Aruba-User-Vlan isn't getting assigned. When checking the status of the connected device, it shows the User Role I want, but the VLAN shows 0.

I am new to Aruba Central so I am not 100% familiar with all the ins and outs, but I shouldn't have to define the Vlan in Aruba Central anywhere, do I? I haven't had to do this in the past with on-premises Virtual Controller.

Below is my enforcement policy. It is setup in a similar way to the tutorial, I only added the profiling stage. Sorry if that is an old school way of profiling. It's been a while since I have had to do new configuration in ClearPass so I am a little rusty:

Hi

You need to return the VLAN if you don't specify the VLAN in the SSID configuration.

What does the Profiling enforcement profile apply? Is it placing the client on a different VLAN or applying a restrictive role or something special?

For the profiling to work as intended, you have to allow DHCP on the VLAN where the unprofiled client is placed.

Hi,

I am currently testing out MPSK configured via Aruba Central (AP firmware 8.10) and integrated with ClearPass.

I followed a short tutorial I found here: ClearPass MPSK per Device Type with Profiling (adamhollifield.com)

I decided to go with this method because I can see how this solution scales a bit better than individual PSK's for each device registered within ClearPass.

I initially tested it with a device that is already profiled, this worked perfectly.

I am struggling to get a non-profiled device to connect properly. 

The SSID is configured as follows:

To my enforcement profile I added a specific step to handle profiling. I am sending back Aruba-User-Role and Aruba-User-Vlan. I noticed that the Aruba-User-Vlan isn't getting assigned. When checking the status of the connected device, it shows the User Role I want, but the VLAN shows 0.

I am new to Aruba Central so I am not 100% familiar with all the ins and outs, but I shouldn't have to define the Vlan in Aruba Central anywhere, do I? I haven't had to do this in the past with on-premises Virtual Controller.

Below is my enforcement policy. It is setup in a similar way to the tutorial, I only added the profiling stage. Sorry if that is an old school way of profiling. It's been a while since I have had to do new configuration in ClearPass so I am a little rusty:

Hi there,

Thank you for your reply.

Currently, for the profiling role I am sending back two attributes: Aruba-User-Role and Aruba-User-Vlan. Here is the profile for the profiling action:

Hi

You need to return the VLAN if you don't specify the VLAN in the SSID configuration.

What does the Profiling enforcement profile apply? Is it placing the client on a different VLAN or applying a restrictive role or something special?

For the profiling to work as intended, you have to allow DHCP on the VLAN where the unprofiled client is placed.

Hi,

I am currently testing out MPSK configured via Aruba Central (AP firmware 8.10) and integrated with ClearPass.

I followed a short tutorial I found here: ClearPass MPSK per Device Type with Profiling (adamhollifield.com)

I decided to go with this method because I can see how this solution scales a bit better than individual PSK's for each device registered within ClearPass.

I initially tested it with a device that is already profiled, this worked perfectly.

I am struggling to get a non-profiled device to connect properly. 

The SSID is configured as follows:

To my enforcement profile I added a specific step to handle profiling. I am sending back Aruba-User-Role and Aruba-User-Vlan. I noticed that the Aruba-User-Vlan isn't getting assigned. When checking the status of the connected device, it shows the User Role I want, but the VLAN shows 0.

I am new to Aruba Central so I am not 100% familiar with all the ins and outs, but I shouldn't have to define the Vlan in Aruba Central anywhere, do I? I haven't had to do this in the past with on-premises Virtual Controller.

Below is my enforcement policy. It is setup in a similar way to the tutorial, I only added the profiling stage. Sorry if that is an old school way of profiling. It's been a while since I have had to do new configuration in ClearPass so I am a little rusty:

If this is an MPSK SSID, you should also return the MPSK that should be used. Otherwise the controller/AP does not know which MPSK to use and the client is not allowed on the network. But which MPSK should you return for unknown devices? That makes this concept a bit problematic in my view.

Hi there,

Thank you for your reply.

Currently, for the profiling role I am sending back two attributes: Aruba-User-Role and Aruba-User-Vlan. Here is the profile for the profiling action:

Hi

You need to return the VLAN if you don't specify the VLAN in the SSID configuration.

What does the Profiling enforcement profile apply? Is it placing the client on a different VLAN or applying a restrictive role or something special?

For the profiling to work as intended, you have to allow DHCP on the VLAN where the unprofiled client is placed.

Hi,

I am currently testing out MPSK configured via Aruba Central (AP firmware 8.10) and integrated with ClearPass.

I followed a short tutorial I found here: ClearPass MPSK per Device Type with Profiling (adamhollifield.com)

I decided to go with this method because I can see how this solution scales a bit better than individual PSK's for each device registered within ClearPass.

I initially tested it with a device that is already profiled, this worked perfectly.

I am struggling to get a non-profiled device to connect properly. 

The SSID is configured as follows:

To my enforcement profile I added a specific step to handle profiling. I am sending back Aruba-User-Role and Aruba-User-Vlan. I noticed that the Aruba-User-Vlan isn't getting assigned. When checking the status of the connected device, it shows the User Role I want, but the VLAN shows 0.

I am new to Aruba Central so I am not 100% familiar with all the ins and outs, but I shouldn't have to define the Vlan in Aruba Central anywhere, do I? I haven't had to do this in the past with on-premises Virtual Controller.

Below is my enforcement policy. It is setup in a similar way to the tutorial, I only added the profiling stage. Sorry if that is an old school way of profiling. It's been a while since I have had to do new configuration in ClearPass so I am a little rusty: