Ooh, this is interesting.
It is an MPSK network, yes. I am just in the testing phases.
When I was testing with an already profiled device, in the enforcement profile I do pass the MPSK value back (as per the link I provided).
As a test, I changed the enforcement profile that was being used to be one that included the MPSK, and this time the device was able to successfully connect. So it would appear you are correct, Herman: the MPSK NEEDS to be specified.
Is it possible to approach profiling on an MPSK network the same way we would on an 802.1x network? Or can profiling be done at all in an MPSK network when it is implemented the way I have it implemented?
We would need the ability to respond back to the client dynamically. The MPSK passphrase is something that is dynamically generated and does not appear to be able to be copied.
It seems this isn't exactly possible. We would have to profile in some other way?
Original Message:
Sent: Mar 19, 2024 11:54 AM
From: Herman Robers
Subject: Aruba Central and ClearPass and MPSK
If this is an MPSK SSID, you should also return the MPSK that should be used. Otherwise the controller/AP does not know which MPSK to use and the client is not allowed on the network. But which MPSK should you return for unknown devices? That makes this concept a bit problematic in my view.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Mar 19, 2024 08:25 AM
From: th_son
Subject: Aruba Central and ClearPass and MPSK
Hi there,
Thank you for your reply.
Currently, for the profiling role I am sending back two attributes: Aruba-User-Role and Aruba-User-Vlan. Here is the profile for the profiling action:
Here is the Output from the request:
I have also made sure that the profile exists in Aruba Central.
Within the role in Aruba Central, I have made sure that DHCP is allowed.
Is there anything that would prevent the VLAN from being assigned? I don't think I have run into this before.
Regards,
Todd
Original Message:
Sent: Mar 19, 2024 06:59 AM
From: jonas.hammarback
Subject: Aruba Central and ClearPass and MPSK
Hi
You need to return the VLAN if you don't specify the VLAN in the SSID configuration.
What does the Profiling enforcement profile apply? Is it placing the client on a different VLAN or applying a restrictive role or something special?
For the profiling to work as intended, you have to allow DHCP on the VLAN where the unprofiled client is placed.
------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
Original Message:
Sent: Mar 18, 2024 03:44 PM
From: th_son
Subject: Aruba Central and ClearPass and MPSK
Hi,
I am currently testing out MPSK configured via Aruba Central (AP firmware 8.10) and integrated with ClearPass.
I followed a short tutorial I found here: ClearPass MPSK per Device Type with Profiling (adamhollifield.com)
I decided to go with this method because I can see how this solution scales a bit better than individual PSKs for each device registered within ClearPass.
I initially tested it with a device that is already profiled; this worked perfectly.
I am struggling to get a non-profiled device to connect properly.
The SSID is configured as follows:
To my enforcement profile I added a specific step to handle profiling. I am sending back Aruba-User-Role and Aruba-User-Vlan. I noticed that the Aruba-User-Vlan isn't getting assigned. When checking the status of the connected device, it shows the User Role I want, but the VLAN shows 0.
I am new to Aruba Central so I am not 100% familiar with all the ins and outs, but I shouldn't have to define the VLAN in Aruba Central anywhere, should I? I haven't had to do this in the past with an on-premises Virtual Controller.
Below is my enforcement policy. It is set up in a similar way to the tutorial; I only added the profiling stage. Sorry if that is an old-school way of profiling. It's been a while since I have had to do new configuration in ClearPass, so I am a little rusty:
Definitely feel like I am missing something obvious.
Any help would be appreciated.
Regards,
Todd