Device profiles

NOTE:

Device profiles rely on role configurations. For information on role configurations, see the Security Guide.

Device profiles are used to dynamically assign port attributes based on the type of devices connected, without having to create a RADIUS infrastructure. You can map device profiles to device groups. A device group contains various match criteria, which can be obtained from multiple sources, such as LLDP, CDP, and local MAC match. Device profiles contain port attributes to be assigned to the port when a connected device matches a device group.

Device profiles are supported in different scenarios. They can be applied on interfaces that are configured with security (802.1X or MAC authentication), applied based on L2 port (LLDP, CDP), or applied on standalone ports with the block-until-profile-applied command enabled. These methods are mutually exclusive. Configure the block-until-profile-applied mode only on a standalone port where no security has been configured and when you want the port to be offline until at least one client is onboarded based on the match and ignore criteria that you configure. Local MAC match is supported when you configure the block-until-profile-applied command or a device profile with security.

See the Security Guide for the following commands:

  • The port-access onboarding-method precedence command: use it if you are configuring both security and a device profile on the port and you want to configure the order in which the methods are executed.

  • The port-access fallback-role command: use it if you want to configure a role that must be applied to devices when no other role exists or can be derived for that device.

If you configure match criteria that match across multiple device profiles, the priority considered is LLDP, CDP, and then local MAC match. That is, LLDP takes precedence over CDP, which in turn takes precedence over local MAC match.
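The following Python sketch is an added example, not Aruba code or CLI. It models the precedence above so you can check offline which profile and role a device would receive when its LLDP, CDP, and MAC data match different profiles, and when only the fallback role applies. Profile names, roles, attribute names, the matching semantics, and the tie-break between profiles on the same source are assumptions.

```python
from dataclasses import dataclass, field

# Precedence stated above: LLDP first, then CDP, then local MAC match.
SOURCE_PRIORITY = ("lldp", "cdp", "mac")

@dataclass
class DeviceProfile:
    name: str
    role: str
    # source -> {attribute: pattern}; attribute names are illustrative, not CLI keywords
    groups: dict = field(default_factory=dict)

def group_matches(source, criteria, observed):
    """All criteria must hit: MAC patterns are prefixes, others substrings (assumption)."""
    if not criteria or not observed:
        return False
    for attr, pattern in criteria.items():
        value = observed.get(attr, "").lower()
        hit = value.startswith(pattern.lower()) if source == "mac" else pattern.lower() in value
        if not hit:
            return False
    return True

def all_matches(profiles, device):
    """Every (source, profile name) pair that matches, in precedence order."""
    # Assumption: within one source, profiles are tried in list order.
    return [(s, p.name) for s in SOURCE_PRIORITY for p in profiles
            if group_matches(s, p.groups.get(s), device.get(s))]

def resolve(profiles, device, fallback_role=None):
    """Return (profile, role, source) of the winning match, else the fallback role."""
    hits = all_matches(profiles, device)
    if not hits:
        return None, fallback_role, None
    source, name = hits[0]
    role = next(p.role for p in profiles if p.name == name)
    return name, role, source

# Constructed sample data (not from the page).
PROFILES = [
    DeviceProfile("printers", "printer-role", {"mac": {"address": "00:11:22"}}),
    DeviceProfile("phones", "voice-role", {"cdp": {"platform": "IP Phone"}}),
    DeviceProfile("aps", "ap-role", {"lldp": {"sys-desc": "Access Point"}}),
]
DEVICE = {
    "lldp": {"sys-desc": "Example Access Point 5xx"},
    "cdp": {"platform": "Example IP Phone"},
    "mac": {"address": "00:11:22:aa:bb:cc"},
}

if __name__ == "__main__":
    print(all_matches(PROFILES, DEVICE))
    print(resolve(PROFILES, DEVICE, fallback_role="quarantine-role"))
```

More than one entry from all_matches for a single device indicates overlapping match criteria that are worth reviewing, because only the highest-precedence source decides the role.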

The following figure displays a simple configuration of device profile and AAA authentication with a RADIUS server and Aruba ClearPass Policy Manager. The local MAC match feature is useful when you do not want to incur the cost of a RADIUS infrastructure or when you want to use local authentication as a backup method in case the RADIUS server is unreachable.

Figure 2: Example of device profile setup along with RADIUS infrastructure