Device profiles

NOTE:

Device profiles rely on role configurations. For information on role configurations, see the Security Guide.

Device profiles are used to dynamically assign port attributes based on the type of devices connected, without having to create a RADIUS infrastructure. You can map device profiles to device groups. A device group contains various match criteria, which can be obtained from multiple sources, such as LLDP, CDP, and local MAC match. Device profiles contain port attributes to be assigned to the port when a connected device matches a device group.

Device profiles are supported in different scenarios. They can be applied on interfaces that are configured with security (802.1X or MAC authentication), applied based on L2 port (LLDP, CDP), or applied on standalone ports with the block-until-profile-applied command enabled. These methods are mutually exclusive. Configure the block-until-profile-applied mode only on a standalone port where no security has been configured, and when you want the port to remain offline until at least one client is onboarded based on the match and ignore criteria that you configure. Local MAC match is supported when you configure the block-until-profile-applied command or a device profile with security.

See the Security Guide for the following commands:

  • The port-access onboarding-method precedence command—If you are configuring both security and device profile on the port, and you want to configure the order in which the methods will be executed.

  • The port-access fallback-role command—If you want to configure a role that must be applied to devices when no other role exists or can be derived for that device.

If you configure match criteria that match across multiple device profiles, the priority order is LLDP, CDP, and then local MAC match. That is, LLDP takes precedence over CDP, which in turn takes precedence over local MAC match.
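The source-priority rule above, modelled as an added Python example (an illustration written for this page, not Aruba code or switch configuration). The class names, the sample profiles, and the substring and MAC-prefix matching are assumptions. When several profiles match through the same source it returns all of them, because the text does not state a tie-break.

```python
# Added illustration: a model of the precedence rule, not switch code.
from dataclasses import dataclass, field

# Source priority as stated in the text: LLDP, then CDP, then local MAC match.
PRIORITY = ("lldp", "cdp", "mac")

@dataclass
class DeviceProfile:              # hypothetical model of a profile and its device groups
    name: str
    role: str
    # Per-source match criteria; substring / MAC-prefix semantics are a simplification.
    lldp: list = field(default_factory=list)  # substrings of the LLDP system description
    cdp: list = field(default_factory=list)   # substrings of the CDP platform string
    mac: list = field(default_factory=list)   # MAC address prefixes, for example an OUI

@dataclass
class Observed:                   # what the port learned about the connected device
    mac: str
    lldp_sys_desc: str = ""
    cdp_platform: str = ""

def _matches(profile, source, dev):
    if source == "lldp":
        return any(s in dev.lldp_sys_desc for s in profile.lldp)
    if source == "cdp":
        return any(s in dev.cdp_platform for s in profile.cdp)
    mac = dev.mac.lower().replace("-", ":")
    return any(mac.startswith(p.lower()) for p in profile.mac)

def resolve(profiles, dev):
    """Return (source, [profiles]) for the highest-priority source that
    matches, or (None, []) when no device group matches the device."""
    for source in PRIORITY:
        hits = [p for p in profiles if _matches(p, source, dev)]
        if hits:
            return source, hits
    return None, []

# Constructed sample data (all names and values are made up).
PROFILES = [
    DeviceProfile("ap-profile", "ap-role", lldp=["Access Point"]),
    DeviceProfile("phone-profile", "voice-role", cdp=["IP Phone"]),
    DeviceProfile("printer-profile", "printer-role", mac=["00:11:22"]),
]

if __name__ == "__main__":
    # This device matches all three profiles, each through a different source.
    dev = Observed("00:11:22:aa:bb:cc", "Example Access Point", "Example IP Phone")
    source, hits = resolve(PROFILES, dev)
    print(source, [p.name for p in hits])
```

Running the same check over a planned set of profiles shows which role a device that advertises more than one matching attribute would receive, and where two profiles overlap on the same source.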

The following figure shows a simple configuration of a device profile and AAA authentication with a RADIUS server and Aruba ClearPass Policy Manager. The local MAC match feature is useful when you do not want to set up a RADIUS infrastructure or when you want to use local authentication as a backup method in case the RADIUS server is unreachable.

Figure 2: Example of device profile setup along with RADIUS infrastructure