
To enable DHCP Endpoint Profiling, the switch needs to forward relevant DHCP packets from the client to the ClearPass server. The most common method is configuring the switch to act as a DHCP relay agent for the ClearPass server IP address on the client VLAN's Switched Virtual Interface (SVI).
In scenarios where port access control (like 802.1X or MAC Auth) is enabled, clients might need to send DHCP requests before they are fully authenticated. To allow this while maintaining security, a pre-authentication role with limited access (specifically allowing DHCP) can be applied to the port initially.
The logical sequence based on the provided steps, assuming a pre-authentication workflow is intended, is:
Create the role: Define the pre-authentication role container and associate it with the appropriate initial VLAN if needed.
Permit DHCP in the role: Apply an Access Control List (ACL) or policy to this role that permits the necessary DHCP traffic (UDP ports 67 and 68). The step provided only mentions UDP 67, which allows the client's initial Discover/Request packets towards the server/relay. (A complete solution requires allowing return traffic on UDP 68 as well.)
Apply the role: Configure the client-facing physical interface to use this pre-authentication role before the final role is assigned post-authentication.
Configure DHCP Relay: Configure the ip helper-address command on the client's VLAN SVI. This instructs the switch to forward the DHCP packets it receives from clients in that VLAN to the ClearPass server (in addition to forwarding them to the actual DHCP server). ClearPass receives these packets and extracts information for profiling.
This sequence ensures that even before full authentication, DHCP is permitted, and the necessary packets are relayed to ClearPass for profiling.
[References: AOS-CX Security Guide (Port Access, Roles, AAA), AOS-CX IP Helper / DHCP Relay Guide, ClearPass Deployment Guides (Endpoint Profiling using DHCP). This relates to "Authentication/Authorization" (9%), "Security" (10%), and "Switching" (19%).]