HPE Aruba Networking ClearPass Policy Manager (CPPM) uses device profiling to classify endpoints,
and one of its profiling methods involves analyzing HTTP User-Agent strings to identify device types
(e.g., iPhone, Windows laptop). HTTP User-Agent strings are sent in HTTP headers when a client
accesses a website. For CPPM to profile devices using HTTP User-Agent strings, it must receive the
HTTP traffic from the clients. In this scenario, the company is using Mobility Controllers (MCs),
campus APs, and AOS-CX switches, and CPPM is the only ClearPass solution in use.
HTTP User-Agent Profiling: CPPM can passively profile devices by analyzing HTTP traffic, but it needs
to receive this traffic. In an AOS-8 architecture, the MC can mirror client traffic to CPPM for profiling.
Since HTTP traffic is part of the data plane (user traffic), the MC must mirror the data plane traffic
(not control plane traffic) to CPPM.
Option A, "Create datapath mirrors that use the CPPM's IP address as the destination," is correct. The
MC can be configured to mirror client HTTP traffic to CPPM using a datapath mirror (also known as a
GRE mirror). This involves setting up a mirror session on the MC that sends a copy of the client’s
HTTP traffic to CPPM’s IP address. CPPM then analyzes the HTTP User-Agent strings in this traffic to
profile the endpoints. For example, the command mirror session 1 destination ip source
ip any protocol http can be used to mirror HTTP traffic to CPPM.
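To make the profiling step concrete, here is an added Python example of what a passive HTTP User-Agent profiler does with the mirrored traffic once it arrives: it pulls the User-Agent header out of each mirrored request, classifies it into a device type and operating system, and keeps one profile per client IP. This is illustrative code written for this page, not ClearPass code; the sample requests, client IP addresses and the classification rules are constructed for the example, and a real profiler uses a far larger fingerprint database.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of mirrored client HTTP requests as (source IP, raw request).
# These are not captured packets; they only illustrate the header format the
# datapath mirror delivers to the profiler.
SAMPLE_REQUESTS: List[Tuple[str, bytes]] = [
    ("10.1.1.10", b"GET / HTTP/1.1\r\nHost: intranet.example\r\n"
                  b"User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15\r\n\r\n"),
    ("10.1.1.11", b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n"
                  b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\r\n\r\n"),
    ("10.1.1.12", b"GET /app HTTP/1.1\r\nHost: intranet.example\r\n"
                  b"user-agent: Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36\r\n\r\n"),
    ("10.1.1.13", b"GET /noua HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    # Same client as above now presents a macOS User-Agent: the profiler flags the conflict.
    ("10.1.1.11", b"GET /portal HTTP/1.1\r\nHost: intranet.example\r\n"
                  b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_0) AppleWebKit/605.1.15\r\n\r\n"),
]

# Ordered fingerprint rules: (pattern, device type, OS). First match wins, so the
# more specific patterns come first (an Android UA also contains "Linux").
UA_RULES = [
    (re.compile(r"iPhone", re.I), "smartphone", "iOS"),
    (re.compile(r"iPad", re.I), "tablet", "iPadOS"),
    (re.compile(r"Android", re.I), "smartphone", "Android"),
    (re.compile(r"Windows NT", re.I), "laptop/desktop", "Windows"),
    (re.compile(r"Macintosh", re.I), "laptop/desktop", "macOS"),
    (re.compile(r"Linux", re.I), "laptop/desktop", "Linux"),
]


def extract_user_agent(raw_request: bytes) -> Optional[str]:
    """Return the User-Agent header value of a raw HTTP/1.x request, or None if absent.

    Header names are matched case-insensitively, as HTTP requires.
    """
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1", errors="replace")
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "user-agent":
            return value.strip()
    return None


def classify_user_agent(user_agent: str) -> Dict[str, str]:
    """Map a User-Agent string to a device type and OS using the rule table.

    The User-Agent is text chosen by the client, so the result is only a
    low-confidence hint that a profiler combines with other methods.
    """
    for pattern, device_type, os_name in UA_RULES:
        if pattern.search(user_agent):
            return {"device_type": device_type, "os": os_name, "confidence": "low"}
    return {"device_type": "unknown", "os": "unknown", "confidence": "none"}


def profile_mirrored_requests(mirrored: List[Tuple[str, bytes]]) -> Dict[str, dict]:
    """Build one profile per client IP from mirrored HTTP requests.

    The first classifiable User-Agent sets the profile; later User-Agents are
    recorded, and a differing classification sets "conflict" so the endpoint
    can be reviewed instead of silently re-profiled.
    """
    profiles: Dict[str, dict] = {}
    for src_ip, raw in mirrored:
        ua = extract_user_agent(raw)
        if ua is None:
            continue  # nothing to learn from a request without a User-Agent
        result = classify_user_agent(ua)
        entry = profiles.get(src_ip)
        if entry is None:
            profiles[src_ip] = {**result, "user_agents": [ua], "conflict": False}
            continue
        if ua not in entry["user_agents"]:
            entry["user_agents"].append(ua)
        if (result["device_type"], result["os"]) != (entry["device_type"], entry["os"]):
            entry["conflict"] = True
    return profiles


if __name__ == "__main__":
    for ip, prof in profile_mirrored_requests(SAMPLE_REQUESTS).items():
        print(ip, prof["device_type"], prof["os"], "conflict" if prof["conflict"] else "")
```

The "conflict" flag is the part worth keeping in a real deployment: because the User-Agent is supplied by the client, a single endpoint whose reported platform changes between requests should be surfaced for review rather than having its profile quietly overwritten, and the User-Agent result should be weighed alongside CPPM's other profiling methods rather than used alone.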
Option B, "Create an IF-MAP profile, which specifies credentials for an API admin account on CPPM,"
is incorrect. IF-MAP (Interface for Metadata Access Points) is a protocol used for sharing profiling
data between ClearPass and other systems (e.g., Aruba Introspect), but it is not used for sending
HTTP traffic to CPPM for profiling. Additionally, IF-MAP is not relevant when only CPPM is in use.
Option C, "Create control path mirrors to mirror HTTP traffic from clients to CPPM," is incorrect.
Control path (control plane) traffic includes management traffic between the MC and APs (e.g., AP
registration, heartbeats), not client HTTP traffic. HTTP traffic is part of the data plane, so a datapath
mirror is required, not a control path mirror.
Option D, "Create a firewall whitelist rule that permits HTTP and CPPM's IP address," is incorrect. A
firewall whitelist rule on the MC might be needed to allow traffic to CPPM, but this is not the primary
step for enabling HTTP User-Agent profiling. The key requirement is to mirror the HTTP traffic to
CPPM, which is done via a datapath mirror, not a firewall rule.
The HPE Aruba Networking AOS-8 8.11 User Guide states:
"To enable ClearPass Policy Manager (CPPM) to profile devices using HTTP User-Agent strings, the
Mobility Controller (MC) must mirror client HTTP traffic to CPPM. This is done by creating a datapath
mirror session that sends a copy of the client’s HTTP traffic to CPPM’s IP address. For example, use
the command mirror session 1 destination ip source ip any protocol http to mirror HTTP
traffic to CPPM. CPPM then analyzes the HTTP User-Agent strings to classify endpoints by type (e.g.,
iPhone, Windows laptop)." (Page 350, Device Profiling with CPPM Section)
Additionally, the HPE Aruba Networking ClearPass Policy Manager 6.11 User Guide notes:
"HTTP User-Agent profiling requires ClearPass to receive HTTP traffic from clients. In an Aruba
Mobility Controller environment, configure a datapath mirror to send HTTP traffic to ClearPass’s IP
address. ClearPass will parse the HTTP User-Agent strings to identify device types and operating
systems, enabling accurate profiling." (Page 249, HTTP User-Agent Profiling Section)
References:
HPE Aruba Networking AOS-8 8.11 User Guide, Device Profiling with CPPM Section, Page 350.
HPE Aruba Networking ClearPass Policy Manager 6.11 User Guide, HTTP User-Agent Profiling
Section, Page 249.