Introduction- We might have a scenario where we want to allow any MAC addresses that begin with a specific OUI. In the scenario we are discussing below the use case is like allowing Printers from HP on the MAC Auth SSID with OUI "0D1E15". In that case we can create a Static Host List using Regular expression that can make sure that it allows MAC addresses that come in all formats.
Environment- This article has been tested in ClearPass version 6.4.4 and is expected to work in all ClearPass versions till date.
Configuration Steps- We need to create a Static Host List of Host type "MAC Address" and Host Format "Regular Expression" as shown in the screenshot below.
You need to navigate to Configuration>>Identity>>Static Host Lists
The Regular Expression that we are using in this case allows any MAC address that begins with "0D1E15" irrespective of the MAC address format like colon,hyphen as delimiters or without any delimiters and the both upper and lower case of the MAC address.
^0[Dd][:-]?1[Ee][:-]?15([:-]?[0-9a-fA-F]{2}){3}$
A brief explanation of the Regular expression above is 0[Dd] in the regex tells us we are allowing 0D or 0d [:-]? allows colon : hyphen - or nothing between 2 characters in the MAC address. After that we have similar sections for 1E and 15 and later ([:-]?[0-9a-fA-F]{2}){3} this section allows 3 sets of 2 Hex values each beginning with a colon,hyphen or nothing.
Once we create a Static Host List we need to create an authentication source that has the Static Host List and map it as an auth source.
We need to navigate to Configuration>>Authentication>>Sources>>Add
Once we click on Add you would have an option of choosing the type of authentication source and we need to choose
Once we choose Static Host List we can map it in this auth source. Please note that we can add multiple Static Host lists to one authentication source.
The authentication source created can be mapped to our MAC authentication SSID and used to authenticate clients.
Answer- Please note that the Regular Expression above can be customized easily for the OUI we need.
^70[:-]?5[aA][:-]?[Bb]6([:-]?[0-9a-fA-F]{2}){3}$
for allowing anything that begins with "705AB6" in various formats.
Verification- Configure a MAC authentication service and verify that MAC authentication is working with MAC addresses in the given format.'
Troubleshooting- We can use the link below to validate the Regular Expression
http://regexpal.com/