Occasional Contributor II
Posts: 23
Registered: 07-28-2016

Automated clearing of macid's in static host list

We're migrating from Alcatel-Lucent switches with local MAC authentication to centralized ClearPass 802.1X. Now, every switch has its own database of MACIDs, of which probably 50% are no longer in use.

Our corporate wired users will be required to authenticate using 802.1X, and devices that are not capable of doing so will fall back to MAC authentication (CP static host lists).

To ensure a seamless migration, we're required to add all known MACIDs to ClearPass static host lists, so there's a lot of garbage we want to get rid of.

Is there a way to automatically remove MACIDs from the static host list that haven't been used in the past 2 months? We're also looking for a way to add a description to a MACID so management and troubleshooting is easier. All suggestions are welcome, thanks!

Guru Elite
Posts: 8,751
Registered: 09-08-2010

Re: Automated clearing of macid's in static host list

You should use the guest device repository instead of SHLs. The GDR can be automatically pruned.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 23
Registered: 07-28-2016

Re: Automated clearing of macid's in static host list

[ Edited ]

Cappalli,

Thanks for that, management of that database seems far better!

However, the authentication isn't yet working and here's why I think it fails:

The user-name is the MACID without dashes and the one in GDR is with dashes, so it doesn't match. In our static host list service, we used the Calling-Station-Id to overcome that problem, but how do I manage that with GDR?

EDIT:

Tested this theory with policy simulation and it only works when the username (MACID) contains dashes. Not sure how I can fix it yet.

EDIT2:

Authentication works when I set the account as expired without messing with dashes. I'll pick this up on Monday.

Guru Elite
Posts: 8,751
Registered: 09-08-2010

Re: Automated clearing of macid's in static host list

Just change the format in the MAC-auth profile on the controller.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 23
Registered: 07-28-2016

Re: Automated clearing of macid's in static host list

Thanks Tim,

We'll go for authenticating with an external SQL database to save some guest licenses.

Guru Elite
Posts: 8,751
Registered: 09-08-2010

Re: Automated clearing of macid's in static host list

The guest device repository does not consume guest licenses.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 23
Registered: 07-28-2016

Re: Automated clearing of macid's in static host list

OK, we just assumed that it would... nice!

Is there a way to only purge devices in the device repository, not the guest repository? We want to remove a MACID when it hasn't authenticated in 2 months, but that rule shouldn't apply to guest users.

Guru Elite
Posts: 8,751
Registered: 09-08-2010

Re: Automated clearing of macid's in static host list

I don't believe so. Why not just leave them there until the guest user prune?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 23
Registered: 07-28-2016

Re: Automated clearing of macid's in static host list

The MACIDs we want to authenticate with are primarily non-802.1X industrial devices that are plugged in for years to come, so we want to add them without an expiry date. We already use MAC authentication, but locally on each switch, so the list of MACIDs is huge and hard to manage.

So we're looking to delete inactive (GDR) devices if not authenticated in 2 months, to clean up garbage from the past. I found that you can query endpoints.auth_at in insightdb, so the information is there.

Occasional Contributor II
Posts: 23
Registered: 07-28-2016

Re: Automated clearing of macid's in static host list

We decided to use the GDR without automatic cleaning of accounts, so I started with configuration.

I created a service which checks if the device is still enabled and the guest type is set to device; that works fine. I'm now stuck at retrieving the role ID. I see you can fetch it from tips_guest_users.attributes, but I'm not sure how, because it's only a part of the string I need, and contains "Role ID": "3" doesn't do the job.

Should the attribute Role ID in endpoints update when the device is created? Now it's not, and I have no idea what my role mapping rules should look like to retrieve the role ID.
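The inactivity check discussed in the last two posts, as an added example that is not part of this thread and not ClearPass code: it normalizes MACs whatever the dash format (the mismatch hit earlier in the thread), pulls the Role ID out of the attributes JSON string, and lists enabled device entries (never guest accounts) whose last authentication is missing or older than 60 days. Only the column names tips_guest_users.attributes and endpoints.auth_at come from the thread; the row layout, the guest_type/enabled fields and the sample rows are constructed assumptions.

```python
import json
import re
from datetime import datetime, timedelta, timezone

INACTIVE_AFTER = timedelta(days=60)  # the thread's "not authenticated in 2 months"
SAMPLE_NOW = datetime(2018, 2, 1, tzinfo=timezone.utc)  # fixed "now" for the sample

# Constructed sample rows shaped like tips_guest_users (username, attributes) joined with
# insightdb endpoints.auth_at; only those column names come from the thread, the rest is assumed.
SAMPLE_ROWS = [
    {"username": "00-11-22-33-44-55", "guest_type": "device", "enabled": True,
     "attributes": '{"Role ID": "3"}', "auth_at": "2018-01-10T08:00:00Z"},
    {"username": "001122aabbcc", "guest_type": "device", "enabled": True,
     "attributes": '{"Role ID": "5"}', "auth_at": "2017-09-01T12:00:00Z"},
    {"username": "visitor@example.com", "guest_type": "guest", "enabled": True,
     "attributes": '{"Role ID": "2"}', "auth_at": "2017-06-01T12:00:00Z"},
    {"username": "AA:BB:CC:DD:EE:FF", "guest_type": "device", "enabled": True,
     "attributes": "", "auth_at": None},
]

def normalize_mac(value):
    """Reduce any MAC spelling (dashes, colons, bare, any case) to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", value).lower()
    return digits if len(digits) == 12 else None

def role_id(attributes):
    """Parse the attributes JSON string and return its Role ID (None if absent or malformed)."""
    try:
        return json.loads(attributes or "{}").get("Role ID")
    except json.JSONDecodeError:
        return None

def stale_devices(rows, now):
    """(normalized MAC, Role ID) for enabled device entries never seen or idle > INACTIVE_AFTER."""
    stale = []
    for row in rows:
        if row["guest_type"] != "device" or not row["enabled"]:
            continue  # guest accounts and disabled entries are never pruned here
        mac = normalize_mac(row["username"])
        if mac is None:  # not a MAC-shaped username: leave it alone
            continue
        last = row["auth_at"]
        if last is not None:
            last = datetime.strptime(last, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if last is None or now - last > INACTIVE_AFTER:
            stale.append((mac, role_id(row["attributes"])))
    return stale

if __name__ == "__main__":
    for mac, rid in stale_devices(SAMPLE_ROWS, SAMPLE_NOW):
        print(f"prune candidate {mac} (Role ID {rid})")
```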
