07-28-2016 11:52 PM
We're migrating from Alcatel-Lucent switches with local mac authentication to centralized Clearpass 802.1X. Now, every switch has its own database of macid's of which probably 50% are no longer in use.
Our Corporate wired users will be required to authenticate using 802.1X, and devices that are not capable of doing so will fall back to MAC authentication (CP static host lists).
To ensure a seamless migration, we're required to add all known MACID's to Clearpass static host lists, so there's a lot of garbage we want to get rid of.
Is there a way to automatically remove MACID's from the static host list that aren't used in the past 2 months? We're also looking for a way to add a description to a MACID so management and troubleshooting is easier. All suggestions are welcome, thanks!
07-29-2016 03:45 AM
07-29-2016 06:32 AM - edited 07-29-2016 07:26 AM
Thanks for that, management of that database seems far better!
However, the authentication isn't yet working and here's why I think it fails:
The user-name is the MACID without dashes and the one in GDR is with dashes so it doesn't match. In our static host list service, we used the calling-station-id to overcome that problem, but how do I manage that with GDR?
Tested this theory with policy simulation and it only works when the username (MACID) contains dashes. Not sure how I can fix it yet.
Authentication works when I set the account as expired without messing with dashes. I'll pick this up on Monday.
08-04-2016 06:38 AM
Ok, we just assumed that it would... nice!
Is there a way to only purge devices in the device repository, not guest repository? We want to remove a macid when it's not authenticated in 2 months but that rule shouldn't apply for guest users.
08-04-2016 07:14 AM
08-04-2016 07:27 AM
The MACID's we want to authenticate with are primarily non-802.1X industrial devices that are plugged in for years to come so we want to add them without expiry date. We already use mac authentication but locally on each switch so the list of macid's is huge and hard to manage.
So we're looking to delete inactive (GDR) devices if not authenticated in 2 months to clean up garbage from the past. I found that you can query endpoints.auth_at in insightdb so the information is there.
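An added example, not from this thread or from ClearPass itself: Python that canonicalises the MAC formats (the RADIUS User-Name without dashes versus the dashed GDR entry, the mismatch described above) and flags devices whose last authentication is older than the 2-month threshold. The 61-day cutoff, the function names and the sample rows are assumptions, not ClearPass data.

```python
"""Added example (not from the thread or from ClearPass): normalise MAC
addresses so a User-Name without dashes matches a repository entry written
with dashes, and flag entries whose last authentication is older than the
thread's 2-month threshold. All sample data below is constructed."""
import re
from datetime import datetime, timedelta, timezone

HEX12 = re.compile(r"^[0-9a-f]{12}$")

def canonical_mac(value):
    """Return the MAC as 12 lowercase hex digits, or None if it is not a MAC.
    Accepts 00-11-22-AA-BB-CC, 00:11:22:aa:bb:cc, 0011.22aa.bbcc, 001122aabbcc."""
    digits = re.sub(r"[-:.]", "", value.strip()).lower()
    return digits if HEX12.match(digits) else None

def format_mac(value, sep="-"):
    """Render a MAC in a delimited upper-case style (dashed, like the GDR entries)."""
    digits = canonical_mac(value)
    if digits is None:
        raise ValueError(f"not a MAC address: {value!r}")
    return sep.join(digits[i:i + 2] for i in range(0, 12, 2)).upper()

def matches(username, repository_mac):
    """True when a RADIUS User-Name and a repository entry denote the same device."""
    a, b = canonical_mac(username), canonical_mac(repository_mac)
    return a is not None and a == b

def stale_devices(devices, now, max_age=timedelta(days=61)):
    """Return canonical MACs whose last auth is older than max_age or missing.
    devices: iterable of (mac, last_auth_at or None); 2 months approximated as 61 days."""
    cutoff = now - max_age
    return sorted(
        canonical_mac(mac) for mac, auth_at in devices
        if canonical_mac(mac) is not None and (auth_at is None or auth_at < cutoff)
    )

# Constructed sample: endpoints and their last auth time (like endpoints.auth_at).
NOW = datetime(2016, 8, 4, tzinfo=timezone.utc)
SAMPLE = [
    ("00-11-22-AA-BB-CC", datetime(2016, 7, 30, tzinfo=timezone.utc)),  # recent
    ("00:11:22:aa:bb:dd", datetime(2016, 5, 1, tzinfo=timezone.utc)),   # stale
    ("001122aabbee", None),                                             # never authenticated
]

if __name__ == "__main__":
    print(matches("001122aabbcc", "00-11-22-AA-BB-CC"))  # True
    print(format_mac("001122aabbcc"))                     # 00-11-22-AA-BB-CC
    print(stale_devices(SAMPLE, NOW))                     # ['001122aabbdd', '001122aabbee']
```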
08-08-2016 02:50 AM
We decided to use the GDR without automatic cleaning of accounts so I started with configuration.
I created a service which checks if the device is still enabled and the guest type is set to device, that works fine. I'm now stuck at retrieving the role id. I see you can fetch it from tips_guest_users.attributes but I'm not sure how, because it's only a part of the string I need and contains "Role ID": "3" doesn't do the job.
Should the attribute Role ID in endpoints update when the device is created? Now it's not and I have no idea what my role mapping rules should look like to retrieve the role id.