Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Blacklisting clients based on MAC address

  • 1.  Blacklisting clients based on MAC address

    Posted Jul 16, 2013 10:52 PM

    All,

     

    I have a customer that is looking to blacklist MAC addresses by entering them into the ClearPass server. They have configured the following:

     

    1. Created a Blacklist authentication source that's a static host list.

    2. Created a MAC Authentication Service for Blacklisting

        i. This service has a NAS-Port-Type of BELONGS_TO Wireless-802.11 (19)

        ii. This service has a Service-Type of BELONGS_TO Login-User (1), Call-Check (10)

        iii. This service has an Authentication Source EQUALS to Blacklist

    3. The Blacklisting Service is enabled.

    4. The Role Mapping is set up to send an Aruba VSA for a defined rule on the controller via an enforcement profile

    5. The Blacklist Static Host List

     

    This is basically a copy of the default MAC Authentication profile with a new authentication source.

     

    Has anyone tried to set up something similar within CPPM? Any luck or tips to pull it off?

     

    I'll be able to post Access Tracker output information about this service either tomorrow or the next day.

     

    Thanks!

     

    -Mike

     



  • 2.  RE: Blacklisting clients based on MAC address
    Best Answer

    EMPLOYEE
    Posted Jul 16, 2013 11:05 PM

    The question is, do you simply want to just reject devices that are in a static host list?

     

    You just create a static host list full of MAC addresses.

     

    Once done, you can use a rule that reads "Connection:Client Mac Address BELONGS_TO_GROUP <static-host-list>" --> send back an enforcement profile that has a reject.

     



  • 3.  RE: Blacklisting clients based on MAC address

    Posted Aug 02, 2013 07:39 PM

    Colin,

     

    I forgot to thank you for this. Your advice was spot on - as usual!

     

    -Mike



  • 4.  RE: Blacklisting clients based on MAC address

    EMPLOYEE
    Posted Aug 02, 2013 07:53 PM

    Glad I could even help, Mike.