07-16-2013 07:51 PM - edited 07-16-2013 07:52 PM
I have a customer that is looking to blacklist MAC addresses by entering them into the Clearpass server. They have configured the following:
1. Created a Blacklist authentication source that's a static host list.
2. Created a MAC Authentication Service for Blacklisting
i. This service has a NAS-Port-Type of BELONGS_TO Wireless-802.11 (19)
ii. This service has a Service-Type of BELONGS_TO Login-User (1), Call-Check (10)
iii. This service has an Authentication Source EQUALS to Blacklist
3. The Blacklisting Service is enabled.
4. The Role Mapping is set up to send an Aruba VSA for a defined rule on the controller via an enforcement profile
5. The Blacklist Static Host List
This is basically a copy of the default MAC Authentication profile with a new authentication source.
Has anyone tried to set up something similar within CPPM? Any luck or tips to pull it off?
I'll be able to post Access Tracker output information about this service either tomorrow or the next day.
07-16-2013 08:04 PM
The question is, do you simply want to just reject devices that are in a static host list?
You just create a static host list full of MAC addresses.
Once done, you can use a rule that reads "Connection:Client Mac Address BELONGS_TO_GROUP <static-host-list>" --> send back an enforcement profile that has a reject.
Aruba Customer Engineering