Frequent Contributor II
Posts: 166
Registered: ‎04-17-2013

CPPM endpoint "Known" mac address group by per SSID

Hi,

I have configured 3 SSIDs on my controller. The authentication method is user credentials + MAC address.

CPPM service configured as below:

     (Tips:Role  EQUALS  [User Authenticated])
AND  (Authorization:[Endpoints Repository]:Status  EQUALS  Known)

The "Known" MACs of all 3 SSIDs will be in the Endpoint repository, but I could not segregate them. So I could not figure out how many "Known" MACs are in each respective SSID.

Is there any alternate way to achieve MAC authentication with a respective group MAC entry? Or how can I achieve the same with the Endpoint Repository?

Thanks...

MVP
Posts: 4,238
Registered: ‎07-20-2011

Re: CPPM endpoint "Known" mac address group by per SSID

- You can use the computed Attribute :

2014-06-20 14_32_17-Chrome Remote Desktop.png

 

- Add the SSID Attribute

2014-06-20 14_30_03-Chrome Remote Desktop.png

 

- Create a Post Auth Enforcement Profile and apply it right under the "Known" Post Auth Enforcement Profile in the Enforcement Policy

2014-06-20 14_30_03-Chrome Remote Desktop.png

2014-06-20 14_31_57-Chrome Remote Desktop.png

 

Then you could do a search in the endpoint database for the attribute "SSID" and the status "Known"

 

2014-06-20 14_47_22-Chrome Remote Desktop.png

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Aruba
Posts: 1,643
Registered: ‎04-13-2009

Re: CPPM endpoint "Known" mac address group by per SSID

You could probably do this with another attribute in the endpoint database (other than Known Client).  The problem is how do you want to populate that entry? 

 

For example, add an attribute and assign to the Endpoint:

Administration --> Dictionaries --> Attributes

cppm-mac-allowed1.png

 

 

Then edit the endpoint with proper value

cppm-mac-allowed2.png

 

Change service to look for this attribute instead of "Known Client"

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Aruba
Posts: 1,643
Registered: ‎04-13-2009

Re: CPPM endpoint "Known" mac address group by per SSID

...or what Victor said  :-)

 

Victor's method gives you an automated way to update the attribute after someone joins the network.  If you need to add the attribute first in order to allow them to join, you'll need to add it manually as in my post.

 

That is the beauty of CPPM...very flexible and can do just about anything, so long as you know what you want.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Frequent Contributor II
Posts: 166
Registered: ‎04-17-2013

Re: CPPM endpoint "Known" mac address group by per SSID

By default, any user who wants to get wireless access should be denied, except for allowed MAC addresses.

I will manually add the MAC address with the particular SSID group; only then will the user get access.

 

Regards,

Nikhil.

Frequent Contributor II
Posts: 166
Registered: ‎04-17-2013

Re: CPPM endpoint "Known" mac address group by per SSID

Hi,

 

Where should I add the respective SSID name in the configuration?

Guru Elite
Posts: 8,339
Registered: ‎09-08-2010

Re: CPPM endpoint "Known" mac address group by per SSID

Create a custom attribute.

 

Administration > Dictionaries > Attributes


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor II
Posts: 166
Registered: ‎04-17-2013

Re: CPPM endpoint "Known" mac address group by per SSID

Hi,

 

I have created the EMPL SSID and configured the suggested configuration as per my requirement.

I have marked the MAC ID as known in Endpoint, and I am able to get the correct VLAN as per the VLAN assigned to the user.

But after that I made the MAC ID unknown again, and the user is still able to connect. As per the configuration, the user must be rejected.

 

Please find attachment for more info.

 

Thanks....

Guru Elite
Posts: 8,339
Registered: ‎09-08-2010

Re: CPPM endpoint "Known" mac address group by per SSID

Add a rule at the bottom that says:

Authorization:[Endpoints Repository] Status NOT_EQUALS Known [DENY ACCESS PROFILE]

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor II
Posts: 166
Registered: ‎04-17-2013

Re: CPPM endpoint "Known" mac address group by per SSID

[ Edited ]

Hi,

 

1) But in the Enforcement policy, the default role is the Deny access profile.

2) Shall I manually add the attribute for the endpoint's known MAC address - edit endpoint - attribute, i.e. EMPL?

 
