Occasional Contributor I
Posts: 9
Registered: ‎01-10-2014

ClearPass Policy Manager ver 6.2 through 6.4 Regular Expressions in Static Host List

Currently we use the static host list in CPPM and have created different groups which are then called by the roles for the enforcement policy. But, to avoid having to manage each MAC individually, we would like to create lists again separated out by device type or role the device is to be in, and want to continue to use MAC auth along with a fingerprint to ascertain what the device is and which rule to land that device in. But maintaining a running list of every full MAC would not be a manageable or sustainable method for us. I have parsed out the MAC OUIs in use and have come up with roughly 60 different OUIs. Since we cannot use wildcards in the list function, we thought possibly to try to use the Regular Expression and build the list by group - but I am not a programmer so I am looking for some guidance as to how to build a list of MAC OUIs using the Static Host List, Regular Expression format. The information about using as an example 00-00-00-* does not work. I also attempted to insert |0c103e|001234|abcde1| and this too did not work. Any assistance or guidance would be greatly appreciated.

 

Thank you

Tom R

MVP
Posts: 4,002
Registered: ‎07-20-2011

Re: ClearPass Policy Manager ver 6.2 through 6.4 Regular Expressions in Static Host List

You should be able to add it:

00ad46*


Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor I
Posts: 9
Registered: ‎01-10-2014

Re: ClearPass Policy Manager ver 6.2 through 6.4 Regular Expressions in Static Host List

I have tried that also and it did not work. So what would a list of MAC OUIs look like as a regular expression? How would that be written so that it could easily be managed without having to know how to write code?

 

Thank you

MVP
Posts: 4,002
Registered: ‎07-20-2011

Re: ClearPass Policy Manager ver 6.2 through 6.4 Regular Expressions in Static Host List

It should work; it depends on what format the request is coming in.

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor I
Posts: 9
Registered: ‎01-10-2014

Re: ClearPass Policy Manager ver 6.2 through 6.4 Regular Expressions in Static Host List

We have tried both lowercase colon delimited as well as uppercase with hyphens, as well as all uppercase and all lowercase. Because we are trying to build a list of them, though, or multiple MAC OUIs, maybe the format I attempted is wrong. So if using the MAC OUI with the wildcard should work - then how would a list of MAC OUIs be built - or multiple MAC OUIs wild-carded in the same static host list?

 

Thank you

Tom R
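
Added example, not part of any post in this thread and not ClearPass configuration: a Python sketch of what "a list of OUIs as one regular expression" looks like under ordinary regex rules, and how the two patterns quoted in the first post behave under those rules. Whether the Static Host List uses the same regex dialect, and which MAC format it compares against, is not established by the thread; the group names are constructed and the OUIs are the ones quoted above.

```python
import re

# Constructed sample groups; the OUI values are the ones quoted in the thread.
OUI_GROUPS = {
    "group-a": ["0c103e", "001234"],
    "group-b": ["00ad46", "AB:CD:E1"],
}

def normalize(value):
    """Strip separators and lowercase, so every MAC/OUI notation compares equal."""
    return re.sub(r"[^0-9a-fA-F]", "", value).lower()

def build_oui_regex(ouis):
    """One anchored alternation over normalized MACs: ^(?:oui1|oui2)[0-9a-f]{6}$"""
    cleaned = sorted({normalize(o) for o in ouis})
    for o in cleaned:
        if len(o) != 6:
            raise ValueError(f"not a 3-byte OUI: {o!r}")
    return re.compile(r"^(?:" + "|".join(cleaned) + r")[0-9a-f]{6}$")

def classify(mac, groups=OUI_GROUPS):
    """Return the first group whose OUI list matches the MAC, else None."""
    norm = normalize(mac)
    for name, ouis in groups.items():
        if build_oui_regex(ouis).match(norm):
            return name
    return None

def tried_patterns_as_regex():
    """How the two patterns from the first post behave under plain regex rules."""
    # In a regex, '*' repeats the preceding '-'; it is not a glob wildcard.
    glob_like = re.fullmatch(r"00-00-00-*", "00-00-00-11-22-33")
    # Leading/trailing '|' add empty branches, which match any input at all.
    empty_alt = re.search(r"|0c103e|001234|abcde1|", "ffffffffffff")
    return glob_like is None, empty_alt is not None and empty_alt.group() == ""

if __name__ == "__main__":
    for mac in ["0C-10-3E-11-22-33", "00:ad:46:aa:bb:cc", "ff:ff:ff:00:00:01"]:
        print(mac, "->", classify(mac))
    print(build_oui_regex(OUI_GROUPS["group-a"]).pattern)
    print(tried_patterns_as_regex())
```
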

MVP
Posts: 4,002
Registered: ‎07-20-2011

Re: ClearPass Policy Manager ver 6.2 through 6.4 Regular Expressions in Static Host List

I haven't tried multiple. You add another one and assign the same role.
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
MVP
Posts: 4,002
Registered: ‎07-20-2011

Re: ClearPass Policy Manager ver 6.2 through 6.4 Regular Expressions in Static Host List

If I try adding multiple expressions then authentication fails. I separated each using a comma.

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Aruba
Posts: 1,635
Registered: ‎04-13-2009

Re: ClearPass Policy Manager ver 6.2 through 6.4 Regular Expressions in Static Host List

Why not set up role mappings based on the OUIs rather than a static host list? Then use this role for your enforcement policy. I think that would be easier than trying to determine a regular expression that works for 60+ OUIs.


------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Occasional Contributor I
Posts: 9
Registered: ‎01-10-2014

Re: ClearPass Policy Manager ver 6.2 through 6.4 Regular Expressions in Static Host List

The rationale behind grouping MAC OUIs into 6 different static host lists is that it reduces the roles from 60 down to 6, thus simplifying the configuration or management. I will try your method again and continue my testing - but would prefer, since regular expressions do allow wildcards, to go that route if at all possible.

 

Thank you

Tom R

Guru Elite
Posts: 7,821
Registered: ‎09-08-2010

Re: ClearPass Policy Manager ver 6.2 through 6.4 Regular Expressions in Static Host List

Just out of curiosity, do you know that ClearPass uses MAC prefixes as part of the profile process and you can actually use the "MAC Vendor" option in a role map?

 


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP