Security

Reply
Occasional Contributor II

Clearpass Guest does not prevent any existing mac-address in the import list from been imported

Within Clearpass Guest devices can be added for mac-address authentication.

If adding manually, an error message 'duplicate address' is displayed and device is not added.

 

If importing devices, any existing mac-address and associated data (eg Sponsor) is overwritten with the imported data.

I cannot find a way in which to import only new mac-address's only.

Guru Elite

Re: Clearpass Guest does not prevent any existing mac-address in the import list from been imported

The ClearPass API and import functions are destructive and delete and then
re-add existing entries with the new data.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: Clearpass Guest does not prevent any existing mac-address in the import list from been imported

Thanks for the quick response.

 

The data for mac-address's will be coming from several sources and I am hoping to keep any manually added ones from been overwritten with parameters from the other sources that will be part of the import.  Yep, I know I can do the import and it will be destructive but if this cannot be done, I will need to look into scripting something to export existing data from Guest, do a compare to exclude duplicates and then import only the new ones; all a bit messy and not intuitive for likely users of Clearpass Guest.

Guru Elite

Re: Clearpass Guest does not prevent any existing mac-address in the import list from been imported

There is an open feature request for merge functionality on imports. I
don't have the link right now but you can find it on the idea portal.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: Clearpass Guest does not prevent any existing mac-address in the import list from been imported

Thanks for you help.

Your input has confirmed that there isn't anything I had missed; at least until a new version of software provides this functionality in the future.

Occasional Contributor II

Re: Clearpass Guest does not prevent any existing mac-address in the import list from been imported

Finally resolved this issue.

Root cause is the imported data had an invalid IP address, where one of the fields had a leading zero.

Instead of 10.100.20.9, the entry had 10.100.20.09

If this line was removed from the import data, all other imports were successful.

When the invalid IP was attempted to be imported, Clearpass fails to authenticate all VC's.  There is nothing in the Access Tracker.

Resolution is to delete the device that was imported wrong and reboot CPPM.

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: