10-31-2017 11:37 PM
I am trying to create a service which authenticates AD as an authentication source for MAC Auth and 802.1x.
How to create a policy and enforce ment profile to allow clearpass check the calling station ID of the AD user name as an attribute for validating the MAC ID of that particular user before allowing access.
Solved! Go to Solution.
11-01-2017 01:13 AM
I assume you have the mac-address entered into a field in the AD account. This field you have to extract during authentication, and use for authorization.
It's a tad tricky, but definately doable if you have some insight to your AD and SQL. Should be roughly something like this:
Navigate to Authentication Source, create a copy of your AD auth source. This new one is the one you will use in your service so as not to ruin anything in production. (or create a copy you can revert to if you mess up the production one ;)
Edit the new Auth Source. Click on the Authentication Filter. If you already know the name of the mac-add field, enter it similar to the other fields in here under "Configuration" (Alias and the field-name as string). If you're not sure of the name of the field, click the tab Attributes and you should be able to find this here.
->> Click Save after completion.
Ok - now you have a few ways to do this, but the most direct way is to edit your enforcement policy. In the rule that matches your user/machine authentication add in a line like this:
Name=MAC-ALIAS (as you entered in the auth-source)
Now - you need to make sure they are input exactly the same. If you store the mac-address in AD differently than what your NAS sends, then you want to use a different value to check against. If you NAS sends UPPERCASE with hyphen - then you do this:
Check a 1x authentication record in your Access Tracker under Computed Attributes to find the different variations to use. One of this SHOULD match what you input in the AD-field ;)
Good luck and shout out if you need any further assistance!
-ACMX #316 :: ACCX #902 :: ACSA
Aruba Partner Ambassador
Intelecom/NetNordic - Norway
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
11-01-2017 03:20 AM
Hi John Solberg,
I found out the a way to work this out something similar the same way you have advised.
Just created a new attribute in AD (msNPCallingStationID)
On the enforcement policy have created
Name=msNPCallingStationID(Attribute value created in AD)
It worked out like a charm, thank you for the quick response.