MVP
Posts: 2,958
Registered: ‎10-25-2011

ClearPass MAC caching for specific devices

Hello 

We have got a self-registration set up with ClearPass Guest.

It has MAC caching of 1 day for every device.

Is it possible to do a MAC caching that does not expire for 5 different devices, and for the rest keep the 1 day of MAC caching?

If so, how can you do it?

For now I have just got the 1-day MAC caching created with the template.

 

Cheers

Carlos

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Aruba
Posts: 1,285
Registered: ‎08-29-2007

Re: ClearPass MAC caching for specific devices

Couple of ways to do it.

 

You can change the role of the guest user to [Contractor] and then in the enforcement change the [Contractor] caching to x days.

 

For individual devices you could give the Endpoint a specific attribute, then in your Role Mapping, map the attribute to the [Contractor] role.


If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACMP, ACMX #294
mclarke@arubanetworks.com
MVP
Posts: 2,958
Registered: ‎10-25-2011

Re: ClearPass MAC caching for specific devices

I think the first way you mention is the easiest way to do it.

Thanks, I'll try that.

 

Cheers

Carlos

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
MVP
Posts: 2,958
Registered: ‎10-25-2011

Re: ClearPass MAC caching for specific devices

Question

How can you set the MAC caching time so that it does not end?

You can put less than one day or less than 2 days, etc., but with which parameter can you set it so it has no end?

 

Cheers

Carlos

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
MVP
Posts: 4,238
Registered: ‎07-20-2011

Re: ClearPass MAC caching for specific devices

All you need to do is the following:

- Use the static host list with the MAC addresses of the devices you would like to bypass the 1-2 days MAC caching

- Once the device registers, add the post enforcement profile to update the status known on the MAC caching enforcement policy

- Then on the MAC authentication policy use the following logic:

If the device belongs to the Static Host List and is known, then allow access, and put this at the top of your rule list.

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
MVP
Posts: 2,958
Registered: ‎10-25-2011

Re: ClearPass MAC caching for specific devices

Hello

Thanks for all your feedback.

What I need is something really simple that the client can do himself, so he can add new devices himself to this "rule" that bypasses the MAC caching.

As far as I can see, Michael Clark's solution seems the easiest, as you just need to change the role of that user.

To make it forever, would this rule work fine?

Does a value of 0 mean unlimited days? I mean forever? Does anyone know?

 

(Tips:Role EQUALS [Contractor])
AND (Authorization:Guest_TR MAC-Guest-Check:UserName EXISTS  )
AND (Authorization:[Insight Repository]:Days-Since-Auth LESS_THAN 0)

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Aruba
Posts: 1,285
Registered: ‎08-29-2007

Re: ClearPass MAC caching for specific devices

Carlos,

Normally to allow devices to bypass the portal I do the following.

Let the device connect, then add an attribute to the Endpoint.

Endpoint attribute.PNG

Add a role mapping for this attribute.

Endpoint Role.PNG

Then in the enforcement, something like this.

Endpoint enforcement.PNG

Once you've added the attribute to the Endpoint, just reconnect it.

 

This method is good for putting things like AppleTVs or digital signage onto the guest network.

There are other ways, as Victor mentioned, which may be neater.

 

Hope that helps


If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACMP, ACMX #294
mclarke@arubanetworks.com
MVP
Posts: 2,958
Registered: ‎10-25-2011

Re: ClearPass MAC caching for specific devices

Thanks Michael

That worked pretty well, and the client just needs to add the entry on the attribute for each device under the endpoint repository.

Seems pretty simple to me.

I configured it and it's working in my lab.

 

Thanks also for the screenshots, those helped me to configure it really fast!

 

Cheers

Carlos

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp