Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass Static Host List

  • 1.  Clearpass Static Host List

    Posted Oct 15, 2013 02:49 PM

    I am trying to create a static host list for a set of devices that I want to automatically assign a user role.  I saw the option in the host list for a subnet, which works perfectly for our needs.  When I go to create an authentication source, the host list does not show up as an option.  If I change the host list to a MAC address list, then it shows up.  How can I get it to show up when using the subnet option?

    Software version 6.2.0.54353



  • 2.  RE: Clearpass Static Host List

    EMPLOYEE
    Posted Oct 15, 2013 02:51 PM

    @mwallen wrote:

    I am trying to create a static host list for a set of devices that I want to automatically assign a user role.  I saw the option in the host list for a subnet, which works perfectly for our needs.  When I go to create an authentication source, the host list does not show up as an option.  If I change the host list to a MAC address list, then it shows up.  How can I get it to show up when using the subnet option?

    Software version 6.2.0.54353


    Just to understand you: you want to make authentication contingent on the subnet of the client?  802.1X clients do not have an IP address before they authenticate.  Please describe your scenario.

     



  • 3.  RE: Clearpass Static Host List

    Posted Oct 15, 2013 04:20 PM

    This would not be 1X authentication, but connecting on the guest network, which is open with a captive portal.  For some devices that don't support 1X, we have them on the guest network, and I use a host list so I can map them to a user role on the regular network.  This is what the guys said to do when we implemented the system.

     

    In this case we have a subnet/VLAN for wireless TVs/digital signage.  They will be given static IPs and connected to the guest network since they cannot do 1X.  When creating a static host list, one of the options is to use an IP range, so this seemed like the best way to handle this scenario rather than having to manually enter each MAC address into the list.



  • 4.  RE: Clearpass Static Host List

    EMPLOYEE
    Posted Oct 15, 2013 04:21 PM

    Try adding it as an authorization source instead, and then use a role mapping with "BELONGS_TO_GROUP" to tag it with a TIPS role.



  • 5.  RE: Clearpass Static Host List

    Posted Oct 15, 2013 04:26 PM

    That's what I am trying to do, but the host list does not show up for me to select when I try to create the authentication source.  I am trying to figure out why it's not showing up.



  • 6.  RE: Clearpass Static Host List

    EMPLOYEE
    Posted Oct 15, 2013 04:27 PM

    Check the authorization box on the main summary page of the service, and then add it as an additional authorization source.



  • 7.  RE: Clearpass Static Host List

    EMPLOYEE
    Posted Oct 15, 2013 04:28 PM

    You need to create a static host list, then go into the source and create a source that uses the static host list.

     

    [Attached screenshot: static host list.png]



  • 8.  RE: Clearpass Static Host List

    Posted Oct 15, 2013 04:32 PM

    I have created the static host list, but it does not show up on the screen you are showing.  It does not get listed in the dropdown unless I change it to a MAC address list.  If it's an IP list, it is not available for me to pick and add.



  • 9.  RE: Clearpass Static Host List

    EMPLOYEE
    Posted Oct 15, 2013 04:36 PM

    Sorry about that. I missed that you were using an IP-based list. You are not able to use an IP-based list as an auth source, per the help section on the server.

     

    Adding and Modifying Static Host Lists

    A static host list comprises a named list of MAC or IP addresses, which can be invoked in the following ways:

     In Service and Role-mapping rules as a component.
     For non-responsive services on the network (for example, printers or scanners), as an Authentication Source.

     

    Only static host lists of type MAC address are available as authentication sources. A static host list often functions, in the context of the Service, as a white list or a black list. Therefore, they are configured independently at the global level.

    Figure 1  Static Host Lists (Listing Page)



  • 10.  RE: Clearpass Static Host List

    Posted Oct 15, 2013 04:37 PM

    OK, then the question becomes: why does it even let me create an IP-based list if I can't use it?



  • 11.  RE: Clearpass Static Host List

    EMPLOYEE
    Posted Oct 15, 2013 04:40 PM

    @mwallen wrote:

    OK, then the question becomes: why does it even let me create an IP-based list if I can't use it?


    You CAN use an IP-based list, but not for what you want to do with it.  Please look at my last post for an idea.

     



  • 12.  RE: Clearpass Static Host List

    Posted Oct 15, 2013 04:43 PM

    OK, well, this is kind of what I thought it would end up as, but I was hoping there was a way.  Thanks for all your replies, you guys are quick!



  • 13.  RE: Clearpass Static Host List

    EMPLOYEE
    Posted Oct 15, 2013 04:47 PM

    @mwallen wrote:

    OK, well, this is kind of what I thought it would end up as, but I was hoping there was a way.  Thanks for all your replies, you guys are quick!


    There is one other way.  Please check a couple of posts up in this thread where I suggest an alternative using a user derivation rule with the MAC OUI of the wireless Sign...



  • 14.  RE: Clearpass Static Host List

    EMPLOYEE
    Posted Oct 15, 2013 04:37 PM

    @mwallen wrote:

    This would not be 1X authentication, but connecting on the guest network, which is open with a captive portal.  For some devices that don't support 1X, we have them on the guest network, and I use a host list so I can map them to a user role on the regular network.  This is what the guys said to do when we implemented the system.

     

    In this case we have a subnet/VLAN for wireless TVs/digital signage.  They will be given static IPs and connected to the guest network since they cannot do 1X.  When creating a static host list, one of the options is to use an IP range, so this seemed like the best way to handle this scenario rather than having to manually enter each MAC address into the list.


    So,

     

    Let's walk through this:

     

    You have devices you want to connect with static IP addresses to a guest network.

    You want to authenticate them based on their IP address.

     

    - There is no way to do this, because on an open network the only two ways you can authenticate devices (send information to a server for authentication) are with a captive portal or MAC authentication.  "Dumb" devices cannot do captive portal, so you are only left with MAC authentication.  You cannot authenticate devices based on their specific IP address.  There is a parameter called IETF-Framed-IP-Address, but it is not passed during MAC authentication.

     

    I personally think you are stuck with MAC authentication (a list of MAC addresses).

     

    OR, if the devices you are placing on the network have the same prefix, you can use a user derivation rule on the controller to detect the MAC OUI of those devices and place them in an elevated role on the guest network.  Here is an article on how you would do that:  http://community.arubanetworks.com/t5/Community-Tribal-Knowledge-Base/PSK-MAC-Address-based-VLAN-Steering/ta-p/85212  The suggestion in the thread mentions a PSK network, but you can do it with an Open/Captive Portal network just by adding a user derivation rule to the AAA profile.  It would look for the OUI of the sign and then change its role, so that you can pass traffic back and forth to that sign regardless of the IP address.
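The three options this thread weighs, a MAC-type static host list used as the auth source, a user derivation rule keyed on the MAC OUI, and the IP-range list that never gets consulted during MAC authentication, modelled as an added example that is not ClearPass or ArubaOS code. The MAC addresses, OUI prefix and subnet are constructed placeholders; the attribute names are the RADIUS names the post refers to.

```python
"""Why the IP-type host list cannot drive a MAC-auth decision.

Example code for this page, not ClearPass or ArubaOS code. A MAC-auth
request from the controller carries Calling-Station-Id but no
Framed-IP-Address (the post's IETF-Framed-IP-Address), so only the
MAC-based options can ever match.
"""
import ipaddress
import re
from typing import Optional, Tuple

# Constructed sample data; the MACs, OUI and subnet are placeholders.
SIGNAGE_MAC_LIST = {"00:11:22:33:44:55", "00:11:22:33:44:56"}  # MAC-type host list
SIGNAGE_OUIS = {"001122"}                                        # OUI for a derivation rule
SIGNAGE_IP_LIST = {ipaddress.ip_network("10.20.30.0/24")}        # IP-type host list


def normalize_mac(raw: str) -> Optional[str]:
    """Accept the Calling-Station-Id spellings seen in practice
    (aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff, aabbccddeeff)
    and return lower-case colon form, or None if the value is not a MAC."""
    if re.fullmatch(r"[0-9A-Fa-f:.\-]+", raw) is None:
        return None
    digits = re.sub(r"[:.\-]", "", raw).lower()
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def derive_role(request: dict) -> Tuple[str, str]:
    """Pick the role for one request on the open guest SSID and say why.
    `request` maps RADIUS attribute names to values as the controller sent them."""
    mac = normalize_mac(request.get("Calling-Station-Id", ""))
    if mac is None:
        return "guest", "unparseable Calling-Station-Id"
    # Option 1 (post 9): MAC-type static host list used as the auth source.
    if mac in {normalize_mac(m) for m in SIGNAGE_MAC_LIST}:
        return "signage", "MAC static host list"
    # Option 2 (post 14): controller user derivation rule on the OUI.
    if mac.replace(":", "")[:6] in SIGNAGE_OUIS:
        return "signage", "OUI derivation rule"
    # Option 3 (the original question): IP-range list. The device's static
    # IP lives on the client, not in the MAC-auth request, so this branch
    # only fires when some other flow actually supplies Framed-IP-Address.
    ip = request.get("Framed-IP-Address")
    if ip is not None and any(ipaddress.ip_address(ip) in n for n in SIGNAGE_IP_LIST):
        return "signage", "IP static host list"
    return "guest", "no match"
```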