Frequent Contributor I
Posts: 85
Registered: ‎04-05-2011

Clearpass Static Host List

I am trying to create a static host list for a set of devices that I want to automatically assign a user role. I saw the option in the host list for a subnet, which works perfectly for our needs. When I go to create an authentication source, the host list does not show up as an option. If I change the host list to a MAC address list, then it shows up. How can I get it to show up when using the subnet option?

software version 6.2.0.54353

Guru Elite
Posts: 21,487
Registered: ‎03-29-2007

Re: Clearpass Static Host List


mwallen wrote:

I am trying to create a static host list for a set of devices that I want to automatically assign a user role. I saw the option in the host list for a subnet, which works perfectly for our needs. When I go to create an authentication source, the host list does not show up as an option. If I change the host list to a MAC address list, then it shows up. How can I get it to show up when using the subnet option?

software version 6.2.0.54353


Just to understand you, you want to make an authentication contingent on the subnet of the client? 802.1x clients do not have an IP address before they authenticate. Please describe your scenario.

 



Colin Joseph
Aruba Customer Engineering


Frequent Contributor I
Posts: 85
Registered: ‎04-05-2011

Re: Clearpass Static Host List

This would not be 1x authentication, but connect on the guest network, which is open with a captive portal. For some devices that don't support 1x we have them on the guest network and I use a host list so I can map them to a user role on the regular network. This is what the guys said to do when we implemented the system.

 

In this case we have a subnet/VLAN for wireless TVs/digital signage. They will be given static IPs and connected to the guest network since they cannot do 1x. When creating a static host list, one of the options is to use an IP range, so this seemed like the best way to handle this scenario rather than having to manually enter each MAC address into the list.

Guru Elite
Posts: 8,751
Registered: ‎09-08-2010

Re: Clearpass Static Host List

Try and add it as an authorization source instead and then use a role map with "BELONGS_TO_GROUP" to tag it with a TIPS role.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I
Posts: 85
Registered: ‎04-05-2011

Re: Clearpass Static Host List

That's what I am trying to do, but the host list does not show up for me to select it when I try to create the authentication source. I am trying to figure out why it's not showing up.

Guru Elite
Posts: 8,751
Registered: ‎09-08-2010

Re: Clearpass Static Host List

Check the authorization box on the main summary page of the service and then add it as an additional authorization source.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Aruba
Posts: 1,548
Registered: ‎06-12-2012

Re: Clearpass Static Host List

You need to create a static host list, then go into the source and create a source that uses the static host list.

 


Thank You,
Troy

Frequent Contributor I
Posts: 85
Registered: ‎04-05-2011

Re: Clearpass Static Host List

I have created the static host list, but it does not show up on the screen you are showing. It does not get listed in the dropdown unless I change it to a MAC address list. If it's an IP list, it is not available for me to pick and add.

Aruba
Posts: 1,548
Registered: ‎06-12-2012

Re: Clearpass Static Host List

Sorry about that. I missed that you were using an IP based list. You are not able to use an IP based list as an Auth source, per the help section on the server.

 

Adding and Modifying Static Host Lists

A static host list comprises a named list of MAC or IP addresses, which can be invoked the following ways:

 In Service and Role-mapping rules as a component.
 For non-responsive services on the network (for example, printers or scanners), as an Authentication Source.

 

Only static host lists of type MAC address are available as authentication sources. A static host list often functions, in the context of the Service, as a white list or a black list. Therefore, they are configured independently at the global level.

Figure 1  Static Host Lists (Listing Page)

Thank You,
Troy

Frequent Contributor I
Posts: 85
Registered: ‎04-05-2011

Re: Clearpass Static Host List

OK, then the question becomes why does it even let me create an IP based list if I can't use it?
