02-11-2015 07:44 PM
not. Complete profile information cannot be derived from just the MAC OUI
and the profile information. The category, OS and device name can only be
populated from automagic fingerprinting (DHCP fingerprints, subnet scans,
Onboard, ActiveSync, etc) or by manually updating the attributes in the
database. You cannot currently update these values using a post-auth update.
You could, however, create a custom attribute that you could update using a
Post-Auth endpoint update after successful authentication.
02-11-2015 07:55 PM
That is good to know that the MAC OUI alone cannot populate the profile info. I have a bunch of static IP device PLCs (Programmable Logic Controller) by a common vendor that need to be profiled immediately when the device connects to the network. I can't wait for an SNMP Polling cycle (6 hr) for CPPM to profile the device. After profiling the device and assigning it Role of PLC, I want to use MAC AUTH Service to assign appropriate network access (like VLAN, dACL, etc.). How could this be accomplished?
Thanks for your help.
02-11-2015 08:01 PM - edited 02-11-2015 08:03 PM
- Create a ClearPass TIPS role: DEVICE_PLC
(Configuration > Identity > Roles > Add)
- In your MAC-auth service, add the following rule to the role map:
- Then add a rule to your enforcement policy like below, replacing the enforcement profile(s) with the appropriate action.