09-08-2016 03:06 AM
My customer would like to secure the wired port to which he is connecting an Aruba outdoor AP. If you enabled MAC-auth on the host switch and also configured the default gateway to forward DHCP requests to ClearPass, how would the AP appear to the fingerprinting function in CPPM? Would it be a unique enough device type to lock down that switch port not just to the MAC but to Aruba APs only?
09-08-2016 03:13 AM
09-08-2016 03:20 AM
Thanks Colin - that would present another hurdle for users looking to simply plug in to the AP's switch port... Could we write a CP rule that requires the device on that port to have the matching device name, too?
09-08-2016 03:30 AM
You would have to compare it against a static MAC address list of allowed APs. Just checking for an Aruba AP would allow ANY Aruba AP to connect.
Aruba Customer Engineering
09-08-2016 03:36 AM
Sure; MAC-auth is my planned 'first barrier':
1) MAC auth against the installed AP's MAC
2) Permit only device name Aruba networks-AP-224 (or whatever the AP type happened to be)
Thanks for your help, as always... :)
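
Added example, not part of the original thread and not ClearPass code: a Python sketch of the two-condition decision the posts arrive at, where the port is authorized only if the MAC is on the static AP list and the profiled device name matches. The MAC addresses are constructed, the function names are hypothetical, the device name is the string quoted in the thread, and the sketch assumes the endpoint has already been profiled.

```python
import re

# Constructed sample data: static list of installed AP MACs (locally administered range).
ALLOWED_AP_MACS = {"020000000001", "020000000002"}
# Device name as written in the thread; the string the profiler reports may differ.
REQUIRED_DEVICE_NAME = "Aruba networks-AP-224"


def normalize_mac(raw):
    """Strip the usual separators (: - .) and return 12 lowercase hex digits, or None.

    Switches send the MAC in different notations, so the static list has to be
    compared on a normalized form or a listed AP can be rejected by mistake.
    """
    candidate = re.sub(r"[:.\-]", "", (raw or "").strip()).lower()
    return candidate if re.fullmatch(r"[0-9a-f]{12}", candidate) else None


def authorize(calling_station_id, profiled_name):
    """Return (decision, reason); both checks must pass, everything else is denied."""
    mac = normalize_mac(calling_station_id)
    if mac is None:
        return ("deny", "unparseable MAC")
    if mac not in ALLOWED_AP_MACS:
        # A profile match alone would admit any Aruba AP, so the list is checked first.
        return ("deny", "MAC not in static AP list")
    if (profiled_name or "").strip().lower() != REQUIRED_DEVICE_NAME.lower():
        # Listed MAC, but the device on the port does not profile as the expected AP.
        return ("deny", "profile does not match expected AP")
    return ("allow", "listed MAC and matching profile")


# Constructed requests: (MAC as sent by the switch, profiled device name).
SAMPLE_REQUESTS = [
    ("02-00-00-00-00-01", "Aruba networks-AP-224"),   # installed AP, hyphen notation
    ("0200.0000.0002", "Aruba networks-AP-224"),      # installed AP, dotted notation
    ("02:00:00:00:00:99", "Aruba networks-AP-224"),   # some other AP of the same model
    ("02:00:00:00:00:01", "Windows"),                 # listed MAC, different device profile
]

if __name__ == "__main__":
    for mac, name in SAMPLE_REQUESTS:
        print(mac, name, "->", authorize(mac, name))
```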