Contributor II
Posts: 75
Registered: ‎05-06-2014

How would an Aruba AP appear to the fingerprint function of ClearPass (wired MAC-auth)?

My customer would like to secure the wired port to which he is connecting an Aruba outdoor AP.  If you enabled MAC-auth on the host switch and also configured the default gateway to forward DHCP requests to ClearPass, how would the AP appear to the fingerprinting function in CPPM?  Would it be a unique enough device type to lock down that switch port not just to the MAC but to Aruba APs only?

Guru Elite
Posts: 20,002
Registered: ‎03-29-2007

Re: How would an Aruba AP appear to the fingerprint function of ClearPass (wired MAC-auth)?

It would look like this:

Screenshot 2016-09-08 at 05.12.59.png

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
Contributor II
Posts: 75
Registered: ‎05-06-2014

Re: How would an Aruba AP appear to the fingerprint function of ClearPass (wired MAC-auth)?

Thanks Colin - that would present another hurdle, for users looking to simply plug in to the AP's switch port...   Could we write a CP rule that requires the device on that port to have the matching device name, too..?

Guru Elite
Posts: 20,002
Registered: ‎03-29-2007

Re: How would an Aruba AP appear to the fingerprint function of ClearPass (wired MAC-auth)?

You would have to compare it against a static MAC address list of allowed APs. Just checking for an Aruba AP would allow ANY Aruba AP to connect.

Colin Joseph
Aruba Customer Engineering

Contributor II
Posts: 75
Registered: ‎05-06-2014

Re: How would an Aruba AP appear to the fingerprint function of ClearPass (wired MAC-auth)?

Sure; MAC-auth is my planned 'first barrier':

1) MAC auth against the installed AP's MAC

2) Permit only device name Aruba networks-AP-224 (or whatever the AP type happened to be)

Thanks for your help, as always...   :)
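
The two-step policy discussed in this thread (static MAC allow-list plus a device-profile match), modeled as an added Python example; it is not code from any poster and is not ClearPass rule syntax. The MAC addresses are constructed, and the exact profile string and the fail-closed handling of unprofiled devices are assumptions.

```python
import re

# Constructed sample allow-list of installed AP MACs (hypothetical values).
ALLOWED_AP_MACS = {"00:0b:86:aa:bb:01", "00:0b:86:aa:bb:02"}
# Device name as written in the thread; the exact string the profiler reports is an assumption.
REQUIRED_DEVICE_NAME = "Aruba networks-AP-224"

def normalize_mac(raw):
    """Accept colon, hyphen or dotted notation; return aa:bb:cc:dd:ee:ff or None."""
    digits = re.sub(r"[.:\-]", "", raw.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def evaluate(mac, profiled_name):
    """Return (decision, reason) for one wired MAC-auth request."""
    norm = normalize_mac(mac)
    if norm is None:
        return ("REJECT", "malformed MAC")
    # Barrier 1: the MAC must be one of the installed APs.
    if norm not in ALLOWED_AP_MACS:
        return ("REJECT", "MAC not in AP allow-list")
    # Assumption in this example: a device with no profile yet is refused (fail closed).
    if profiled_name is None:
        return ("REJECT", "device not yet profiled")
    # Barrier 2: the profiled device name must match the expected AP model.
    if profiled_name.casefold() != REQUIRED_DEVICE_NAME.casefold():
        return ("REJECT", "profile mismatch")
    return ("ACCEPT", "allow-listed MAC with matching profile")

# Constructed requests: (MAC as sent by the switch, profiled device name).
SAMPLE_REQUESTS = [
    ("000B.86AA.BB01", "Aruba networks-AP-224"),     # installed AP, dotted notation
    ("00-0B-86-AA-BB-09", "Aruba networks-AP-224"),  # an Aruba AP that is not on the list
    ("00:0b:86:aa:bb:02", "Windows"),                # listed MAC, but the profile is not an AP
    ("00:0b:86:aa:bb:01", None),                     # listed MAC, no profile data yet
]

if __name__ == "__main__":
    for mac, name in SAMPLE_REQUESTS:
        print(mac, name, evaluate(mac, name))
```

The second sample request is the case raised in the reply above: a profile check alone would accept it, and only the allow-list refuses it.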
