01-15-2015 04:57 PM
Are there any documentation/tutorials that walk you through how to do MAC authentication on non-802.1X devices that have static IP addresses? I am looking to build a MAC Auth service that will profile various devices (PLCs, cameras, routers, video decoders) and put them onto the private network, and force non-802.1X computers (guest visitors/vendors) to an internet-only VLAN.
Are there any docs that show how to build such a service? I understand there are various ways to profile a device (NMAP, SNMP, Nessus, MAC OUI), but how do you use these methods in a service?
Thanks for your help ahead of time.
01-15-2015 07:21 PM
Thanks Tim. It does help, but I am not sure what the enforcement profile (ROLE_PROFILE) looks like. If not too much trouble, can you show how that profile is built? I am looking to see how the device is profiled and can be classified as a certain type of device. There must be something else that needs to be configured to determine the device type. I would assume if you used SNMP or NMAP that there are configurations that can read into a response to determine the device type.
Am I even in the ballpark on how this works?
Thanks again for taking the time to show me the screenshots above.
01-15-2015 07:26 PM
Same idea with nmap. You can give the device an audit state based on rules you set. So you could give temporary Internet-only access until a device was audited or profiled, and then change the device's role.
There will be some additional profiling options in the upcoming 6.5 release so stay tuned for that.
01-16-2015 08:21 AM - edited 01-16-2015 08:23 AM
With MAC auth, is there a way to give different device types different network access? For example:
If I have a security camera using MAC auth, can I allow it to connect to the internal network VLAN A, and then have guest users' PCs using MAC auth and configure them to use VLAN B?
If so, how do you get the device profiled to know if it is a security camera versus a guest PC?
01-16-2015 08:33 AM
Once the device is profiled, you map the device category/family/device name (derived from the profile) to an enforcement profile. The enforcement profile(s) are what get sent down to the switch/controller.
This is what's shown in the second to last screenshot above.
01-16-2015 09:09 AM - edited 01-16-2015 09:11 AM
Thanks Tim. That is my problem: the endpoint is not getting profiled. It is a static IP address device. It will never send a DHCP request. I have the helper-address pointing to ClearPass and that works well for PCs and other devices doing DHCP.
How do you get a static IP address device profiled?
01-16-2015 09:12 AM
Take a look here
01-16-2015 09:19 AM - edited 01-16-2015 09:20 AM
Tim, I have seen this doc, but it doesn't help my situation with something like a PLC (Programmable Logic Controller). But the PLC does support SNMP. Isn't there a way to have CPPM query the endpoint via SNMP (public) to get back info to profile it? I am looking for something like this. Is that possible or am I barking up the wrong tree?
I am trying to determine if there are automated ways to profile static IP address devices immediately when they connect, or am I going to have to maintain some sort of Static Host Table.
Doesn't the subnet scan happen at pre-defined time intervals?