Super Contributor II

Mac-Auth service for all our Aruba APs

I'm trying to set up a ClearPass MAC-auth service for all our Aruba APs. The theory is that I build up a list of appropriate MAC address prefixes and use them to generate the appropriate enforcement policy to drop them into the right VLAN.


What I've done is


1). Create a number of regex static host lists, e.g.

Name: Aruba AP225

Host Format: Regular Expressions

Host Type: MAC address

RegEx: ^18-64-72-2[0-9A-F]-2[0-9A-F]-2[0-9A-F]$


So in theory all MAC addresses starting with 18-64-72 are defined as being AP225s.


2). Create an authentication source

Name: Aruba AP list

Type: Static Host List

MAC address host list: ArubaAP 225, ArubaAP 275, ArubaAP 125......


3). Create a service


Name UoY Aruba AP authentication

Service Rule

All of following

Radius:IETF NAS-Port-Type = Ethernet

Radius:IETF Service-Type = Call-Check

Authentication Source Belongs_to "Aruba AP List"


An auth from an AP225 MAC address doesn't pick up this service; it drops down into the generic MAC-auth service defined later on. If I remove the Auth:Source... service rule and replace it with one saying Radius:IETF User-Name Starts-With ...... then the service is picked up just fine.


I don't really want to have to specify all the MAC prefixes in order to select this service. What am I doing wrong?




Guru Elite

Re: Mac-Auth service for all our Aruba APs

I use a role map instead of a static host list as I find it to be more reliable.



Tim Cappalli | Aruba Security
@timcappalli | | ACMX #367 / ACCX #480
Super Contributor I

Re: Mac-Auth service for all our Aruba APs


I haven't played at all with CPPM regexps, but in ROTW regexp syntax, 2[0-9A-F] means "match the number 2 followed by a hex digit". Only some regexp syntaxes like PCRE support numeric quantifiers like [0-9A-F]{2}, and just writing [0-9A-F][0-9A-F] would be more self-explanatory. Also, check for case folding issues.



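The following is an added example, not code from the thread or from ClearPass: a small Python script that runs the regex as posted in the first message and a corrected prefix regex against a handful of constructed MAC strings, so the two problems the reply points out (the literal "2" in each trailing octet, and case/delimiter differences) can be seen directly. It goes slightly beyond the thread by also generating a hyphen-form host-list regex from an OUI prefix, which is how one would build such lists for many AP models without hand-writing each pattern. The sample MACs, the accepted OUI input forms, and the normalization step (standing in for whatever case folding a RADIUS front end might or might not do) are assumptions of this example; nothing here asserts how ClearPass's own regex engine behaves.

```python
import re

# The regex exactly as posted in the thread. The "2" before each trailing character
# class is a literal 2, so it only matches MACs whose last three octets all start with 2.
POSTED_RE = re.compile(r"^18-64-72-2[0-9A-F]-2[0-9A-F]-2[0-9A-F]$")

# What the poster meant: the fixed 18-64-72 OUI followed by any three hex octets.
# [0-9A-F]{2} and [0-9A-F][0-9A-F] are equivalent; the second needs no {n} support.
FIXED_RE = re.compile(r"^18-64-72-[0-9A-F]{2}-[0-9A-F]{2}-[0-9A-F]{2}$")


def oui_pattern(oui: str) -> str:
    """Build an upper-case, hyphen-form host-list regex for a 3-octet OUI prefix.

    Accepts (assumed input forms) 18:64:72, 18-64-72, 1864.72 or 186472.
    Uses the explicit [0-9A-F][0-9A-F] form so it works without numeric quantifiers.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", oui).upper()
    if len(digits) != 6:
        raise ValueError(f"not a 3-octet OUI: {oui!r}")
    prefix = "-".join(digits[i:i + 2] for i in range(0, 6, 2))
    return "^" + prefix + "-[0-9A-F][0-9A-F]" * 3 + "$"


def normalize_mac(mac: str) -> str:
    """Canonicalize a MAC to upper-case hyphen form (the case folding the reply mentions)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def matches(pattern, mac: str, fold_case: bool = False) -> bool:
    """True if mac matches pattern (a regex string or compiled pattern).

    With fold_case=True the MAC is normalized first, simulating a front end that
    canonicalizes the User-Name before the host-list regex sees it.
    """
    value = normalize_mac(mac) if fold_case else mac
    return re.fullmatch(pattern, value) is not None


# Constructed sample MACs for illustration; not taken from the thread.
SAMPLES = [
    "18-64-72-2A-2B-2C",  # happens to fit the posted regex
    "18-64-72-A0-B1-C2",  # typical AP MAC with the right OUI
    "18-64-72-a0-b1-c2",  # same MAC, lower case
    "18:64:72:A0:B1:C2",  # colon form, as many RADIUS clients send it
    "18-64-73-A0-B1-C2",  # different OUI, must never match
]


def classify(mac: str) -> dict:
    """Report how the posted regex, the fixed regex, and fixed+normalization treat a MAC."""
    return {
        "posted": matches(POSTED_RE, mac),
        "fixed": matches(FIXED_RE, mac),
        "fixed_folded": matches(FIXED_RE, mac, fold_case=True),
    }


if __name__ == "__main__":
    print("generated AP225 pattern:", oui_pattern("18:64:72"))
    for sample in SAMPLES:
        print(f"{sample:20} {classify(sample)}")
```

Running it shows that the posted regex rejects an ordinary 18-64-72 MAC unless each trailing octet starts with 2, that the corrected regex still rejects lower-case or colon-delimited input unless something normalizes it first, and that a different OUI never matches under any variant. If the RADIUS client sends User-Name in a different case or delimiter form than the host list expects, either normalize on the way in or write the pattern to accept both forms.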