Not able to deny a MAC address in ClearPass

Hi gurus,

My customer has a policy in his AD which locks an account when a client reaches 10 authentication attempts. One user has changed his password, but it seems one device has permanently saved the old password, and this device is constantly trying to authenticate the user, so the account gets locked. In order to solve the problem I want to deny this device by its MAC address according to Colin's answer in this thread:

http://community.arubanetworks.com/t5/Security/Blacklisting-clients-based-on-MAC-address/td-p/86182


This is the situation in Access Tracker:

[Image: access_tracker.png]

I have added a rule (the first one) which denies MAC address 047970C12A01 in the service. I have added that MAC address in a Static Host List. These are the Roles and Enforcement tabs in the service:

[Images: roles.png, enforcement.png]

But after making these changes, I can see the device keeps trying to authenticate in Access Tracker as always, and ClearPass lets the device authenticate.

What can be happening? Is anything misconfigured?


Regards,

Julián


Re: Not able to deny a MAC address in ClearPass

Have you tried this option:

https://community.arubanetworks.com/t5/tkb/articleprintpage/tkb-id/AAANACGuestAccessBYOD/article-id/424

In your case you will have to increase it to match your use case.

Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA

Re: Not able to deny a MAC address in ClearPass

If you want to continue using the MAC address as a mechanism to deny access, you need to make sure that you include the SHL rule at the top of your enforcement policies.

Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA

Re: Not able to deny a MAC address in ClearPass

Hi Victor,

Thanks for that link, I will try that solution!

Regarding this:

"If you want to continue using the MAC address as a mechanism to deny access, you need to make sure that you include the SHL rule at the top of your enforcement policies."

Do you mean my service for denying this MAC address is not correctly configured?


Regards,

Julián

Re: Not able to deny a MAC address in ClearPass

Try adding the rule at the top of your enforcement policy (no role mapping).

[Image: 2018-06-05 10_21_03-Window.png]

Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA

Re: Not able to deny a MAC address in ClearPass

Ok, thanks a lot!


Regards,

Julián

Re: Not able to deny a MAC address in ClearPass

Not sure if you got anywhere with this exercise. I would expect that for your purpose you will need to filter out your 'blacklisted devices' into a different service in order to prevent the authentication from being sent to AD and triggering lockouts.

Can't check right now how you can create a service rule that matches if the client MAC is in a static host list, but if you can do that match, you can authenticate against the guest or local DB to prevent the authentication from going to your AD backend.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
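The two points made in this thread, Victor's (the SHL deny rule only works when it sits above any permissive rule in the enforcement policy) and the last reply's (only a separate service keeps the request away from AD and so away from the lockout counter), are shown together in this added Python model. It is not ClearPass code: the first-match evaluation, the profile and service names, the user "juser" and the twelve retries are all constructed for illustration; only the MAC and the lockout threshold of 10 come from the thread.

```python
# Added model (not ClearPass code): how first-match enforcement ordering and
# service routing decide the fate of the thread's stale-password device.
from dataclasses import dataclass

BLOCKED_MAC = "047970C12A01"      # MAC from the thread
STATIC_HOST_LIST = {BLOCKED_MAC}  # the poster's Static Host List
AD_LOCKOUT_THRESHOLD = 10         # customer's AD lockout policy

@dataclass
class Request:
    mac: str
    user: str
    password_ok: bool = False     # the stale device always sends the old password

def in_shl(req):
    """Condition: client MAC is a member of the Static Host List."""
    return req.mac.replace(":", "").upper() in STATIC_HOST_LIST

def everyone(req):
    return True

# Profile names are assumed; rules are (condition, enforcement profile) pairs.
RULE_DENY_SHL = (in_shl, "Deny Access Profile")
RULE_ALLOW_ALL = (everyone, "Allow Access Profile")

def evaluate_enforcement(rules, req, default="Default Profile"):
    """First-match evaluation: the first rule whose condition holds wins,
    so a deny rule placed below a catch-all allow never fires."""
    for condition, profile in rules:
        if condition(req):
            return profile
    return default

def classify_service(req, route_shl_first):
    """Service selection (names assumed). Routing SHL members to a service
    backed by the local DB means their requests never reach the AD source."""
    if route_shl_first and in_shl(req):
        return "Blacklisted Devices (local DB)"
    return "Employee 802.1X (AD)"

def ad_lockouts(requests, route_shl_first):
    """Return the users whose failed AD binds reach the lockout threshold."""
    failures = {}
    for req in requests:
        if classify_service(req, route_shl_first).endswith("(AD)") and not req.password_ok:
            failures[req.user] = failures.get(req.user, 0) + 1
    return {u for u, n in failures.items() if n >= AD_LOCKOUT_THRESHOLD}

# Constructed traffic: the stale device retries twelve times with the old password.
STALE_RETRIES = [Request(BLOCKED_MAC, "juser") for _ in range(12)]
```

With the deny rule below the catch-all, the blocked MAC still receives the allow profile, which is the symptom in Access Tracker; and even when the deny rule is first, every retry still counts against AD unless the device is routed to a non-AD service.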