Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Not able to deny a MAC address in ClearPass

  • 1.  Not able to deny a MAC address in ClearPass

    Posted Jun 01, 2018 05:44 PM

    Hi gurus,

     

    My customer has a policy in his AD which locks an account when a client reaches 10 authentication attempts. One user has changed his password, but it seems one device has permanently saved the old password, and this device is constantly trying to authenticate the user, so the account gets locked. In order to solve the problem I want to deny this device by its MAC address according to Colin's answer in this thread:

     

    http://community.arubanetworks.com/t5/Security/Blacklisting-clients-based-on-MAC-address/td-p/86182

     

    This is the situation in Access Tracker:

    [Image: access_tracker.png]

    I have added a rule (the first one) which denies MAC address 047970C12A01 in the service. I have added that MAC address in a Static Host List. These are the role and enforcement tabs in the service:

    [Image: roles.png]
    [Image: enforcement.png]

    But after making these changes, I can see the device keeps trying to authenticate in Access Tracker as always, and ClearPass lets the device authenticate.

    What could be happening? Is anything misconfigured?

     

    Regards,

    Julián



  • 2.  RE: Not able to deny a MAC address in ClearPass

    Posted Jun 01, 2018 11:12 PM
    Have you tried this option:

    https://community.arubanetworks.com/t5/tkb/articleprintpage/tkb-id/AAANACGuestAccessBYOD/article-id/424

    In your case you will have to increase it to match your use case.


    Thank you

    Victor Fabian

    Pardon typos sent from Mobile


  • 3.  RE: Not able to deny a MAC address in ClearPass

    Posted Jun 03, 2018 09:18 PM
    If you want to continue using the MAC address as a mechanism to deny access, you need to make sure that you include the SHL rule at the top of your enforcement policies.



    Thank you

    Victor Fabian

    Pardon typos sent from Mobile


  • 4.  RE: Not able to deny a MAC address in ClearPass

    Posted Jun 05, 2018 10:10 AM

    Hi Victor,

     

    Thanks for that link, I will try that solution!

     

    Regarding this:

     

    If you want to continue using the MAC address as a mechanism to deny access, you need to make sure that you include the SHL rule at the top of your enforcement policies.

     

    Do you mean my service for denying this MAC address is not correctly configured?

     

    Regards,

    Julián



  • 5.  RE: Not able to deny a MAC address in ClearPass

    Posted Jun 05, 2018 10:23 AM

    Try adding the rule at the top of your enforcement policy (no role mapping).

    [Image: 2018-06-05 10_21_03-Window.png]



  • 6.  RE: Not able to deny a MAC address in ClearPass

    Posted Jun 05, 2018 10:34 AM

    Ok, thanks a lot!

     

    Regards,

    Julián



  • 7.  RE: Not able to deny a MAC address in ClearPass

    EMPLOYEE
    Posted Jun 13, 2018 04:14 AM

    Not sure if you got anywhere with this exercise. I would expect that for your purpose you will need to filter your 'blacklisted devices' into a different service in order to prevent the authentication from being sent to the AD and triggering lockouts.

     

    I can't check right now how you can create a service rule that matches if the client MAC is in a static host list, but if you can do that match, you can authenticate against the guest or local DB to prevent the authentication from going to your AD backend.
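As an added example (not code from this thread, and not the ClearPass API), the following Python models the ordering point from reply 5 and adds the check a practitioner wants before touching policy. A first-match enforcement policy is simulated over two rules: with the Static Host List rule below a rule that allows any authenticated employee, the blocked device is allowed; with the SHL rule on top, it is denied. It also normalises MAC notation so that a list entry and a request written differently (colons, dashes, dots, bare hex) still compare equal, and runs a triage over constructed Access Tracker-style lines to find which (user, MAC) pair is close to the 10-attempt lockout. `StaticHostList`, `Rule`, `evaluate`, the log line format, the usernames and all MACs other than the one from the original post are assumptions for illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Tuple

LOCKOUT_THRESHOLD = 10  # the AD lockout policy from the original post

_MAC_HEX = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Canonicalise any common MAC notation to 12 lowercase hex digits.

    Accepts 04:79:70:C1:2A:01, 04-79-70-c1-2a-01, 0479.70c1.2a01 and
    047970C12A01. A list entry written in one notation and a request in
    another must still compare equal, or a deny rule silently never fires.
    """
    cleaned = re.sub(r"[:\-.\s]", "", mac).lower()
    if not _MAC_HEX.match(cleaned):
        raise ValueError(f"not a MAC address: {mac!r}")
    return cleaned


class StaticHostList:
    """Stand-in (assumed, not the ClearPass API) for a Static Host List of MACs."""

    def __init__(self, macs: Iterable[str]) -> None:
        self._macs = {normalize_mac(m) for m in macs}

    def __contains__(self, mac: object) -> bool:
        try:
            return normalize_mac(str(mac)) in self._macs
        except ValueError:
            return False


@dataclass
class Rule:
    name: str
    condition: Callable[[dict], bool]
    profile: str


def evaluate(rules: List[Rule], request: dict) -> Tuple[str, str]:
    """Simplified first-match enforcement: try rules top-down; the first whose
    condition holds decides the profile. Returns (profile, rule name); no match
    falls through to the policy's default profile."""
    for rule in rules:
        if rule.condition(request):
            return rule.profile, rule.name
    return "[Deny Access Profile]", "<default>"


BLOCKED = StaticHostList(["047970C12A01"])  # the MAC from the original post

deny_blocked = Rule("Blocked MAC", lambda r: r["mac"] in BLOCKED, "[Deny Access Profile]")
allow_employee = Rule("Authenticated employee", lambda r: r["role"] == "Employee",
                      "[Allow Access Profile]")

# The same two rules in both orders: with first-match only the second order denies the device.
MISORDERED = [allow_employee, deny_blocked]
CORRECT_ORDER = [deny_blocked, allow_employee]

# Request as it reaches enforcement once AD has (still) accepted the credentials.
SAMPLE_REQUEST = {"mac": "04:79:70:c1:2a:01", "role": "Employee"}

# Constructed Access Tracker-style lines (assumed format, not real ClearPass output).
LOG_LINES = [
    "2018-06-01 17:00:01 user=jperez mac=04:79:70:C1:2A:01 result=REJECT",
    "2018-06-01 17:00:31 user=jperez mac=04:79:70:C1:2A:01 result=REJECT",
    "2018-06-01 17:01:02 user=jperez mac=0479.70c1.2a01 result=REJECT",
    "2018-06-01 17:01:33 user=jperez mac=04-79-70-c1-2a-01 result=REJECT",
    "2018-06-01 17:02:04 user=jperez mac=047970C12A01 result=REJECT",
    "2018-06-01 17:02:35 user=jperez mac=04:79:70:C1:2A:01 result=REJECT",
    "2018-06-01 17:03:06 user=jperez mac=04:79:70:C1:2A:01 result=REJECT",
    "2018-06-01 17:03:37 user=jperez mac=04:79:70:C1:2A:01 result=REJECT",
    "2018-06-01 17:04:08 user=jperez mac=a4:5e:60:11:22:33 result=ACCEPT",
    "2018-06-01 17:05:00 user=mlopez mac=00:11:22:33:44:55 result=REJECT",
    "2018-06-01 17:05:30 garbage line that does not parse",
]
_LOG_RE = re.compile(r"user=(?P<user>\S+)\s+mac=(?P<mac>\S+)\s+result=(?P<result>\S+)")


def failures_by_device(lines: Iterable[str]) -> Counter:
    """Count REJECTs per (user, normalised MAC); unparseable lines are skipped."""
    counts: Counter = Counter()
    for line in lines:
        m = _LOG_RE.search(line)
        if m and m.group("result") == "REJECT":
            counts[(m.group("user"), normalize_mac(m.group("mac")))] += 1
    return counts


def devices_near_lockout(lines: Iterable[str], threshold: int = LOCKOUT_THRESHOLD,
                         margin: int = 3) -> Dict[Tuple[str, str], int]:
    """(user, MAC) pairs whose failures are within `margin` of the lockout threshold."""
    return {k: n for k, n in failures_by_device(lines).items() if n >= threshold - margin}


if __name__ == "__main__":
    for name, rules in (("misordered", MISORDERED), ("SHL rule on top", CORRECT_ORDER)):
        print(f"{name:16s} -> {evaluate(rules, SAMPLE_REQUEST)}")
    for (user, mac), n in devices_near_lockout(LOG_LINES).items():
        print(f"{user} from {mac}: {n} failures, lockout at {LOCKOUT_THRESHOLD}")
```

The ordering model covers only what reply 5 addresses: whether the device gets an access profile. It does not change what reply 7 points out, that by the time an enforcement policy runs, the authentication request has already been forwarded to AD and counted against the account, which is why the poster's deny rule, even when it fires, cannot stop the lockouts; that needs the blocked MACs steered into a separate service that does not authenticate against AD.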