SHL Reference in Role Mapping

I have two static host lists set up for whitelisting devices on the wired network for MAC authentication. These are non-domain-joined PCs that need to get to the production network, while other non-domain PCs (personal) should be denied access. I added the MAC addresses to each SHL in AB-CD-EF-AB-CD-EF format, which is what is sent in the "connection:client-mac-address" field and the "radius-ietf:calling-station-id" field in the request. I've tried referencing both in my role mapping policy with "Belongs_to_Group" and the SHL. Unfortunately, it is not acknowledging it. I'm using evaluate-all in my role mapping, and it is recognizing the device as a computer (based on category), but not as a whitelisted computer. Authentication is Allow All MAC Auth, since we are also trying to profile unknown devices and devices that may not be present in the endpoints database.


Am I missing something or is this just not supported? We're running 6.6.5.


Thanks


Michael Haring
ACMP, ACCP, BCNE, CCENT, Palo Alto ACE 7.0

Re: SHL Reference in Role Mapping

Why aren't you using Device Registration? SHLs are not recommended.


Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: SHL Reference in Role Mapping

Actually that is a good idea, didn't think of that originally.


On a side note, the references "Connection:Client-Mac-Address" and "Radius-IETF:Calling-Station-Id" both work. Come to find out later, the MAC address in the SHL was not the one that was being tested, which is why it wasn't matching. Basically, we tested a personal device, not a whitelisted one.


Thanks for the insight. I think I might set up something like MAC Trac for this; it might make it easier.


Michael Haring
ACMP, ACCP, BCNE, CCENT, Palo Alto ACE 7.0
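An added check, written for this thread and not part of ClearPass or of either poster's configuration: it normalizes the SHL entries and the two request attributes named above (Connection:Client-Mac-Address, Radius-IETF:Calling-Station-Id) to the AB-CD-EF-AB-CD-EF form before matching, so a device that is simply absent from the list, as turned out to be the case here, is reported as the cause rather than appearing as a silent non-match. The host-list entries and request attributes are constructed sample values.

```python
import re

# Normalize every MAC to the form the SHLs in this thread use (AB-CD-EF-AB-CD-EF),
# so that a request written as ab:cd:ef:ab:cd:ef or abcd.efab.cdef still matches.
def normalize_mac(raw: str) -> str:
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))

def build_host_list(entries) -> set:
    """Load SHL entries (any delimiter style) into a normalized set."""
    return {normalize_mac(e) for e in entries}

def evaluate_request(attrs: dict, production_shl: set) -> dict:
    """Apply the whitelist rule to one MAC-auth request's attributes.

    Both attribute names from the thread normally carry the same MAC; a
    disagreement is flagged rather than silently matched on either one.
    """
    conn = normalize_mac(attrs["Connection:Client-Mac-Address"])
    csid = normalize_mac(attrs["Radius-IETF:Calling-Station-Id"])
    whitelisted = conn in production_shl
    return {
        "mac": conn,
        "attributes_agree": conn == csid,
        "role": "production-whitelist" if whitelisted else "deny-personal",
        # The diagnosis the poster reached by hand: the device is simply
        # not in the list, so Belongs_to_Group can never match it.
        "reason": "in SHL" if whitelisted else "MAC not present in SHL",
    }

# Constructed sample SHL entries (hypothetical addresses, mixed delimiter styles).
PRODUCTION_SHL = build_host_list(["AB-CD-EF-AB-CD-EF", "00:1a:2b:3c:4d:5e"])

# Constructed sample requests: one whitelisted PC, one personal device.
SAMPLE_REQUESTS = [
    {"Connection:Client-Mac-Address": "AB-CD-EF-AB-CD-EF",
     "Radius-IETF:Calling-Station-Id": "AB-CD-EF-AB-CD-EF"},
    {"Connection:Client-Mac-Address": "DE-AD-BE-EF-00-01",
     "Radius-IETF:Calling-Station-Id": "dead.beef.0001"},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(evaluate_request(req, PRODUCTION_SHL))
```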