SHL Reference in Role Mapping

I have two static host lists set up for whitelisting devices on the wired network for MAC authentication. These are non-domain-joined PCs that need to get to the production network, while other non-domain PCs (personal) should get denied access. I added the MAC addresses to each SHL in AB-CD-EF-AB-CD-EF format, which is what is sent in the "connection:client-mac-address" field and the "radius-ietf:calling-station-id" field in the request. I've tried referencing both in my role mapping policy, stating "Belongs_to_Group" and the SHL. Unfortunately, it is not acknowledging it. I'm using evaluate-all in my role mapping, and it is recognizing it as a computer (based on category), but not as a whitelisted computer. Authentication is Allow All MAC Auth, since we are also trying to profile unknown devices, and devices that may not be present in the endpoints database.

Am I missing something or is this just not supported? We're running 6.6.5.

Thanks



Michael Haring
If my answer is helpful, a Kudos is always appreciated!
Guru Elite

Re: SHL Reference in Role Mapping

Why aren't you using Device Registration? SHLs are not recommended.


Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: SHL Reference in Role Mapping

Actually that is a good idea, didn't think of that originally.

On a side note, the references to "Connection:Client-Mac-Address" and "Radius-IETF:Calling-Station-Id" both work. Come to find out later, the MAC address in the SHL was not the one that was being tested; that's why it wasn't matching. Basically, we tested a personal device, and not a whitelisted one.

Thanks for the insight. I think I might set up something like MAC Trac for this; it might make it easier.



Michael Haring
If my answer is helpful, a Kudos is always appreciated!
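The practical lesson of the thread is that a whitelist match only works if the value you compare is exactly the value the NAS actually sends in Calling-Station-Id / Client-Mac-Address, and that you should confirm which device's MAC you are testing with before concluding the policy is broken. The Python below is an added illustration, not code from the post and not how Aruba ClearPass implements static host lists or role mapping: it canonicalizes a MAC across the delimiter and case variants different NASes send, checks it against a constructed whitelist, and evaluates two rules (device category and whitelist membership) evaluate-all style so that both roles are returned when both match. PRODUCTION_SHL, canonical_mac, is_whitelisted and map_roles are hypothetical names, and the MAC addresses are made up for the example.

```python
import re

# Constructed sample whitelist in the AB-CD-EF-AB-CD-EF format the poster
# used in the static host list. These are not real devices.
PRODUCTION_SHL = {
    "00-11-22-33-44-55",
    "AA-BB-CC-DD-EE-FF",
}

_HEX12 = re.compile(r"^[0-9A-F]{12}$")


def canonical_mac(raw: str) -> str:
    """Reduce a MAC to 12 upper-case hex digits regardless of input form.

    Accepts the forms commonly seen in RADIUS Calling-Station-Id and
    similar attributes: AA-BB-CC-DD-EE-FF, aa:bb:cc:dd:ee:ff,
    aabb.ccdd.eeff and aabbccddeeff. Raises ValueError for anything that
    does not reduce to 12 hex digits, so a malformed value can never
    accidentally match an entry.
    """
    digits = re.sub(r"[-:.\s]", "", raw.strip()).upper()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits


def canonical_set(macs) -> set:
    """Canonicalize every entry of a host list once, for comparison."""
    return {canonical_mac(m) for m in macs}


def is_whitelisted(calling_station_id: str, shl=PRODUCTION_SHL) -> bool:
    """True if the request's MAC is in the host list, delimiter-insensitive.

    A value that is not a MAC at all is treated as not whitelisted rather
    than as an error, since an unknown device should fall through to the
    profiling path the poster describes, not abort authentication.
    """
    try:
        mac = canonical_mac(calling_station_id)
    except ValueError:
        return False
    return mac in canonical_set(shl)


def map_roles(calling_station_id: str, device_category: str,
              shl=PRODUCTION_SHL) -> list:
    """Evaluate-all style role mapping: every rule that matches adds a role.

    Rule 1 mirrors the category-based rule that was already firing for the
    poster; rule 2 is the whitelist rule that was not. With evaluate-all,
    a whitelisted computer gets both roles, a personal computer gets only
    the first.
    """
    roles = []
    if device_category == "Computer":
        roles.append("Computer")
    if is_whitelisted(calling_station_id, shl):
        roles.append("Whitelisted-Computer")
    return roles


if __name__ == "__main__":
    # Same MAC as a whitelist entry, but sent colon-delimited and lower-case.
    print(map_roles("00:11:22:33:44:55", "Computer"))
    # A personal device: category still matches, whitelist does not.
    print(map_roles("de:ad:be:ef:00:01", "Computer"))
```

If a match still fails after the formats line up, the next thing to check is the one the poster found in the end: capture the actual Calling-Station-Id from the request you are testing and compare it to the list entry rather than assuming the device under test is the one you added.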