Occasional Contributor II

Static Host List Import format - Changed in 6.7?

I used to be able to import bulk mac addresses into a static host list in CPPM 6.6 using the following format:

<StaticHostLists>
<StaticHostList description="" name="Static Hosts" memberType="MACAddress" memberFormat="list" members="00:14:d1:f1:a9:b1, 00:20:00:98:7b:b4, 80:c6:ab:41:6c:b7"/>
</StaticHostLists>

But now, with 6.7 when I export the list it has the following format:

<StaticHostLists>
<StaticHostList description="" name="CCSD-Secure Allowed Device List" memberType="MACAddress" memberFormat="list" >
<Members>
<Member address="aa:bb:cc:dd:ee:ff"/>
<Member address="a1:b2:c3:d4:e5:f6"/>
<Member address="ab:cd:ef:12:34:56"/>
</Members>
</StaticHostList>
</StaticHostLists>

Each MAC address has a "Member address" before it.  How can I do a bulk import of MAC addresses this way?

Guru Elite

Re: Static Host List format - Changed in 6.7?

Add additional statements. This was done to accommodate the new description field. XML export formats can change at any time.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: Static Host List format - Changed in 6.7?

I'm not sure what you mean by add additional statements.

Guru Elite

Re: Static Host List format - Changed in 6.7?

For each MAC address, add:

<Member address="aa:bb:cc:11:22:33"/>

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
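
Added example, not part of the thread and not Aruba tooling: one way to script the change described above, turning a 6.6-style `members="..."` attribute (plus any extra addresses) into the `<Member address="..."/>` children shown in the 6.7 export. It assumes the file holds only the fragment shown in the posts, with no XML namespace or wrapper elements; the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the 6.6-style fragment from the first post.
OLD_XML = """<StaticHostLists>
<StaticHostList description="" name="Static Hosts" memberType="MACAddress" memberFormat="list" members="00:14:d1:f1:a9:b1, 00:20:00:98:7b:b4, 80:c6:ab:41:6c:b7"/>
</StaticHostLists>"""

def normalize_mac(raw):
    """Return aa:bb:cc:dd:ee:ff, accepting colon, dash, dotted or bare hex input."""
    digits = re.sub(r"[\s:.\-]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def member_addresses(xml_text):
    """List the address attribute of every <Member> in document order."""
    return [m.get("address") for m in ET.fromstring(xml_text).iter("Member")]

def convert(xml_text, extra_macs=()):
    """Move members="..." values (plus extra_macs) into <Member> children.

    Returns (new_xml, rejected); rejected entries are left out of the output
    so a typo does not end up as a list member.
    """
    root = ET.fromstring(xml_text)
    rejected = []
    for host_list in root.iter("StaticHostList"):
        members = host_list.find("Members")
        if members is None:
            members = ET.SubElement(host_list, "Members")
        seen = {m.get("address") for m in members.iter("Member")}
        candidates = host_list.attrib.pop("members", "").split(",") + list(extra_macs)
        for item in (c.strip() for c in candidates):
            if not item:
                continue
            try:
                mac = normalize_mac(item)
            except ValueError:
                rejected.append(item)
                continue
            if mac not in seen:  # skip duplicates after normalization
                seen.add(mac)
                ET.SubElement(members, "Member", address=mac)
    return ET.tostring(root, encoding="unicode"), rejected

if __name__ == "__main__":
    new_xml, bad = convert(OLD_XML, ["AA-BB-CC-11-22-33", "0014.d1f1.a9b1", "not-a-mac"])
    print(new_xml, "\nrejected:", bad)
```

Review the rejected list before importing, and compare the output against a fresh export from your own server, since the export format can change between versions.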
Occasional Contributor II

Re: Static Host List format - Changed in 6.7?

Wow, that's going to be a PITA for 500 MAC addresses.

Guru Elite

Re: Static Host List format - Changed in 6.7?

Why are you using Static Host Lists? Device Registration is recommended.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: Static Host List format - Changed in 6.7?

I've never heard of device registration.  What exactly is it and how does it differ from Static Host Lists?

Guru Elite

Re: Static Host List format - Changed in 6.7?

Static Host Lists provide no context and should not be used.

Device Registration registers the device with a role assignment, expiration and other attributes.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: Static Host List format - Changed in 6.7?

We use static host lists as part of our 802.1x enforcement profiles.  So a computer has to be in a static host list, and machine authenticated on our domain, for it to get put in our machine auth role.

How would I use device registration in this context for onboarding hundreds of new devices?

Guru Elite

Re: Static Host List format - Changed in 6.7?

Why would a MAC address be used for this? MAC addresses can be easily changed and many devices use MAC randomization now.

What does this accomplish if you’re already using Machine Authentication? MAC address provides no security value.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480