Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

clearpass mac auth - matching static host list?

  • 1.  clearpass mac auth - matching static host list?

    MVP
    Posted Jun 18, 2014 07:47 AM

    Trying to configure 802.1x authentication with mac-auth for non-supplicant.

    I've created different static-host-lists for different device types (SHL phones, another SHL for infrastructure devices, another SHL .. etc).

     

    Now I want to return different enforcement policies depending on which static host list the mac belongs to.

    My problem here is that I seem to only be able to differentiate only on the authentication source but not the static-host-lists used within those sources.

     

    Has anybody got an idea how to handle this? Am I forced to create tons of different authentication sources to do this or is there a way to use the SHL directly?



  • 2.  RE: clearpass mac auth - matching static host list?

    EMPLOYEE
    Posted Jun 18, 2014 08:00 AM

    koenv,

     

    Try this:

    belongs.png

     

    And then write an enforcement policy that if you see role outcome1, return enforcement profile 1.  If you see role outcome2, return enforcement profile 2....  You can also combine roles with other things you might be checking in the same enforcement policy.

     

    Does that work?



  • 3.  RE: clearpass mac auth - matching static host list?

    MVP
    Posted Jun 18, 2014 08:17 AM

    Unfortunately it doesn't..

    Tried first with the regex SHL I used, then again with an actual mac list SHL, but both do not get the role I tried assigning using your method.

     

    EDIT:  the devil is in the details.. called-station-id is NOT the same as calling-station-id!



  • 4.  RE: clearpass mac auth - matching static host list?

    EMPLOYEE
    Posted Jun 18, 2014 08:20 AM

    Let me make sure I am understanding you.  The radius-ietf calling-station-id along with belongs to group does not tag with the specified role?  I'm just talking about that basic use case.  I know you mentioned regex and I'm not sure where that comes in...



  • 5.  RE: clearpass mac auth - matching static host list?

    MVP
    Posted Jun 18, 2014 08:43 AM

    Trying to do wired mac auth.

    Using a source "wired mac auth" within that source a static host list (SHL).

    One of the SHL is a regex that matches any mac oui 00:08:5d (the mac oui for the phones)

    Another SHL will be a regex for Wyse terminals matching 00:80:64

    Another SHL....

     

    Now I would like to just use the SHL itself to say put this device in the voip or wyse vlan rather than creating a separate source with 1 SHL in it for each category.

     

    So your idea "(Radius:IETF:Called-Station-Id  BELONGS_TO_GROUP  Astra Voip Phones (no delimiter)) -> set role wired-vlan-(voip)" does not result in that authentication getting that role.

     

    -------------------

    in short:

     

    authentication source: wired mac

    uses SHL Astra Voip Phones (no delimiter)  

     

    Static host list: Astra Voip Phones (no delimiter)

    uses regex 00085d(?:[A-Fa-f0-9]{2}){2}(?:[A-Fa-f0-9]{2})  to match mac addresses

     

    I can get it working by creating a different authentication source with a unique SHL in each.  I would have liked to be able to use 1 auth source with multiple SHL in it and then verify what SHL matched the mac address to assign a role and enforce a vlan.



  • 6.  RE: clearpass mac auth - matching static host list?

    EMPLOYEE
    Posted Jun 18, 2014 08:51 AM

    Koenv,

     

    Please post your configuration so we can understand it fully.  Please also post the access tracker entry with computed attributes.

     

     



  • 7.  RE: clearpass mac auth - matching static host list?

    MVP
    Posted Jun 18, 2014 09:03 AM

    unique auth source - single SHL.png

     

    SHL used.png

     

    role mapping.png

     

    access tracker.png

     

     



  • 8.  RE: clearpass mac auth - matching static host list?
    Best Answer

    EMPLOYEE
    Posted Jun 18, 2014 09:08 AM

    Koenv,

     

    You are using a Regex, but why wouldn't you use radius-ietf calling station ID begins with 00085d, instead?



  • 9.  RE: clearpass mac auth - matching static host list?

    MVP
    Posted Jun 18, 2014 09:20 AM

    euhmm.. too logical?

     

    Grmbl.. I was using called-station-id.. your first solution might very well have worked too. 



  • 10.  RE: clearpass mac auth - matching static host list?

    EMPLOYEE
    Posted Jun 18, 2014 09:26 AM

    Koenv,

     

    No, it is just harder to troubleshoot a regex.

     



  • 11.  RE: clearpass mac auth - matching static host list?

    MVP
    Posted Jun 18, 2014 09:31 AM

    the devil is in the details.. called-station-id is NOT the same as calling-station-id!

    Your first suggestion does work.

     

    But indeed, calling-station-id begins with seems the easiest solution. I'll use that.

     



  • 12.  RE: clearpass mac auth - matching static host list?

    EMPLOYEE
    Posted Jun 18, 2014 08:59 AM

    @KoenV wrote:

    Trying to do wired mac auth.

    Using a source "wired mac auth" within that source a static host list (SHL).

    One of the SHL is a regex that matches any mac oui 00:08:5d (the mac oui for the phones)

    Another SHL will be a regex for Wyse terminals matching 00:80:64

    Another SHL....

     

    Now I would like to just use the SHL itself to say put this device in the voip or wyse vlan rather than creating a separate source with 1 SHL in it for each category.

     

    So your idea "(Radius:IETF:Called-Station-Id  BELONGS_TO_GROUP  Astra Voip Phones (no delimiter)) -> set role wired-vlan-(voip)" does not result in that authentication getting that role.

     

    -------------------

    in short:

     

    authentication source: wired mac

    uses SHL Astra Voip Phones (no delimiter)  

     

    Static host list: Astra Voip Phones (no delimiter)

    uses regex 00085d(?:[A-Fa-f0-9]{2}){2}(?:[A-Fa-f0-9]{2})  to match mac addresses

     

    I can get it working by creating a different authentication source with a unique SHL in each.  I would have liked to be able to use 1 auth source with multiple SHL in it and then verify what SHL matched the mac address to assign a role and enforce a vlan.


    Koenv,

     

    If you have a static host list with no delimiter, you need to use an attribute with no delimiter, as well:  You cannot use radius-ietf

    delim.png
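The two pitfalls the thread walks through (matching on Called-Station-Id instead of Calling-Station-Id, and matching a no-delimiter SHL regex against a delimited MAC) can be reproduced outside ClearPass. The following is an added Python model written for this thread, not ClearPass code: the attribute names, rule tuples and the `normalize` switch are hypothetical, and the SHL regex for the phones is the one the poster used.

```python
import re

# Constructed static host lists (SHLs), one regex per OUI, written against the
# no-delimiter MAC form "aabbccddeeff" exactly as in the thread.
STATIC_HOST_LISTS = {
    "Astra Voip Phones (no delimiter)": re.compile(r"00085d(?:[A-Fa-f0-9]{2}){2}(?:[A-Fa-f0-9]{2})"),
    "Wyse terminals (no delimiter)":    re.compile(r"008064(?:[A-Fa-f0-9]{2}){3}"),
}

# Hypothetical role-mapping rules: (attribute, operator, operand, role).
ROLE_RULES = [
    ("Radius:IETF:Calling-Station-Id", "BELONGS_TO_GROUP", "Astra Voip Phones (no delimiter)", "wired-vlan-(voip)"),
    ("Radius:IETF:Calling-Station-Id", "BELONGS_TO_GROUP", "Wyse terminals (no delimiter)",    "wired-vlan-(wyse)"),
    ("Radius:IETF:Calling-Station-Id", "BEGINS_WITH",      "00085d",                           "wired-vlan-(voip)"),
]

# The mistake from posts 3/9: the same rules, but keyed on the NAS-side attribute.
MISTAKEN_RULES = [("Radius:IETF:Called-Station-Id",) + r[1:] for r in ROLE_RULES]


def strip_delimiters(value):
    """Reduce any MAC spelling (aa:bb:cc, AA-BB-CC, aabb.ccdd) to 12 lowercase hex chars."""
    return re.sub(r"[^0-9a-f]", "", value.lower())


def belongs_to_group(value, shl_name, normalize=True):
    """Does `value` fall in the SHL? With normalize=False the raw attribute is matched,
    which is why a delimited MAC never matches a no-delimiter list (post 12)."""
    candidate = strip_delimiters(value) if normalize else value
    return STATIC_HOST_LISTS[shl_name].fullmatch(candidate) is not None


def evaluate_roles(request, rules=ROLE_RULES):
    """Return the set of roles the rules assign to one RADIUS request (a dict)."""
    roles = set()
    for attr, op, operand, role in rules:
        value = request.get(attr)
        if value is None:
            continue
        if op == "BELONGS_TO_GROUP" and belongs_to_group(value, operand):
            roles.add(role)
        elif op == "BEGINS_WITH" and strip_delimiters(value).startswith(operand.lower()):
            roles.add(role)
    return roles


# Constructed request: the phone's MAC arrives in Calling-Station-Id, the switch
# port's MAC in Called-Station-Id, both in the switch's delimited spelling.
PHONE_REQUEST = {
    "Radius:IETF:Calling-Station-Id": "00-08-5D-12-34-56",
    "Radius:IETF:Called-Station-Id":  "00-1A-2B-3C-4D-5E",
}
```

Running `evaluate_roles(PHONE_REQUEST)` yields the voip role, while the same request against `MISTAKEN_RULES` yields nothing, because the port MAC is what gets matched.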