MVP

clearpass mac auth - matching static host list?

Trying to configure 802.1x authentication with mac-auth for non-supplicant.

I've created different static-host-lists for different device types (SHL phones, another SHL for infrastructure devices, another SHL .. etc).

 

Now I want to return different enforcement policies depending on which static host list the MAC belongs to.

My problem here is that I seem to be able to differentiate only on the authentication source, not on the static host lists used within those sources.

 

Has anybody got an idea how to handle this? Am I forced to create tons of different authentication sources to do this or is there a way to use the SHL directly?

Koen (ACMX #351 | ACDX #547 | ACCP)

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
Guru Elite

Re: clearpass mac auth - matching static host list?

koenv,

 

Try this:

[image: belongs.png]

 

And then write an enforcement policy that if you see role outcome1, return enforcement profile 1.  If you see role outcome2, return enforcement profile 2....  You can also combine roles with other things you might be checking in the same enforcement policy.

 

Does that work?



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

MVP

Re: clearpass mac auth - matching static host list?

Unfortunately it doesn't..

tried first with the regex SHL I used, then again with an actual mac list SHL but both do not get the role I tried assigning using your method.

 

EDIT: the devil is in the details.. called-station-id is NOT the same as calling-station-id!

Koen (ACMX #351 | ACDX #547 | ACCP)

Guru Elite

Re: clearpass mac auth - matching static host list?

Let me make sure I am understanding you.  The radius-ietf calling-station-id along with belongs to group does not tag with the specified role?  I'm just talking about that basic use case.  I know you mentioned regex and I'm not sure where that comes in...



Colin Joseph
Aruba Customer Engineering


MVP

Re: clearpass mac auth - matching static host list?

Trying to do wired mac auth.

Using a source "wired mac auth" with a static host list (SHL) in that source.

One of the SHLs is a regex that matches any MAC with OUI 00:08:5d (the MAC OUI for the phones)

Another SHL will be a regex for Wyse terminals matching 00:80:64

Another SHL....

 

Now I would like to just use the SHL itself to say put this device in the voip or wyse VLAN rather than creating a separate source with 1 SHL in it for each category.

 

So your idea "(Radius:IETF:Called-Station-Id  BELONGS_TO_GROUP  Astra Voip Phones (no delimiter)) -> set role wired-vlan-(voip)" does not result in that authentication getting that role.

 

-------------------

in short:

 

authentication source: wired mac

uses SHL Astra Voip Phones (no delimiter)  

 

Static host list: Astra Voip Phones (no delimiter)

uses regex 00085d(?:[A-Fa-f0-9]{2}){2}(?:[A-Fa-f0-9]{2})  to match mac addresses

 

I can get it working by creating a different authentication source with a unique SHL in each. I would have liked to be able to use 1 auth source with multiple SHLs in it and then verify which SHL matched the MAC address to assign a role and enforce a VLAN.

Koen (ACMX #351 | ACDX #547 | ACCP)

Guru Elite

Re: clearpass mac auth - matching static host list?

Koenv,

 

Please post your configuration so we can understand it fully.  Please also post the access tracker entry with computed attributes.

 

 



Colin Joseph
Aruba Customer Engineering


Guru Elite

Re: clearpass mac auth - matching static host list?

Koenv,

 

If you have a static host list with no delimiter, you need to use an attribute with no delimiter, as well: you cannot use radius-ietf

[image: delim.png]



Colin Joseph
Aruba Customer Engineering

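To make the two failure modes in this thread concrete (matching on Called-Station-Id instead of Calling-Station-Id, and matching a delimited attribute value against a no-delimiter SHL regex), here is an added Python example. It is not code from the original posts or from ClearPass. It models BELONGS_TO_GROUP as a full regex match of the attribute value against the SHL regex, which is an assumption about ClearPass behaviour used only for illustration; the sample request values, the Wyse regex, and the role names other than wired-vlan-(voip) are constructed for this example.

```python
import re
from typing import Optional

# Constructed sample RADIUS request (values are made up for illustration).
# Calling-Station-Id is the client's MAC; Called-Station-Id is the NAS/switch side.
SAMPLE_REQUEST = {
    "Radius:IETF:Calling-Station-Id": "00-08-5D-12-34-56",
    "Radius:IETF:Called-Station-Id": "D8-C7-C8-AA-BB-CC",
}

# Regex-style static host lists in "no delimiter" form. The first regex is the one
# posted in the thread; the Wyse one is constructed the same way for OUI 00:80:64.
STATIC_HOST_LISTS = {
    "Astra Voip Phones (no delimiter)": re.compile(
        r"00085d(?:[A-Fa-f0-9]{2}){2}(?:[A-Fa-f0-9]{2})", re.IGNORECASE),
    "Wyse terminals (no delimiter)": re.compile(
        r"008064(?:[A-Fa-f0-9]{2}){3}", re.IGNORECASE),
}

# Role mapping outcome per SHL (role names other than the voip one are assumed).
ROLE_FOR_SHL = {
    "Astra Voip Phones (no delimiter)": "wired-vlan-(voip)",
    "Wyse terminals (no delimiter)": "wired-vlan-(wyse)",
}

# Colin's alternative: match on the OUI prefix of Calling-Station-Id directly.
OUI_ROLES = {"00085d": "wired-vlan-(voip)", "008064": "wired-vlan-(wyse)"}

_HEX12 = re.compile(r"[0-9a-f]{12}")


def normalize_mac(value: str) -> Optional[str]:
    """Strip the usual delimiters (-, :, .) and return 12 lower-case hex chars, or None."""
    stripped = re.sub(r"[-:.]", "", value.strip()).lower()
    return stripped if _HEX12.fullmatch(stripped) else None


def belongs_to_group(attr_value: str, shl: re.Pattern, strip_delimiters: bool) -> bool:
    """Model of BELONGS_TO_GROUP against a regex SHL (assumption: full match on the value).

    With strip_delimiters=False the raw attribute value is matched, which is why a
    delimited Calling-Station-Id never matches a no-delimiter SHL.
    """
    if strip_delimiters:
        candidate = normalize_mac(attr_value)
    else:
        candidate = attr_value.strip().lower()
    return candidate is not None and shl.fullmatch(candidate) is not None


def role_for(request: dict, attribute: str, strip_delimiters: bool) -> Optional[str]:
    """Return the role of the first SHL that the chosen attribute belongs to, else None."""
    value = request.get(attribute)
    if value is None:
        return None
    for shl_name, shl in STATIC_HOST_LISTS.items():
        if belongs_to_group(value, shl, strip_delimiters):
            return ROLE_FOR_SHL[shl_name]
    return None


def role_by_oui_prefix(request: dict) -> Optional[str]:
    """Role mapping as 'Calling-Station-Id BEGINS_WITH <oui>' on the normalized MAC."""
    mac = normalize_mac(request.get("Radius:IETF:Calling-Station-Id", ""))
    if mac is None:
        return None
    for oui, role in OUI_ROLES.items():
        if mac.startswith(oui):
            return role
    return None


if __name__ == "__main__":
    calling = "Radius:IETF:Calling-Station-Id"
    called = "Radius:IETF:Called-Station-Id"
    print("Called-Station-Id, raw value:   ", role_for(SAMPLE_REQUEST, called, False))
    print("Calling-Station-Id, raw value:  ", role_for(SAMPLE_REQUEST, calling, False))
    print("Calling-Station-Id, no delim:   ", role_for(SAMPLE_REQUEST, calling, True))
    print("Calling-Station-Id, OUI prefix: ", role_by_oui_prefix(SAMPLE_REQUEST))
```

The first two lookups return no role: the first because the NAS MAC is being tested instead of the client MAC, the second because the delimited value cannot satisfy a regex written for the undelimited form. Only the undelimited comparison and the OUI-prefix approach tag the phone.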

MVP

Re: clearpass mac auth - matching static host list?

[image: unique auth source - single SHL.png]

[image: SHL used.png]

[image: role mapping.png]

[image: access tracker.png]

 

 

Koen (ACMX #351 | ACDX #547 | ACCP)

Guru Elite

Re: clearpass mac auth - matching static host list?

Koenv,

 

You are using a Regex, but why wouldn't you use radius-ietf calling station ID begins with 00085d, instead?



Colin Joseph
Aruba Customer Engineering


MVP

Re: clearpass mac auth - matching static host list?

euhmm.. too logical?

 

Grmbl.. I was using called-station-id.. your first solution might very well have worked too. 

Koen (ACMX #351 | ACDX #547 | ACCP)
