Contributor II

separating MAC Databases

Guys, I have set up ClearPass for wireless networks. I have captured hundreds of MAC addresses from random devices connecting to the SSIDs, most of which I will never delegate network access to.

Now I want to apply MAC auth to the wired network. I'm guessing the best way to do this is to set up IP helper addresses on the switch to point to ClearPass; however, I don't want all those wired MAC addresses to live amongst the wireless MAC addresses. All the wired addresses will be granted access to the network, and if they are mixed in with the hundreds of non-approved MACs it would seem to be unmanageable. Can I set up a different MAC database for the wired MACs? Is there a better way for me to do this?

Guru Elite

Re: separating MAC Databases

No. It's a single database. You can however create custom attributes in the database and then write policies that check for those attributes.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
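A small model of the single-repository approach described in the reply above, added here as an example and not code from the thread or from ClearPass itself: every endpoint, wired or wireless, lives in one table keyed by a normalized MAC, and the wired policy admits only endpoints whose status is Known and that carry a custom attribute (here the assumed name `Wired-Approved`), so the hundreds of captured wireless MACs stay in the repository but never match the wired rule.

```python
import re
from dataclasses import dataclass, field

# Constructed model of an endpoint record (not ClearPass's own API).
@dataclass
class Endpoint:
    mac: str
    status: str                                      # "Known", "Unknown" or "Disabled"
    attributes: dict = field(default_factory=dict)   # custom attributes on the endpoint

def normalize_mac(mac: str) -> str:
    """Canonical form: lowercase hex, no separators. Assumed to be how the
    repository keys endpoints, so 'AA-BB-CC-00-00-01' and 'aa:bb:cc:00:00:01'
    refer to the same record instead of silently creating two."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return hexdigits

def build_repository(endpoints):
    """One repository for wired and wireless alike, keyed by normalized MAC."""
    return {normalize_mac(e.mac): e for e in endpoints}

def wired_mac_auth(repo, mac: str) -> str:
    """Decision for a MAC-auth request arriving from a wired switch. Mirrors a
    rule of the form:  Endpoint:Status EQUALS Known
                  AND  Endpoint:Wired-Approved EQUALS true
    ('Wired-Approved' is an assumed attribute name chosen for this example)."""
    ep = repo.get(normalize_mac(mac))
    if ep is None or ep.status != "Known":
        return "DENY"        # never-seen or merely captured MACs stay out
    if ep.attributes.get("Wired-Approved", "").lower() != "true":
        return "DENY"        # known device, but not tagged for the wired network
    return "ALLOW"

# Constructed sample data
SAMPLE_REPO = build_repository([
    Endpoint("aa:bb:cc:00:00:01", "Known", {"Wired-Approved": "true", "Device-Type": "printer"}),
    Endpoint("AA-BB-CC-00-00-02", "Unknown"),                      # random phone seen on an SSID
    Endpoint("aabbcc000003", "Known", {"Device-Type": "laptop"}),  # known, but wireless only
])

if __name__ == "__main__":
    for mac in ("aa:bb:cc:00:00:01", "aa-bb-cc-00-00-02", "AABBCC000003", "aabbcc000009"):
        print(mac, "->", wired_mac_auth(SAMPLE_REPO, mac))
```

Bulk-tagging the wired devices (printers, cameras) with the attribute is the manual step discussed later in the thread; the policy itself stays one rule regardless of how many unknown wireless MACs accumulate.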
Contributor II

Re: separating MAC Databases

Would that require setting a custom attribute on each MAC manually?

Guru Elite

Re: separating MAC Databases

If you want to manually approve devices, yes. Keep in mind that it’s only storing the MAC address. So a wireless adapter MAC would never present to the wired network anyway.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II

Re: separating MAC Databases

Don't really want to manually approve devices if there is a better way to do this. The wired side has printers, IP cameras, etc. Not quite sure how this will play out, but MAC auth seems like a good choice. I'm open to suggestions.

Guru Elite

Re: separating MAC Databases

Didn’t you say you wanted to authorize devices? How else would you do it without a list of devices allowed on?


* You can use the device profile (printer, computer, media player, etc.) to let devices on, but that means any device that profiles that way would be let on.
* You can use MACTrac registration.
* You could use 802.1X authentication for modern devices and use MAC authentication (via MACTrac) for "dumb" devices like printers.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II

Re: separating MAC Databases

OK, sounds good. I will look into this MACTrac thingamajig.

Thanks

Frequent Contributor I

Re: separating MAC Databases

I have a case where I group MACs using a static host list with a descriptive name so I can keep some sort of sanity.

Guru Elite

Re: separating MAC Databases

The only problem with SHLs (static host lists) is that they don't scale well and are not as extensible as the endpoints repository.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480