Hi
Yes, it's possible
Follow the steps below:
- Create the two new roles, security and utility, under Configuration\Identity\Roles
- Update the role mapping policy [Guest Roles]. This role mapping policy has a special use, as the roles added here are the roles populating the account role drop-down.
Create rules like the one in the screenshot:
The number can be any number and this number will be written as the Role ID value in the Guest Device Repository for the device when added.
- Create a role mapping policy for the MAC authentication service, or edit if you already have one
The first rule has an additional condition to validate that the account is marked as active and does not have an expired date. This is optional but good to evaluate. This way it's possible to allow devices for a specific time.
- In the enforcement policy of the MAC authentication service utilize the roles assigned in the role mapping policy to assign the correct enforcement profiles.
If only the ClearPass administrator should be able to add the devices and assign the roles, you can stop here. If the permissions should be delegated to other persons continue with the rest of the tasks.
Switch to the Guest part of ClearPass
- Navigate to Administration\Operator Logins\Profiles
- Create a new profile and give it a name; in this example I have named it Security Admins. When saved, this name will also be created as a role in the Policy Manager part of ClearPass. This will be utilized for the login of the operator.
Scroll down a bit in the role and select the roles this profile should be able to handle. In the picture below I have only selected security, if you need to handle the two device types within separate teams.
The drop-down will control if the profile can see all devices of the specific type or just the ones created by this specific user or this profile. Several profiles with the same permission but with the operator filter set to "Only show accounts created with this profile" can be a use case for delegation to local staff in different locations etc.
Copy the profile name before saving.
It's also in the profile you have the option to assign customized forms for device registrations etc. This is a more advanced option but it's possible to customize the device registration form and hide some of the fields, or add new fields as needed.
Go back to the Policy Manager part of ClearPass.
Navigate to Configuration\Enforcement\Profiles
Copy the profile [Operator Login - Admin Users]
Rename the profile to a meaningful name, i.e. Operator Login Security Admins
Change the attribute value to the name of the operator profile. The name is case sensitive, hence the advice to copy it and just paste it here.
Last steps are related to the login of the operator on the /guest pages.
- Copy the Service [Guest Operator Logins]
- Rename the new service to a meaningful name
- Create a new enforcement policy or copy the default policy
- Edit the enforcement policy and add rules as needed for the admin profiles created. If the role should be assigned by an AD group also add a role mapping policy for the role assignment.
As mentioned in another answer, it's possible to also utilize Static Host Lists. The usage of Static Host Lists is generally not recommended as they are only left in ClearPass for backward compatibility. You can't assign permissions to the different lists nor to specific MAC addresses. The management doesn't scale well and the MAC addresses are not sorted in the lists.
------------------------------
Best Regards
Jonas Hammarbäck
MVP 2023, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACDP, ACEP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
------------------------------
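As an added illustration of the decision logic described in the answer above (a role ID stored with the device in the Guest Device Repository, a role mapping rule that also checks that the account is active and not expired, and an enforcement policy that turns the mapped role into a profile), here is a small Python model. It is not ClearPass code and is not from the thread; the repository rows, the role ID numbers, the role names and the enforcement profile names are constructed assumptions.

```python
"""Model of the MAC-authentication decision flow from the thread.

Constructed example (not ClearPass code): repository rows, role IDs,
role names and enforcement profile names are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional
import re

# Role IDs that the [Guest Roles] role mapping policy writes into the
# Guest Device Repository. The numbers are arbitrary (assumed here).
ROLE_ID_TO_NAME: Dict[int, str] = {2: "security", 3: "utility"}

# Enforcement policy of the MAC authentication service:
# mapped role name -> enforcement profile (profile names assumed).
ENFORCEMENT_PROFILES: Dict[str, str] = {
    "security": "Security VLAN Profile",
    "utility": "Utility VLAN Profile",
}
DENY_PROFILE = "[Deny Access Profile]"


@dataclass
class DeviceEntry:
    """One row of the (assumed) Guest Device Repository."""
    mac: str
    role_id: int
    enabled: bool                      # account marked as active
    expire_time: Optional[datetime]    # None means the entry never expires


def normalize_mac(mac: str) -> str:
    """Canonical lowercase, separator-free form so that
    '00:11:22:AA:BB:CC', '00-11-22-aa-bb-cc' and '0011.22aa.bbcc'
    all resolve to the same repository entry."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def map_role(entry: Optional[DeviceEntry], now: datetime) -> Optional[str]:
    """Role mapping rule: known role ID AND active AND not expired.
    Returns the role name, or None when no rule matches."""
    if entry is None:
        return None                                  # unknown device
    if not entry.enabled:
        return None                                  # account disabled
    if entry.expire_time is not None and entry.expire_time <= now:
        return None                                  # time-limited access ran out
    return ROLE_ID_TO_NAME.get(entry.role_id)        # None for unknown role IDs


def enforce(mac: str, repository: Dict[str, DeviceEntry], now: datetime) -> str:
    """Full MAC-auth decision: lookup -> role mapping -> enforcement profile."""
    entry = repository.get(normalize_mac(mac))
    role = map_role(entry, now)
    if role is None:
        return DENY_PROFILE
    return ENFORCEMENT_PROFILES.get(role, DENY_PROFILE)


# Constructed repository contents (sample data, not real devices).
REPOSITORY: Dict[str, DeviceEntry] = {
    normalize_mac(e.mac): e for e in [
        DeviceEntry("00:11:22:AA:BB:01", 2, True, None),                                   # camera, permanent
        DeviceEntry("00:11:22:AA:BB:02", 3, True, datetime(2023, 12, 31, tzinfo=timezone.utc)),  # card reader, time-limited
        DeviceEntry("00:11:22:AA:BB:03", 2, False, None),                                  # camera, disabled
        DeviceEntry("00:11:22:AA:BB:04", 3, True, datetime(2023, 1, 1, tzinfo=timezone.utc)),    # card reader, expired
        DeviceEntry("00:11:22:AA:BB:05", 9, True, None),                                   # role ID with no mapping
    ]
}

if __name__ == "__main__":
    now = datetime(2023, 6, 1, tzinfo=timezone.utc)
    for mac in ["00:11:22:AA:BB:01", "00-11-22-aa-bb-02", "0011.22aa.bb03",
                "00:11:22:AA:BB:04", "00:11:22:AA:BB:05", "00:11:22:AA:BB:FF"]:
        print(f"{mac:20} -> {enforce(mac, REPOSITORY, now)}")
```

The expiry check is what makes the "allow devices for a specific time" use case from the answer work: a contractor's device entry can be given an expiry and it falls through to the deny profile once that time has passed, without anyone having to remember to delete the row.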
Original Message:
Sent: May 31, 2023 05:20 AM
From: JeffreyMik
Subject: Adding an extra local SQL database to store MAC addresses
Thanks for your response Jonas,
I am looking in the guest section of ClearPass right now and I am seeing this page.
We actually have two groups of devices that need to be checked: 'security' and 'utility'. Is it possible to add those two role names to the list at 'account-role' that can be seen in the screenshot above? And is it then possible to check for this specific role in the role mapping / enforcement in the service to send back the correct profile?
Kind regards,
Jeffrey
Original Message:
Sent: May 31, 2023 05:00 AM
From: jonas.hammarback
Subject: Adding an extra local SQL database to store MAC addresses
Hi Jeffrey
No, you can't create a new custom database in ClearPass; in that case you must host the database on an external database server and configure this server as a source for ClearPass to look in to validate the MAC address. But this is maybe a bit of overworking the solution.
Instead you can utilize the already present device database, Guest Device Repository.
With this database you can assign a device a specific role and only grant the devices in the database access according to the assigned roles.
Even though the database is named Guest Device Repository and the administration is done under the /guest part of ClearPass it's not limited to only guest devices.
Also, if you configure Guest Operator Profiles you can delegate permissions to handle different types of devices based on AD groups or other authorization information.
One group can be assigned permissions to add and delete security cameras, another group to handle card readers for the doors, etc.
If you have a need to delegate administration to local or regional staff this solution is good, as they can only handle the devices within their responsibility.
------------------------------
Best Regards
Jonas Hammarbäck
MVP 2023, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACDP, ACEP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
Original Message:
Sent: May 31, 2023 04:44 AM
From: JeffreyMik
Subject: Adding an extra local SQL database to store MAC addresses
Hello,
I have a question about authenticating some devices. We have some devices on the network which fall under the category 'security'. It is hard to profile them and then send back the correct role to get these devices in the correct VLAN. So what we want to do is create a new local SQL database in ClearPass where we can store the MAC addresses of these devices. Is this possible? And is it possible to use this database as an authentication source in the service to check, for a device that is trying to connect to the network, whether its MAC address is listed in this database?
Kind regards,
Jeffrey