I have a question about authenticating some devices. We have some devices on the network which fall under the category 'security'. It is hard to profile them and then send back the correct role to get these devices in the correct VLAN. So what we want to do is create a new local SQL database in ClearPass where we can store the MAC addresses of these devices. Is this possible? And is it possible to use this database as an authentication source in the service, to check whether the MAC address of a device trying to connect to the network is listed in this database?
Hi Jeffrey,
No, you can't create a new custom database in ClearPass; in that case you must host the database on an external database server and configure this server as a source for ClearPass to look in to validate the MAC address. But this is maybe a bit of overworking the solution.
Instead you can utilize the already present device database, the Guest Device Repository. With this database you can assign a device a specific role and only grant the devices in the database access according to the assigned roles. Even though the database is named Guest Device Repository and the administration is done under the /guest part of ClearPass, it's not limited to only guest devices.
Also, if you configure Guest Operator Profiles you can delegate permissions to handle different types of devices based on AD groups or other authorization information. One group can be assigned permissions to add and delete security cameras, another group to handle card readers for the doors, etc. If you have a need to delegate administration to local or regional staff this solution is good, as they can only handle the devices within their responsibility.
Thanks for your response Jonas,
I am looking in the guest section of ClearPass right now and I am seeing this page. We actually have two groups of devices that need to be checked: 'security' and 'utility'. Is it possible to add those two role names to the list at 'account role' that can be seen in the screenshot above? And is it then possible to check for this specific role in the role mapping / enforcement in the service to send back the correct profile?
Hi All,
Alternatively, why don't we use a Static Host List and list all the MACs there? The SHL is also a 'database' that resides locally; to use it, just configure it as one of the Authentication Sources and configure the policy based on that. You can create multiple SHLs so that you can group them inside different Authc Source profiles.
Hope my explanation is clear. :)
Thanks for your response Matchabear,
This is a better solution for my question. But how do I add a Static Host List as an authentication source to my service?
Hi Jeffrey and Jonas,
Please see the attached to configure a Static Host List to be a member of an Authc Source profile.
Using ClearPass Guest is also feasible I would say and can give more flexibility to the MAC address itself because we can add custom attribute to the MAC address as well. Meaning to say, if we put Authorization Source as Guest Device Repo, we then can call the custom attributes and use it as a condition to create a more flexible rule.
You can refer to the document I attach here to use the custom attribute in the Guest Device Repo. See pages 8-9. In there is Authorization:Endpoint Repo:fingerprint blabla; this you can change to Authorization:Guest Device Repo:[custom_attribute], assign the condition to a Role and then use it for Enforcement Policy rule creation.
Whenever I have questions such as this, the SE on our Aruba account team is an invaluable resource.
Hi
Yes, it's possible. Follow the steps below:
- Create the two new roles, security and utility, under Configuration\Identity\Roles
- Update the role mapping policy [Guest Roles]. This role mapping policy has a special use, as the roles added here are the roles populating the account role drop down.
Create rules like the one in the screenshot: the number can be any number, and this number will be written as the Role ID value in the Guest Device Repository for the device when added.
- Create a role mapping policy for the MAC authentication service, or edit it if you already have one.
The first rule has an additional condition to validate that the account is marked as active and does not have an expired date. This is optional but good to evaluate. This way it's possible to allow devices for a specific time.
- In the enforcement policy of the MAC authentication service, utilize the roles assigned in the role mapping policy to assign the correct enforcement profiles.
If only the ClearPass administrator should be able to add the devices and assign the roles, you can stop here. If the permissions should be delegated to other persons, continue with the rest of the tasks.
Switch to the Guest part of ClearPass
- Navigate to Administration\Operator Logins\Profiles
- Create a new profile and give it a name. In this example I have named it Security Admins; when saved, this name will also be created as a role in the Policy Manager part of ClearPass. This will be utilized for the login of the operator.
Scroll down a bit in the role and select the roles this profile should be able to handle. In the picture below I have only selected security, in case you need to handle the two device types within separate teams.
The dropdown will control whether the profile can see all devices of the specific type or just the ones created by this specific user or this profile. Several profiles with the same permission but with the operator filter set to "Only show accounts created with this profile" can be a use case for delegation to local staff in different locations etc.
Copy the profile name before saving.
It's also in the profile that you have the option to assign customized forms for device registration etc. This is a more advanced option, but it's possible to customize the device registration form and hide some of the fields, or add new fields as needed.
Go back to the Policy Manager part of ClearPass.
- Navigate to Configuration\Enforcement\Profiles
- Copy the profile [Operator Login - Admin Users]
- Rename the profile to a meaningful name, i.e. Operator Login Security Admins
- Change the attribute value to the name of the operator profile. The name is case sensitive, hence the advice to copy and just paste it here.
The last steps are related to the login of the operator on the /guest pages.
- Copy the Service [Guest Operator Logins]
- Rename the new service to a meaningful name
- Create a new enforcement policy or copy the default policy
- Edit the enforcement policy and add rules as needed for the admin profiles created. If the role should be assigned by an AD group, also add a role mapping policy for the role assignment.
As mentioned in another answer, it's possible to also utilize Static Host Lists. The usage of Static Host Lists is generally not recommended as they are only left in ClearPass for backward compatibility. You can't assign permissions to the different lists nor to specific MAC addresses. The management doesn't scale well and the MAC addresses are not sorted in the lists.
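The answer above describes a decision chain that ClearPass evaluates internally: look the MAC up in the device repository, require the entry to be active and unexpired, map its Role ID to a role, then pick an enforcement profile for that role. The following Python model of that chain is an added example for illustration; it is not code from the thread, from ClearPass or from Aruba. The repository contents, the Role ID numbers, the role names and the profile names ("Security VLAN", "Utility VLAN", "Deny Access") are all constructed for the example. The one thing it shows that the steps do not spell out is MAC normalisation: a lookup silently fails if the stored form (say, lower-case with colons) differs from the form the switch sends in the RADIUS request (upper-case, hyphens, or Cisco dotted), so normalise both sides before comparing.

```python
"""Model of the MAC-authentication decision chain from the thread (added example)."""
from datetime import datetime, timezone
import re

# Constructed sample device repository (not ClearPass data), keyed by normalised MAC.
# role_id mirrors the numeric Role ID that the [Guest Roles] rules write into the
# Guest Device Repository; "enabled" and "expire_time" are the active/expiry checks
# the role mapping policy's first rule evaluates.
DEVICE_REPOSITORY = {
    "00:11:22:33:44:55": {"role_id": 100, "enabled": True,  "expire_time": None},
    "00:11:22:33:44:66": {"role_id": 200, "enabled": True,  "expire_time": "2023-01-01T00:00:00+00:00"},
    "00:11:22:33:44:77": {"role_id": 100, "enabled": False, "expire_time": None},
}

# Hypothetical Role ID -> role name mapping and role -> enforcement profile mapping.
ROLE_IDS = {100: "security", 200: "utility"}
ENFORCEMENT_PROFILES = {"security": "Security VLAN", "utility": "Utility VLAN"}
DEFAULT_PROFILE = "Deny Access"   # what an unknown, disabled or expired device gets


def normalize_mac(raw):
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff or aabbccddeeff
    and return the canonical lower-case colon form used as the repository key."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def map_role(mac, now=None, repo=DEVICE_REPOSITORY):
    """Role-mapping step: return the role name for an active, unexpired entry,
    or None if the device should fall through to the default (deny) rule."""
    now = now or datetime.now(timezone.utc)
    entry = repo.get(normalize_mac(mac))
    if entry is None or not entry["enabled"]:
        return None
    expires = entry["expire_time"]
    if expires is not None and datetime.fromisoformat(expires) <= now:
        return None
    return ROLE_IDS.get(entry["role_id"])


def enforce(mac, now=None):
    """Enforcement step: the profile for the mapped role, or deny. A malformed
    MAC in the request is treated the same as an unknown one."""
    try:
        role = map_role(mac, now)
    except ValueError:
        return DEFAULT_PROFILE
    return ENFORCEMENT_PROFILES.get(role, DEFAULT_PROFILE)


if __name__ == "__main__":
    for requested in ("00-11-22-33-44-55", "0011.2233.4466", "001122334477", "00:11:22:33:44:88"):
        print(f"{requested:>20} -> {enforce(requested)}")
```

Run it with no arguments to see each constructed device go through the chain: the security camera lands in its VLAN, the expired and disabled entries and the unknown device all fall to the deny profile. Because MAC authentication identifies a device only by a value the device itself asserts, treat the resulting VLAN as a containment boundary for the device class rather than as proof of identity, and keep the active/expiry condition on so that retired devices drop out automatically.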