Got it that you use 802.1X and not MAC; the point is that linking authorization to a client MAC address does not work reliably anymore, not for 802.1X where you use SHL or the Endpoint Database for authorization either. The suggested method allows the use of the Endpoint Database to store attributes, but uses certificate information instead of the client MAC address.
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Jul 18, 2024 01:34 AM
From: HB
Subject: aruba quick connect static mac configuration
Hi Herman, the auth method is 802.1X, not mac.
But you have got what I need... I will try this way.
Thank you.
------------------------------
carabina5
Original Message:
Sent: Jul 16, 2024 04:17 AM
From: Herman Robers
Subject: aruba quick connect static mac configuration
I'm not aware of a method to disable randomized MAC addresses with QuickConnect, and I'm not a big fan of authorizing based on the client MAC address.
One option that I once setup is that you can store the certificate serial number in the endpoint database, then query the endpoint database based on the certificate serial number and in my case fetch the role and vlan from the endpoint.
And this is how I query the endpoint database (using appexternal) by certificate serial number:
And this is the enforcement to store the certificate (do something like if Authorization:EndpointDB-vlan-role-by-certificate:role DOES NOT EXIST => Store-certificate-DN):
Hope this provides some idea to solve this...
Another option may be to have two different Onboarding CAs, and two onboarding flows, where you then can check on the certificate issuer to return different role/vlan to the two different groups of devices.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
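As an added illustration of the pattern Herman describes above (and restates in his later reply), not code from the thread or from ClearPass: a small Python model of an endpoint store keyed on the client MAC versus one keyed on the certificate serial number, plus the "role DOES NOT EXIST => store certificate DN" enforcement step. The attribute names, the sample MACs and serials are constructed assumptions; the U/L-bit check is the standard way to recognise a locally administered (randomized) MAC.

```python
# Added example: models authorization keyed on the certificate serial number
# instead of the client MAC. The dicts stand in for the endpoint repository;
# attribute names, MACs and serials are constructed for illustration.

def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (0x02) of the first octet is set. Burned-in
    addresses have it clear; randomized MACs set it, so a device that rotates
    its MAC will never match a static host list built from burned-in MACs."""
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)

# Constructed sample data: one tablet, burned-in MAC 3c:..., cert serial 4F921C7E
MAC_DB = {"3c:52:82:aa:bb:cc": {"role": "tablet-group-a", "vlan": 110}}
SERIAL_DB = {"4f921c7e": {"role": "tablet-group-b", "vlan": 120,
                          "cert_dn": "CN=tablet-b,OU=Onboard"}}

def authorize_by_mac(mac_db: dict, mac: str):
    """SHL-style lookup: returns None as soon as the device presents a
    randomized MAC that was never enrolled."""
    return mac_db.get(mac.lower())

def authorize_by_cert_serial(serial_db: dict, cert_serial: str, cert_dn: str) -> dict:
    """Lookup keyed on the certificate serial from the EAP-TLS exchange.
    If no role is stored yet, emulate the enforcement
    'EndpointDB role DOES NOT EXIST => Store-certificate-DN' so an admin can
    later assign role/vlan to that certificate (not to a MAC)."""
    key = cert_serial.lower()
    entry = serial_db.get(key)
    if entry is None or "role" not in entry:
        serial_db[key] = {"cert_dn": cert_dn, "pending": True}
        return {"role": "pending-assignment", "vlan": None, "stored_dn": True}
    return {"role": entry["role"], "vlan": entry["vlan"], "stored_dn": False}

def reconnect_scenario() -> dict:
    """Same tablet connects with its burned-in MAC, then with a randomized one.
    The MAC-keyed lookup breaks on the second connect; the serial-keyed one
    keeps returning the stored role/vlan."""
    db = dict(SERIAL_DB)
    return {
        "mac_first": authorize_by_mac(MAC_DB, "3c:52:82:aa:bb:cc"),
        "mac_random": authorize_by_mac(MAC_DB, "da:a1:19:01:02:03"),
        "random_is_local": is_locally_administered("da:a1:19:01:02:03"),
        "serial_random": authorize_by_cert_serial(db, "4F921C7E", "CN=tablet-b,OU=Onboard"),
    }
```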
Original Message:
Sent: Jul 15, 2024 12:02 PM
From: HB
Subject: aruba quick connect static mac configuration
You are misunderstanding,
the feature used is Onboarding, auth with certificate.
The use of SHL is only to differentiate two categories of tablet (unfortunately same model and same user, different behaviour).
The tablets join a blocked VLAN, with only one service enabled.
The point isn't the security, I don't want to discuss with the customer, he doesn't have an MDM and doesn't want to buy one.
He just wants to use Onboarding to process tablet auth, and this is done.
The problem is to assign 2 different VLANs, I'm using SHL to enforce the VLAN, not for auth, I know I can use other features, but this is the rapid way for me to configure it.
So, the problem is to set static mac in the ssid managed by "quick access". I can change settings in all other SSID, but not this one.
Thanks
------------------------------
carabina5
Original Message:
Sent: Jul 15, 2024 11:32 AM
From: ahollifield
Subject: aruba quick connect static mac configuration
Static host lists are a legacy feature and should no longer be used. If there is no MDM, how is the customer ensuring these tablets are up to date, not rooted, secure, etc.? What is the use-case for allowing these unmanaged tablets onto the protected corporate network?
Original Message:
Sent: Jul 15, 2024 11:23 AM
From: HB
Subject: aruba quick connect static mac configuration
Hi,
Static host list (list of mac addresses in Clearpass).
The customer doesn't have an MDM, there are about 20 tablets...
Thanks
------------------------------
carabina5
Original Message:
Sent: Jul 15, 2024 10:58 AM
From: ahollifield
Subject: aruba quick connect static mac configuration
What is SHL? What is the use-case for OnBoard? Is there an MDM? Can you integrate ClearPass with that instead?
Original Message:
Sent: Jul 15, 2024 10:44 AM
From: HB
Subject: aruba quick connect static mac configuration
Hi,
I configured a new Onboarding service. All is working fine, except for a detail about the MAC of the devices.
I need to pass different VLANs to Android devices; they are the same category and also the user is the same, so I'm trying to use SHL to discriminate the device and the VLAN.
It is working, but the devices are configured to use dynamic MAC addresses.
I tried to configure static, but it seems that it is not possible on an SSID managed by Quick Connect.
Does anyone know how to set a static MAC address with Quick Connect?
Thanks
------------------------------
carabina5
------------------------------