The key is to add an attribute to the endpoint DB and then, either manually or using a workflow, assign a value to the new attribute.
And finally, during the authorisation, check for the existence of that attribute and allow/deny access.
------------------------------
If my post was useful accept solution and/or give kudos.
Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
------------------------------
Original Message:
Sent: Jun 12, 2024 08:47 PM
From: ninjacloud
Subject: ClearPass Mac Auth for Wireless SSID on Aruba IAPs
If using the Guest Device Database or Endpoint Database as the MAC authentication source, then how would you specify that only certain devices can join the Wireless SSID?
Original Message:
Sent: Jun 12, 2024 10:45 AM
From: DB86
Subject: ClearPass Mac Auth for Wireless SSID on Aruba IAPs
You can use a number of sources for MAC Authentication. You could register the devices via the web portal in Guest known as "Device Registration", and then use the Guest Device Database as your Authentication/Authorization source. The endpoint database can also be used if you want to grab fingerprinted data like OS type or vendor if the device gets profiled. You can also use a static host list to authenticate against.
------------------------------
Dustin Burns
Lead Mobility Engineer @Worldcom Exchange, Inc.
ACCX 1271| ACMX 509| ACSP | ACDA | MVP Guru 2022-2023
If my post was useful accept solution and/or give kudos
Original Message:
Sent: Jun 12, 2024 03:10 AM
From: ninjacloud
Subject: ClearPass Mac Auth for Wireless SSID on Aruba IAPs
A new customer has ClearPass and Aruba IAPs managed by Aruba Central.
They have a requirement for a new Wireless SSID that only permits certain devices to join if their MAC address is on a whitelist of sorts.
I have created a new Wireless SSID in Aruba Central with the following:
+ Mac Authentication enabled
+ Called Station ID Type: MAC Address
+ Pointed to the ClearPass servers
How would I go about setting up a Mac Authentication service in ClearPass? I checked the Endpoints Repository and the required devices are already registered there. I'm assuming this can be used as the authentication source, then an additional condition/rule/policy that specifies the MAC addresses allowed?
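
The approach from the first reply in this thread (add an attribute to the endpoint database, set it on the permitted devices, check it during authorisation), modelled as an added example; it is not part of the thread and is not ClearPass configuration. The attribute name `Allowed-SSID`, the convention that its value holds the SSID name, and the sample MACs and SSID are constructed assumptions.

```python
import re

# Hypothetical attribute name; the thread does not name one.
ALLOW_ATTR = "Allowed-SSID"

# Constructed stand-in for the endpoint database, keyed by normalised MAC.
ENDPOINTS = {
    "001a1e000001": {"attributes": {ALLOW_ATTR: "IOT-SECURE"}},   # tagged for this SSID
    "001a1e000002": {"attributes": {}},                           # registered, never tagged
    "001a1e000003": {"attributes": {ALLOW_ATTR: "OTHER-SSID"}},   # tagged for another SSID
}


def normalise_mac(raw):
    """Reduce common MAC notations (colon, dash, dotted) to 12 lowercase hex digits."""
    digits = re.sub(r"[-:.\s]", "", raw).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def authorise(calling_station_id, ssid, endpoints=ENDPOINTS):
    """Return (decision, reason). Being registered is not enough: the device
    must carry the attribute, so untagged endpoints fall through to deny."""
    mac = normalise_mac(calling_station_id)
    if mac is None:
        return ("deny", "malformed MAC")
    endpoint = endpoints.get(mac)
    if endpoint is None:
        return ("deny", "endpoint not in database")
    value = endpoint.get("attributes", {}).get(ALLOW_ATTR)
    if value is None:
        return ("deny", "attribute not set")
    if value != ssid:
        return ("deny", "attribute set for a different SSID")
    return ("allow", "attribute matches")


if __name__ == "__main__":
    # Constructed requests in the notations an access point might send.
    for mac in ("00:1A:1E:00:00:01", "00-1a-1e-00-00-02",
                "001a.1e00.0003", "00:1a:1e:00:00:99", "not-a-mac"):
        print(mac, authorise(mac, "IOT-SECURE"))
```
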