  • 1.  Clearpass static host list not used

    Posted Mar 03, 2022 10:13 AM
    Hi
    I'm a newbie on ClearPass and want to set up MAC address control for a camera on an Alcatel switch.
    I created an SHL list with the MAC address of the camera and a service with MAC-Auth, with my SHL as the source.
    On the authentication method, if I don't check "Allow Unknown End-Hosts", there's a REJECT and it seems that no service is used ...
    If I check this box, it works, but it seems that the SHL is not checked (I tried changing the MAC address in the SHL and setting the Endpoint to "Unknown client")
    and the method is used...


    What could be wrong, given that the service uses my method and the SHL as source!?

    Thanks for your comments.

    ------------------------------
    stephane henrot
    ------------------------------


  • 2.  RE: Clearpass static host list not used

    Posted Mar 03, 2022 07:53 PM
    For your AMP-MAC service, do you have MAC-auth selected for auth? Also, have you added the SHL as your authentication source?


    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------



  • 3.  RE: Clearpass static host list not used

    Posted Mar 04, 2022 03:16 AM
    Hi,
    Yes, as you can see below: the AMP_[MAC AUTH] is just a copy of [MAC AUTH]




    ------------------------------
    stephane henrot
    ------------------------------



  • 4.  RE: Clearpass static host list not used

    Posted Mar 04, 2022 05:39 PM
    OK, now you need to reference the SHL. One way is in role mapping: first create a role, say IOT,
    then create a role mapping and select "connection" as the condition; it will allow you to select one or more static host lists.

    Connection::Client-Mac-Address::BELONGS_TO_GROUP::<SHL(s)> ::IOT



    Then you can use this user role (IOT) in your enforcement policy.



    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------



  • 5.  RE: Clearpass static host list not used

    Posted Mar 07, 2022 03:20 AM
    Hi,
    Now it works, thank you for your help.
    I ran another test using the endpoint_repository with the known/unknown option and it works too.
    This way is easier, as I just have to check the known option for my camera address.

    Once more, thank you. Have a good day.

    Brdsg

    ------------------------------
    stephane henrot
    ------------------------------