Security

I've never had much success with Static Host Lists, but if your Role Mapping is working properly for the "Corp" role, you wouldn't need to reference the "Not Belongs to Group" piece for the Mobile if you're policy is first match based on the image you provided. Alternatively, if those are your only two conditions, you could set "Mobile" as the default role and remove that 2nd rule all together. 

Original Message:
Sent: Nov 22, 2023 10:31 AM
From: Miguel de Paula
Subject: ClearPass - Static Host Lists and Belongs_to_group

Hey guys, how are you?

 

 

 

I have a question as to whether the configuration is correct.

 

My scenario is the following: I have 1 SSID and a service, but I want...

1 - If the user has NetBIOS-Name = "example" and the MAC is in my static list, get the role "corp" and respectively "vlancorp" through my enforcement.

 

2 - If the user has NetBIOS-Name = "example" and the MAC is NOT in my static list, get the role "mobile" and respectively "vlanmobile" through my enforcement.

 

My question is that to mention what is on the list I can use "BELONGS_TO_GROUP", but to inform that it is not on the list, I only have "NOT_BELONGS_TO", would that also work?

 

Below is what I configured.

I agree with Michel Haring in the post above, although it is true, your rule is not badly made, it may not be the best option. If already in a rule you tell him the role that should have, in the other by default should not take so go to the next being NOT necessary to put the "NOT_BELONGS_TO", in addition to it if you do not have more rules, in the default you can leave the other and ready, as the partner comments.

Original Message:
Sent: Nov 22, 2023 10:31 AM
From: Miguel de Paula
Subject: ClearPass - Static Host Lists and Belongs_to_group

Hey guys, how are you?

 

 

 

I have a question as to whether the configuration is correct.

 

My scenario is the following: I have 1 SSID and a service, but I want...

1 - If the user has NetBIOS-Name = "example" and the MAC is in my static list, get the role "corp" and respectively "vlancorp" through my enforcement.

 

2 - If the user has NetBIOS-Name = "example" and the MAC is NOT in my static list, get the role "mobile" and respectively "vlanmobile" through my enforcement.

 

My question is that to mention what is on the list I can use "BELONGS_TO_GROUP", but to inform that it is not on the list, I only have "NOT_BELONGS_TO", would that also work?

 

Below is what I configured.