I've never had much success with Static Host Lists, but if your Role Mapping is working properly for the "Corp" role, you wouldn't need to reference the "Not Belongs to Group" piece for the Mobile if your policy is first match based on the image you provided. Alternatively, if those are your only two conditions, you could set "Mobile" as the default role and remove that 2nd rule altogether.
------------------------------
Michael Haring
------------------------------
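The first-match reasoning in the reply above, as an added example that is not part of either post and is not ClearPass code: a simplified model of first-match role mapping that compares the posted rules (A), the same rules with the negation dropped (B), and "mobile" as the default role (C). The MAC addresses, the `no-role` fallback and all function names are constructed for illustration.

```python
from itertools import product

# Simplified model of first-match role mapping (an assumption, not ClearPass code).
CORP_MACS = {"aa:bb:cc:00:00:01"}   # constructed static host list
FALLBACK = "no-role"                # hypothetical default role for designs A and B

def is_example(req):                # NetBIOS-Name = "example"
    return req["netbios"] == "example"

def in_list(req):                   # BELONGS_TO_GROUP
    return req["mac"] in CORP_MACS

def not_in_list(req):               # NOT_BELONGS_TO_GROUP
    return not in_list(req)

# Each policy: (ordered rules, default role); a rule is (conditions, role).
POLICY_A = ([((is_example, in_list), "corp"),
             ((is_example, not_in_list), "mobile")], FALLBACK)   # as posted
POLICY_B = ([((is_example, in_list), "corp"),
             ((is_example,), "mobile")], FALLBACK)               # negation dropped
POLICY_C = ([((is_example, in_list), "corp")], "mobile")         # mobile as default

def first_match(policy, req):
    """Return the role of the first rule whose conditions all hold."""
    rules, default_role = policy
    for conditions, role in rules:
        if all(cond(req) for cond in conditions):
            return role
    return default_role

# Constructed requests: every combination of NetBIOS-Name and list membership.
REQUESTS = [{"netbios": n, "mac": m}
            for n, m in product(("example", "other"),
                                ("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:99"))]

def differing(p, q):
    """Requests for which two policies hand out different roles."""
    return [(r["netbios"], r["mac"]) for r in REQUESTS
            if first_match(p, r) != first_match(q, r)]

if __name__ == "__main__":
    print("A vs B:", differing(POLICY_A, POLICY_B))   # identical behaviour
    print("A vs C:", differing(POLICY_A, POLICY_C))   # differs off the NetBIOS match
```

In this model A and B never differ, while C also hands "mobile" to requests whose NetBIOS-Name is not "example", which is why the default-role option only fits when those two conditions are the only ones.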
Original Message:
Sent: Nov 22, 2023 10:31 AM
From: Miguel de Paula
Subject: ClearPass - Static Host Lists and Belongs_to_group
Hey guys, how are you?
I have a question as to whether the configuration is correct.
My scenario is the following: I have 1 SSID and a service, but I want...
1 - If the user has NetBIOS-Name = "example" and the MAC is in my static list, get the role "corp" and respectively "vlancorp" through my enforcement.
2 - If the user has NetBIOS-Name = "example" and the MAC is NOT in my static list, get the role "mobile" and respectively "vlanmobile" through my enforcement.
My question is that, to mention what is on the list, I can use "BELONGS_TO_GROUP", but to indicate that it is not on the list I only have "NOT_BELONGS_TO"; would that also work?
Below is what I configured.