Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass - Static Host Lists and Belongs_to_group

  • 1.  ClearPass - Static Host Lists and Belongs_to_group

    Posted Nov 22, 2023 10:31 AM
    Hey guys, how are you?

    I have a question as to whether the configuration is correct.

    My scenario is the following: I have 1 SSID and a service, but I want...
    1 - If the user has NetBIOS-Name = "example" and the MAC is in my static list, get the role "corp" and respectively "vlancorp" through my enforcement.

    2 - If the user has NetBIOS-Name = "example" and the MAC is NOT in my static list, get the role "mobile" and respectively "vlanmobile" through my enforcement.

    My question is: to match what is on the list I can use "BELONGS_TO_GROUP", but to indicate that it is not on the list, I only have "NOT_BELONGS_TO". Would that also work?

    Below is what I configured.



  • 2.  RE: ClearPass - Static Host Lists and Belongs_to_group
    Best Answer

    MVP
    Posted Nov 27, 2023 11:39 AM

    I've never had much success with Static Host Lists, but if your Role Mapping is working properly for the "Corp" role, you wouldn't need to reference the "Not Belongs to Group" piece for the Mobile if your policy is first match, based on the image you provided. Alternatively, if those are your only two conditions, you could set "Mobile" as the default role and remove that 2nd rule altogether.



    ------------------------------
    Michael Haring
    ------------------------------



  • 3.  RE: ClearPass - Static Host Lists and Belongs_to_group

    Posted Nov 27, 2023 12:21 PM

    I agree with Michael Haring in the post above. Although it is true that your rule is not badly made, it may not be the best option. If one rule already tells it the role it should have, the other case should not take it and so goes to the next, so it is NOT necessary to put the "NOT_BELONGS_TO". In addition, if you do not have more rules, you can leave the other role as the default and you are done, as the colleague comments.