I have been using Guest Device Repo quite extensively, and now have 10K "whitelisted" devices. We have customised the SQL query, thanks to the TAC case we opened, so that I can use all the custom columns/fields as Authz attributes. I am open for discussion and you can reach me in my DM haha...🤣
1) You cannot have a MAC address registered multiple times, whereas in SHL it is very likely you created the same MAC address over and over again within different groups. Very bad for the Day-2 operations guys if they need to do cleanup.
2) In Guest you can set an expiry date for a MAC. A MAC in Guest Device repo is treated as an account, so it can have an expiry date, and we can prolong the expiry date whenever the MAC successfully authenticates. This can be configured easily via an attribute in one of the post-authc type Enforcement Profiles.
Original Message:
Sent: 12/22/2023 6:40:00 AM
From: johnstonj@rowan.edu
Subject: RE: CPPM Static Host Lists and Role Mapping Policy
And that brings up another related question. One of the easier things to do in a SHL is to find devices that are in a certain list. In the Guest Device repository, you cannot sort or filter on role. Is there any easy way (other than exporting the entire DB to .csv) to find all devices with role xxxx?
Original Message:
Sent: Dec 21, 2023 04:47 PM
From: jonas.hammarback
Subject: CPPM Static Host Lists and Role Mapping Policy
Hi
I have never heard or read anything about an upper limit on the number of guest roles. But there may exist a limit. I tested in a lab server and created 70 roles and I was able to add them to a Guest Operator profile.
I also tried in the lab to create several Static host lists to see if it's possible to use them as authorization sources. But I got stuck as it looks like it's not possible.
------------------------------
Best Regards
Jonas Hammarbäck
MVP 2023, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
Original Message:
Sent: Dec 21, 2023 03:27 PM
From: johnstonj@rowan.edu
Subject: CPPM Static Host Lists and Role Mapping Policy
Thanks
Adding them to the Guest Repository wouldn't be hard. But keeping it maintained in CPPM vs Guest is easier for us the way we are structured. On top of that, we already have 60+ static host lists plus about a dozen Guest user roles defined. I believe there is a limit to how many guest user roles can be created, 64 I thought, which pushes us right to the limit with no wiggle room.
If it can't be done, it can't be done and we will find an alternative. I completely understand that SHLs are outdated and on the way out and I'm not a fan of them. But while it's not perfect, it's working at the moment. And as a surgeon in a world famous children's hospital on the east coast once told me - don't let perfection get in the way of good enough. Just hoping that there was a regex formula that could use a wildcard looking at SHLs. As an FYI - I spent a few years before this job as an Aruba Partner and still have a close working relationship with them. I will be running this past them also at our bi-weekly meeting, but thought I would throw it out here first in case someone else ran into something similar.
Original Message:
Sent: Dec 21, 2023 03:12 PM
From: jonas.hammarback
Subject: CPPM Static Host Lists and Role Mapping Policy
Hi
As @ahollifield already pointed out, the SHL is a legacy object in ClearPass, only available for compatibility.
When I need to assign roles based on MAC addresses I always add the MAC addresses to the Guest Device Repository. This way I can delegate the rights to add MAC addresses and assign specific roles to users based on AD groups, if the customer would like to have this option.
Another way to add the MAC addresses is by importing CSV files. This is really convenient. When added to the Guest Device Repository you also have the option to add other attributes to the MAC address, besides the role, like name, comment, email of the owner of the device, expiration time etc.
I would say that it would be quite easy to rebuild the logic you have today based on the SHLs in the role mapping policy to a logic based on assigned roles in the Guest Device Repository.
If you have not worked with assigning roles based on MAC addresses in the Guest Device Repository, I understand that it looks like a really big job to transfer the logic and data. But work with an Aruba partner, Aruba SE or maybe TAC to implement this. I think you will find the time spent valuable in the end. Of course asking questions in the forum is also an option.
Returning to your initial question regarding Belongs_To_Group, I think this operator only checks different Network Device Groups.
------------------------------
Best Regards
Jonas Hammarbäck
MVP 2023, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
Original Message:
Sent: Dec 21, 2023 02:37 PM
From: ahollifield
Subject: CPPM Static Host Lists and Role Mapping Policy
Yeah I'm not aware of an ANY supported field for Static Host Lists. You're right that regex might be possible but I've never attempted it.
I would 100% suggest moving away from this method however. Maybe EAP-TLS with certificate attributes identifying each business unit?
Original Message:
Sent: Dec 21, 2023 02:13 PM
From: johnstonj@rowan.edu
Subject: CPPM Static Host Lists and Role Mapping Policy
Thanks for the quick reply. I don't want to do multiple "belongs to group" for a couple of reasons. First we currently have 60 SHLs (yeah, I don't like it either LOL). But more importantly, we occasionally add or delete an SHL and remembering to update the Mapping Rule every time that happens is not something I want to add to my plate.
Profiling won't work (at least I don't think so). It's not about the type of machine or anything that's machine specific and being profiled. It's about who owns it. We have outside vendors that use internal services. The administrators are not willing to create user accounts or machine accounts in our AD and we need to classify them in "buckets" for access. For example - Dining gets an SHL to get to certain items. Banking gets an SHL with completely different authorizations. As I said - there are currently quite a few different categories. We talked about using the Guest DB for this, but we believe that might be more cumbersome.
Even though I'm not a fan of this method, it works... until now. We are switching to an F5 utility for external access bandwidth shaping. Everything in the static host lists would get the same external access bandwidth and the F5 accepts the TIPS role as an input. So if I could create a rule that says if you are in ANY SHL, you get TIPS role "StaticHost".
Original Message:
Sent: Dec 21, 2023 01:36 PM
From: ahollifield
Subject: CPPM Static Host Lists and Role Mapping Policy
Maybe I'm not following but why not just do multiple "belongs to group" rules within the role mapping?
Also it would be best practice to migrate away from using static host lists and use Profiling instead.
Original Message:
Sent: Dec 21, 2023 12:25 PM
From: johnstonj@rowan.edu
Subject: CPPM Static Host Lists and Role Mapping Policy
Hello all
I was wondering if there was a way to select multiple Static Host lists with the "Belongs_To_Group" option in a Role Mapping Policy (being able to select all groups would work). Currently we have quite a few static host lists that are used for different things (therefore a single list will not work). For a different reason, we would like to assign a TIPS role in addition to the other TIPS roles for every device that is in a static host list. Something along the lines of "Belongs To Group" "*" or any other wildcard. I haven't been able to find a way to do it. Can it possibly be done via regex?
Thanks!
Jeff Johnston
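The thread raises three operational questions that are easy to answer offline once the lists are exported: the original ask (one extra role for a device that sits in *any* static host list), the later question of finding every device carrying a given role without scrolling the Guest Device Repository, and the Day-2 cleanup problem of the same MAC registered under several lists. The script below is an added example written for this page, not ClearPass code and not anything posted by the participants. It models the desired role-mapping outcome on exported data rather than configuring CPPM itself; the CSV layouts (`list_name,mac` and `mac,role_name,expire_time`) and all MAC addresses are constructed for the example, and a real export may use different column names.

```python
"""Offline audit helpers for static-host-list and guest-device CSV exports.

Added example for this thread; column names and sample rows are constructed.
"""
import csv
import io
import re
from collections import defaultdict
from datetime import date

# Canonical comparison form: 12 lowercase hex digits joined with ':'.
_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> str:
    """Accept 00-11-22-33-44-55, 0011.2233.4466, 001122334455 ...; reject junk.

    Lists built by hand over years mix separators, so duplicates only show up
    once every entry is reduced to one spelling.
    """
    digits = re.sub(r"[:\-.\s]", "", raw).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"malformed MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


# Constructed SHL export: one row per (list, member). The same device appears in
# Dining and Banking with different separators, the duplicate the thread warns about.
SHL_EXPORT = """list_name,mac
Dining,00-11-22-33-44-55
Dining,0011.2233.4466
Banking,00:11:22:33:44:55
Banking,AA:BB:CC:DD:EE:01
"""


def load_shl(text: str) -> dict:
    """Return {canonical_mac: set(list_names)} from an SHL export."""
    membership = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        membership[normalize_mac(row["mac"])].add(row["list_name"])
    return dict(membership)


def duplicate_macs(membership: dict) -> dict:
    """MACs registered in more than one list: the Day-2 cleanup candidates."""
    return {mac: sorted(lists) for mac, lists in membership.items() if len(lists) > 1}


def map_roles(mac: str, membership: dict, any_list_role: str = "StaticHost") -> list:
    """Model the wanted policy result: one role per list the device is in, plus a
    catch-all role whenever it is in any list at all (the 'wildcard' rule asked for)."""
    lists = membership.get(normalize_mac(mac), set())
    roles = set(lists)
    if lists:
        roles.add(any_list_role)
    return sorted(roles)


# Constructed Guest Device Repository export: role and expiry per MAC.
GUEST_EXPORT = """mac,role_name,expire_time
00:11:22:33:44:55,Dining,2024-06-30
aa:bb:cc:dd:ee:01,Banking,2024-01-15
aa:bb:cc:dd:ee:02,Dining,2023-12-01
"""


def devices_with_role(text: str, role: str) -> list:
    """Answer 'which devices carry role X?' from an export, sorted by MAC."""
    return sorted(
        normalize_mac(row["mac"])
        for row in csv.DictReader(io.StringIO(text))
        if row["role_name"] == role
    )


def expired_devices(text: str, as_of: str) -> list:
    """Devices whose ISO expire_time is strictly before as_of: candidates to remove."""
    cutoff = date.fromisoformat(as_of)
    return sorted(
        normalize_mac(row["mac"])
        for row in csv.DictReader(io.StringIO(text))
        if date.fromisoformat(row["expire_time"]) < cutoff
    )


if __name__ == "__main__":
    shl = load_shl(SHL_EXPORT)
    print("duplicates:", duplicate_macs(shl))
    print("roles for 0011.2233.4466:", map_roles("0011.2233.4466", shl))
    print("Dining devices:", devices_with_role(GUEST_EXPORT, "Dining"))
    print("expired as of 2024-01-01:", expired_devices(GUEST_EXPORT, "2024-01-01"))
```

Running the duplicate check before migrating from SHLs to the Guest Device Repository matters because the repository, as noted in the thread, will not accept the same MAC twice: every duplicate has to be resolved to a single role up front, and the expiry report gives the stale entries that need not be migrated at all.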