Security

 View Only
last person joined: yesterday 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Dot1x + Known MAC authentication

This thread has been viewed 23 times
  • 1.  Dot1x + Known MAC authentication

    Posted Dec 07, 2022 11:02 AM
    Hi,

    I have installed a Clearpass cluster and what to make a service that checks if a username in the AD is a member of "Printers group" + its MAC address has to be "known" in order to authenticate it.

    Here is my enforcement for that service (rule #2):

    The "PRINTERuser" is a role in a role mapping attached to this service.
    I have checked - and it worked fine only with the PRINTERuser - which means the problem can't be there.

    Here is the role mapping attached as well:

    Do I miss something?
    Any ideas ?



    ------------------------------
    Best regards,
    Alon Haber
    ------------------------------


  • 2.  RE: Dot1x + Known MAC authentication

    MVP EXPERT
    Posted Dec 07, 2022 02:19 PM
    Hi Alon,

    Maybe you can give some more information. Check the access-tracker authorization attributes if it contains memberof "IT".

    ------------------------------
    Marcel Koedijk | MVP Expert 2022 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own
    ------------------------------



  • 3.  RE: Dot1x + Known MAC authentication

    Posted Dec 08, 2022 06:04 AM
    Hi,
    Thank you for replying.
    My problem is not with the ITuser.
    is with the PRINTERuser.
    From the perspective of member of "Printers group" - I have no problem,
    But when I am adding the Endpoint status = known - I am having a problem and it does not match rule# 2 (here in the picture above).
    Maybe I have related to the wrong parameter in here:



    ------------------------------
    Best regards,
    Alon Haber
    ------------------------------



  • 4.  RE: Dot1x + Known MAC authentication

    Posted Dec 08, 2022 06:37 AM
    Hi Alon

    I think you need to change to check for status Known instead of known, as it's case sensitive. Another option is to change the condition to EQUALS_IGNORE_CASE

    ------------------------------
    Best Regards
    Jonas Hammarbäck
    ACCX #1335, ACMP, ACDP, ACNSP, ACEP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------