Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

How to add multiple mac-address type Regular Expressions in Static Host List?

  • 1.  How to add multiple mac-address type Regular Expressions in Static Host List?

    Posted Jan 18, 2023 11:22 AM
    I need to check multiple MAC address OUIs in a static host list, but when I add more than one MAC address it does not work. Can anyone please make a suggestion?


  • 2.  RE: How to add multiple mac-address type Regular Expressions in Static Host List?
    Best Answer

    MVP GURU
    Posted Jan 18, 2023 11:33 AM
    If you're using a RegEx host type you can only use one expression. You will need to make multiple static host lists for multiple regex types. What are you trying to accomplish? Maybe the static host list is not the only option.

    ------------------------------
    Dustin Burns

    Lead Mobility Engineer @Worldcom Exchange, Inc.

    ACCX 1271| ACMX 509| ACSP | ACDA | MVP Guru 2022
    If my post was useful accept solution and/or give kudos
    ------------------------------



  • 3.  RE: How to add multiple mac-address type Regular Expressions in Static Host List?

    Posted Jan 19, 2023 02:28 AM
    Hi Dustin Burns,

    Thank you for the answer. I need to check the IP phone MAC OUI, but without creating several rule conditions. Therefore, I need to add multiple MAC address OUIs to a group in a static host list and check it.


  • 4.  RE: How to add multiple mac-address type Regular Expressions in Static Host List?

    Posted Jan 19, 2023 02:44 AM
    Hi

    I would say that profiling of the devices will be a better solution in most situations instead of manually managing the MAC OUI static list regex option.
    With the profiling you can create a role mapping or enforcement policy based on the vendor and the device type instead.

    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP 2023, ACCX #1335, ACMP, ACDP, ACP-Network Security, ACEP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 5.  RE: How to add multiple mac-address type Regular Expressions in Static Host List?

    Posted Jan 19, 2023 03:02 AM
    Thanks for the answer. It is because I need more security. Therefore I need to add the MAC OUI to the role mapping condition.


  • 6.  RE: How to add multiple mac-address type Regular Expressions in Static Host List?

    Posted Jan 19, 2023 03:40 AM
    MAC OUI as a security measure will not add much security as the MAC address can be spoofed.
    With the profiling enabled you will not only look at the MAC address, but instead how the MAC address requests an IP address.
    This way you can distinguish an IP phone and a PC with the spoofed MAC address from the same phone.

    Also, in ClearPass you can add a rule to block access for a device, and if needed alert the correct persons, where ClearPass has detected a profiling conflict.

    But another way instead of using the Static host list is to do the regex in the role mapping policy.
    Create a role for your approved IP phones and assign this role in the role mapping policy.

    In the enforcement policy, use this role as a condition together with your other roles and conditions to grant the phones access to the network.

    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP 2023, ACCX #1335, ACMP, ACDP, ACP-Network Security, ACEP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------
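
An added example, not part of any post in this thread: one way to cover several OUIs with a single regular expression by using alternation, checked here with Python's `re` module. The OUI values and sample MAC addresses are constructed placeholders, and whether the ClearPass regex field accepts this syntax, and which MAC format it compares against, are assumptions to verify on your own system.

```python
import re

# Constructed placeholder OUIs (first three octets), deliberately written in
# mixed notations; replace them with the prefixes of the approved phones.
PHONE_OUIS = ["00:11:22", "AA-BB-CC", "0a1b.2c"]

def _hex_digits(value: str, length: int) -> str:
    """Drop ':', '-' and '.' separators, lowercase, and require exactly
    `length` hex digits; raise ValueError otherwise."""
    digits = re.sub(r"[-:.]", "", value.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{%d}" % length, digits):
        raise ValueError(f"not a {length}-digit hex value: {value!r}")
    return digits

def build_oui_regex(ouis) -> str:
    """Return ONE anchored expression matching a separator-free, lowercase
    MAC address whose first six hex digits equal any listed OUI."""
    prefixes = sorted({_hex_digits(o, 6) for o in ouis})
    return "^(?:" + "|".join(prefixes) + ")[0-9a-f]{6}$"

def has_listed_oui(mac: str, pattern: str) -> bool:
    """True if the MAC address carries one of the listed prefixes.
    This only tests the prefix: as noted in the thread, an address can be
    spoofed, so a match does not prove the device is a phone."""
    try:
        return re.fullmatch(pattern, _hex_digits(mac, 12)) is not None
    except ValueError:
        return False  # malformed input never matches

if __name__ == "__main__":
    pattern = build_oui_regex(PHONE_OUIS)
    print(pattern)
    # Constructed sample addresses in several common notations.
    for mac in ["00:11:22:33:44:55", "AABB.CC00.0001",
                "0A-1B-2C-FF-EE-DD", "00:11:23:33:44:55", "not-a-mac"]:
        print(f"{mac:20} {has_listed_oui(mac, pattern)}")
```

The anchors `^` and `$` matter: without them the alternation could match an OUI-like sequence in the middle of an address.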



  • 7.  RE: How to add multiple mac-address type Regular Expressions in Static Host List?

    Posted Jan 19, 2023 04:09 AM
    Oh, I got it. Thanks a lot for the solution.