definitely worth a look.
Original Message:
Sent: Aug 01, 2024 11:29 AM
From: Ben_C
Subject: known endpoints
Hi Peter,
I would strongly suggest you use the guest device repository and then you will be able to create custom forms to allow or disallow devices. It is a lot more user friendly and reliable. I would auto register the devices in the repository and add an allow feature / blacklist feature.
Thanks,
Original Message:
Sent: Aug 01, 2024 11:24 AM
From: peter.elms
Subject: known endpoints
Thanks Carson,
the customer has a PSK SSID and MAC-AUTH (allow ALL MAC-AUTH method); this is because of limitations on clients (can't do 802.1x).
I suggested doing STATIC host list but they like the idea of seeing the endpoint and allowing them on by clicking known from a default status of unknown.
I said not ideal but yes it should work providing known endpoint cleanup interval is set to 0 and we have a policy to disallow "unknown" endpoints and allow "known".
cheers
Pete
Original Message:
Sent: Aug 01, 2024 11:07 AM
From: chulcher
Subject: known endpoints
Would not recommend using Known for policy.
Known vs Unknown has two main purposes:
- Filtering for endpoint cleanup
- A MAC auth service (not Allow All MAC Auth) - Known is allowed, Unknown is denied
You should be using some other process/information/tag/etc. for authorization. If you are needing to authorize specific MAC addresses, use the Device Repository and assign a role or custom fields.
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Aug 01, 2024 10:43 AM
From: peter.elms
Subject: known endpoints
Thanks to all answers coming back,
because I'm making some policy decisions based on known endpoints I wanted to make sure the default state is unknown regardless of authentication and that the only way the endpoint known\unknown status can change is by methods I've outlined.
Cheers again
Peter
Original Message:
Sent: Aug 01, 2024 10:17 AM
From: Ben_C
Subject: known endpoints
You can just post the below JSON to the endpoint "/endpoint" for API (the MAC shown is an example):
{
  "mac_address": "00:00:00:00:00:00",
  "status": "Known"
}
Thanks,
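Added example, not part of the original post and not ClearPass's own code: a Python helper that builds the POST described above and refuses malformed or group MAC addresses and unexpected status values before anything is sent. The `/api` prefix, bearer-token authentication, the status set and the host name used with it are assumptions; only `/endpoint` and the two JSON fields come from the post.

```python
import json
import re
import urllib.request

# Assumptions (not from the post): API base path, bearer-token auth, status set.
API_PREFIX = "/api"
ALLOWED_STATUS = {"Known", "Unknown", "Disabled"}


def normalize_mac(mac):
    """Return aa:bb:cc:dd:ee:ff, or raise ValueError for anything else."""
    # Separators (: - .) are stripped wherever they appear, then 12 hex digits required.
    digits = re.sub(r"[:\-.]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    # The low bit of the first octet marks a group (multicast/broadcast)
    # address, which can never be a client's own address.
    if int(digits[:2], 16) & 1:
        raise ValueError(f"group address, not a device: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_endpoint_request(server, token, mac, status="Known"):
    """Build (but do not send) the POST that sets an endpoint's status."""
    # Bare host[:port] only, so the token cannot be steered to another URL.
    if not re.fullmatch(r"[A-Za-z0-9.-]+(:\d{1,5})?", server):
        raise ValueError(f"server must be host[:port]: {server!r}")
    if status not in ALLOWED_STATUS:
        raise ValueError(f"unexpected status: {status!r}")
    body = {"mac_address": normalize_mac(mac), "status": status}
    return urllib.request.Request(
        f"https://{server}{API_PREFIX}/endpoint",
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={
            "Content-Type": "application/json",
            "Accept": "application/json",
            "Authorization": f"Bearer {token}",
        },
    )


def send(request, timeout=10):
    """Send the request over HTTPS with certificate verification left on."""
    with urllib.request.urlopen(request, timeout=timeout) as resp:
        return resp.status, json.loads(resp.read() or b"{}")
```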
Original Message:
Sent: Aug 01, 2024 10:09 AM
From: chulcher
Subject: known endpoints
Those are the two usual methods, yes. Can probably also use API but I've never looked for that.
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Aug 01, 2024 04:18 AM
From: peter.elms
Subject: known endpoints
Hi Airheads,
basic question coming up!!
In the endpoints repository on ClearPass, the act of making an endpoint known can only be triggered:
- by enforcement policy ?
- By manually going into the specific endpoint and changing from unknown (default) to known ?
thanks
Peter