Security


Palo Alto IP-TAG mapping with static IPs


    Posted Oct 23, 2019 09:21 AM

    Hi,

    There is a network which requires static IPs for specific IoT devices. They are authenticated via MAC auth through ClearPass.

    At the same time, there is Palo Alto, which would require getting TAGs (=ClearPass roles) via Server Context Actions to have these IoT groups in the dynamic groups and assigned to security policies.

    Although it sounds fine on paper, the issue is with the static address part - in order for ClearPass to trigger the Context Server Action (meaning - do the Palo Alto API call) it has to receive Accounting information with Framed-IP present. In case of DHCP this IP is learned via DHCP snooping, but there is none in case of static IPs.

    Has anyone done something similar, and what are the options to update the firewall there while keeping the static IPs? Is it possible to call the Context Server Action without Framed-IP being present in the Accounting? These IPs may be present as part of attributes, but those will not be part of Accounting. My current experience shows that Framed-IP is mandatory.

    As an alternative, pseudo-static IPs (DHCP reservations) are being considered, etc., but first it would be great to understand if there is something to be done while keeping the static addressing.
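An added example, not code from the post or from Aruba or Palo Alto Networks: it takes constructed RADIUS accounting records, uses Framed-IP-Address when present (the DHCP-snooping case above) and otherwise falls back to a locally maintained static inventory keyed by Calling-Station-Id (an assumption of this example), then builds the User-ID register message the PAN-OS XML API accepts for dynamic address group tags. The `roles` key on the records and the inventory contents are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed static inventory (hypothetical): MAC as Calling-Station-Id -> (IP, tags).
STATIC_INVENTORY = {
    "00-11-22-33-44-55": ("10.10.20.11", ["IoT-Camera"]),
    "00-11-22-33-44-66": ("10.10.20.12", ["IoT-Sensor"]),
}

def resolve_ip(acct: dict, inventory: dict = STATIC_INVENTORY):
    """Return (ip, tags) for one accounting record, or None if it cannot be resolved.

    Framed-IP-Address wins when present; otherwise the static inventory fills the gap
    that accounting leaves for statically addressed devices.
    """
    ip = acct.get("Framed-IP-Address")
    tags = acct.get("roles", [])
    if ip:
        return ip, tags
    entry = inventory.get(acct.get("Calling-Station-Id", "").upper())
    if entry is None:
        return None
    return entry[0], tags or entry[1]

def build_uid_message(records, inventory=STATIC_INVENTORY) -> str:
    """Build a PAN-OS User-ID 'register' message covering every resolvable record."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "type").text = "update"
    register = ET.SubElement(ET.SubElement(root, "payload"), "register")
    for acct in records:
        resolved = resolve_ip(acct, inventory)
        if resolved is None:
            continue  # unknown device: register nothing rather than guess an IP
        ip, tags = resolved
        tag_el = ET.SubElement(ET.SubElement(register, "entry", ip=ip), "tag")
        for tag in tags:
            ET.SubElement(tag_el, "member").text = tag
    return ET.tostring(root, encoding="unicode")

def registered_entries(xml_text: str) -> dict:
    """Parse a uid-message back into {ip: [tags]} so the result can be verified."""
    root = ET.fromstring(xml_text)
    return {e.get("ip"): [m.text for m in e.iter("member")] for e in root.iter("entry")}

SAMPLE_ACCOUNTING = [  # constructed accounting records, not real data
    {"Calling-Station-Id": "AA-BB-CC-DD-EE-01", "Framed-IP-Address": "10.10.30.5",
     "roles": ["IoT-Printer"]},                                       # DHCP device
    {"Calling-Station-Id": "00-11-22-33-44-55", "roles": ["IoT-Camera"]},  # static, no Framed-IP
    {"Calling-Station-Id": "DE-AD-BE-EF-00-01"},                           # unknown, skipped
]
```

The resulting XML is what is sent in the `cmd` parameter of the firewall's `type=user-id` API request; the example stops at building and verifying it.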