Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Static Host List usage

  • 1.  Static Host List usage

    Posted Mar 02, 2024 02:35 AM

    Hi, 

    I have a question regarding using Static Host Lists.  If the service has the Authentication Method as "Allow All MAC Auth", is there a need to add the static host list to an authentication source?  Could you not just add a rule in the role mapping that checks if Connection:Client-Mac-Address  BELONGS_TO_GROUP <static host list>?

    Trying to understand why/where creating an Authentication Source is needed?   My assumption would be it would only be needed if the service is only checking for specific auth sources (but I could be wrong)



  • 2.  RE: Static Host List usage

    Posted Mar 02, 2024 07:26 AM

    Hi

    It's correct: when you are using the Allow All MAC Auth method you actually don't need an authentication source. But the Service configuration requires an authentication source. The BELONGS_TO_GROUP condition is referring to Network Device Groups, so you can't use this condition for Static Host Lists. So if you would like to use the Static Host List function you must have it as an authentication source. I never utilize Static Host Lists as this is a legacy function of ClearPass.

    In most cases the Endpoint Repository would be the best authentication source, as this database contains other attributes from profiling etc. that you can benefit from in the role mapping and enforcement policies. To add specific MAC addresses to ClearPass to assign roles, the Guest Device Repository is really good. With this you can also delegate the rights to add specific device types to different persons. For example, administrators of audio and video equipment can add this type of device and assign the correct roles, and the printer admins can add printers.

    It's also possible in a large organization to divide the responsibility geographically.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 3.  RE: Static Host List usage

    Posted Mar 02, 2024 11:13 AM

    Hi Jonas,

    Thank you for the response.  I'll have to look into the Guest Device Repository.  I have not dived into Guest at all yet. 

    In role mapping, if you select Connection:Client-Mac-Address, the "BELONGS_TO_GROUP" operator does let you pick the static host list from the drop-down, and that can be used to assign roles. I have tested this successfully.

    I don't believe I was fully clear in my question. In the scenario I was mentioning, if you use the Endpoint Repository as one of the authentication sources, I don't think creating an authentication source that contains the static host list is needed/has a benefit? It seems it would be redundant.