Security

Hi, 

I have a question regarding using Static Host Lists.  If the service has the Authentication Method as "Allow All MAC Auth", is there a need to add the static host list to an authentication source?  Could you not just add a rule in the role mapping that checks if Connection:Client-Mac-Address  BELONGS_TO_GROUP <static host list>?

Trying to understand why/where creating an Authentication Source is needed?   My assumption would be it would only be needed if the service is only checking for specific auth sources (but I could be wrong)

H

It's correct, when you are using the Allow All MAC Auth method you actually don't need an authentication source. But the Service configuration require an authentication source. The BELONGS_TO_GROUP condition is refering to Network Device Groups, so you can't use this condition for Static Host Lists. So if you would like to use the Static Host List function you must have it as a authentication source. I never utilize Static Hosts lists as this is a legacy function of ClearPass.

In most cases the Endpoint Repository would be the best authentication source as this database contains other attributes from profiling etc that you can benefit from in the role mapping and enforcement policies. To add specific MAC addresses to ClearPass to assign roles the Guest Device Repository is really good. With this you can also delegate the rights to add specific device types to different persons. For example administrators of audio and video equipment can add this type of devices and assign the correct roles, and the printer admins can add printers.

It's also possible in a large organization to divide the responsibility geographically.

------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
------------------------------

Original Message:
Sent: Mar 01, 2024 11:57 PM
From: arubamike
Subject: Static Host List usage

Hi, 

I have a question regarding using Static Host Lists.  If the service has the Authentication Method as "Allow All MAC Auth", is there a need to add the static host list to an authentication source?  Could you not just add a rule in the role mapping that checks if Connection:Client-Mac-Address  BELONGS_TO_GROUP <static host list>?

Trying to understand why/where creating an Authentication Source is needed?   My assumption would be it would only be needed if the service is only checking for specific auth sources (but I could be wrong)

Hi Jonas,

Thank you for the response.  I'll have to look into the Guest Device Repository.  I have not dived into Guest at all yet. 

In role mapping, if you select Connection:Client-Mac-Address, the "BELONGS_TO_GROUP" does let you pick the static host list from the drop down and that can be used to assign roles.  I have tested this successfully.

I don't believe I was fully clear in my question.  In the scenario I was mentioning, if you use the Endpoint Repository one of the authentication sources, I don't think creating an authentication source that contains the static host list is needed/has a benefit? It seems it would be redundant 

Original Message:
Sent: Mar 02, 2024 07:25 AM
From: jonas.hammarback
Subject: Static Host List usage

H

It's correct, when you are using the Allow All MAC Auth method you actually don't need an authentication source. But the Service configuration require an authentication source. The BELONGS_TO_GROUP condition is refering to Network Device Groups, so you can't use this condition for Static Host Lists. So if you would like to use the Static Host List function you must have it as a authentication source. I never utilize Static Hosts lists as this is a legacy function of ClearPass.

In most cases the Endpoint Repository would be the best authentication source as this database contains other attributes from profiling etc that you can benefit from in the role mapping and enforcement policies. To add specific MAC addresses to ClearPass to assign roles the Guest Device Repository is really good. With this you can also delegate the rights to add specific device types to different persons. For example administrators of audio and video equipment can add this type of devices and assign the correct roles, and the printer admins can add printers.

It's also possible in a large organization to divide the responsibility geographically.

------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution

Original Message:
Sent: Mar 01, 2024 11:57 PM
From: arubamike
Subject: Static Host List usage

Hi, 

I have a question regarding using Static Host Lists.  If the service has the Authentication Method as "Allow All MAC Auth", is there a need to add the static host list to an authentication source?  Could you not just add a rule in the role mapping that checks if Connection:Client-Mac-Address  BELONGS_TO_GROUP <static host list>?

Trying to understand why/where creating an Authentication Source is needed?   My assumption would be it would only be needed if the service is only checking for specific auth sources (but I could be wrong)