It's correct: when you are using the Allow All MAC Auth method, you actually don't need an authentication source. But the Service configuration requires an authentication source. The BELONGS_TO_GROUP condition is referring to Network Device Groups, so you can't use this condition for Static Host Lists. So if you would like to use the Static Host List function, you must have it as an authentication source. I never utilize Static Host Lists, as this is a legacy function of ClearPass.
In most cases the Endpoint Repository would be the best authentication source, as this database contains other attributes from profiling etc. that you can benefit from in the role mapping and enforcement policies. To add specific MAC addresses to ClearPass to assign roles, the Guest Device Repository is really good. With this you can also delegate the rights to add specific device types to different persons. For example, administrators of audio and video equipment can add this type of device and assign the correct roles, and the printer admins can add printers.
It's also possible in a large organization to divide the responsibility geographically.
------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
------------------------------
Original Message:
Sent: Mar 01, 2024 11:57 PM
From: arubamike
Subject: Static Host List usage
Hi,
I have a question regarding using Static Host Lists. If the service has the Authentication Method as "Allow All MAC Auth", is there a need to add the static host list to an authentication source? Could you not just add a rule in the role mapping that checks if Connection:Client-Mac-Address BELONGS_TO_GROUP <static host list>?
Trying to understand why/where creating an Authentication Source is needed? My assumption would be it would only be needed if the service is only checking for specific auth sources (but I could be wrong).