
Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Status in Endpoint

  • 1.  Status in Endpoint

    Posted May 07, 2023 05:04 PM

    I'm sure that I'm just missing something here.  I would like to add the status condition from my endpoints to my enforcement policy for MAC auth.  Is this possible?

    For instance I would like to manually move the endpoint status to Known and have this be part of my enforcement.


  • 2.  RE: Status in Endpoint

    Posted May 08, 2023 01:28 AM

    If I understand you correctly, you want to change the status of an endpoint from the enforcement policy?
    If yes, do it by creating a post-auth profile and, in the rules, add:

    Status-Update : Endpoint : Known

    and then add to your enforcement policy.

  • 3.  RE: Status in Endpoint
    Best Answer

    Posted May 16, 2023 10:20 AM

    This did not work.  There is a condition you can use in role mapping or enforcement (where I chose) to match the known/unknown condition of the endpoint.

    Authentication:MacAuth equals KnownClient (or UnknownClient)

    I did find this in documentation.  It was kind of obscure but a little configuration and testing confirmed my configuration.

  • 4.  RE: Status in Endpoint

    Posted May 08, 2023 06:27 AM

    Easiest way is to add enforcement profile [Update Endpoint Known] to your enforcement policy.

    Best, Gorazd

    Gorazd Kikelj
    MVP Expert 2023

  • 5.  RE: Status in Endpoint

    Posted May 09, 2023 11:46 AM

    You may already be aware, but just in case you are not: you can use mac-auth instead of allow-all-mac-auth auth-source to automatically reject any devices that are not marked "known".

  • 6.  RE: Status in Endpoint

    Posted May 09, 2023 11:51 AM

    Just to add to this thread with regard to mac authentication.  You can utilize the auth method [MAC-AUTHENTICATION] vs the [ALLOW ALL MAC AUTHENTICATION] to reject any auths that are not from devices that are marked "KNOWN".  Alternatively you can use [ALLOW ALL MAC AUTHENTICATION] along with profiling data to select the appropriate enforcements.
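The thread settles on two halves of the same control: the endpoint's Known/Unknown status is what the [MAC AUTHENTICATION] method and the Authentication:MacAuth condition key off, so whatever sets that status is effectively part of the access decision. The script below is an added example, not code from this thread or from HPE Aruba, showing how an operator can set that status deliberately through the ClearPass REST API instead of clicking through the Endpoints page. It uses the documented OAuth2 client-credentials flow at `/api/oauth` and the `PATCH /api/endpoint/mac-address/{mac}` resource with a `status` of Known, Unknown or Disabled; the hostname, API client ID and secret are placeholders you must replace with an API client you created under ClearPass Guest > Administration > API Services.

```python
"""Set ClearPass endpoint status (Known / Unknown / Disabled) via the REST API.

Added example for the Airheads thread above; not ClearPass's own code.
Assumed placeholders: CLEARPASS_HOST, CLIENT_ID, CLIENT_SECRET.
"""
import json
import re
import sys
import urllib.request

CLEARPASS_HOST = "clearpass.example.com"  # assumption: your ClearPass publisher
CLIENT_ID = "endpoint-admin"              # assumption: API client with endpoint write access
CLIENT_SECRET = "change-me"               # assumption: that client's secret

VALID_STATUS = ("Known", "Unknown", "Disabled")


def normalize_mac(mac: str) -> str:
    """ClearPass keys endpoints on 12 lowercase hex digits with no separators."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def build_token_request(host: str, client_id: str, client_secret: str) -> urllib.request.Request:
    """POST /api/oauth with the client_credentials grant."""
    body = json.dumps({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    return urllib.request.Request(
        f"https://{host}/api/oauth",
        data=body,
        headers={"Content-Type": "application/json", "Accept": "application/json"},
        method="POST",
    )


def build_status_request(host: str, token: str, mac: str, status: str) -> urllib.request.Request:
    """PATCH /api/endpoint/mac-address/{mac} with only the status field.

    Rejecting unknown status strings here keeps a typo from silently
    leaving an endpoint in whatever state it was already in.
    """
    if status not in VALID_STATUS:
        raise ValueError(f"status must be one of {VALID_STATUS}, got {status!r}")
    return urllib.request.Request(
        f"https://{host}/api/endpoint/mac-address/{normalize_mac(mac)}",
        data=json.dumps({"status": status}).encode(),
        headers={
            "Content-Type": "application/json",
            "Accept": "application/json",
            "Authorization": f"Bearer {token}",
        },
        method="PATCH",
    )


def get_token(host: str, client_id: str, client_secret: str) -> str:
    with urllib.request.urlopen(build_token_request(host, client_id, client_secret)) as resp:
        return json.load(resp)["access_token"]


def set_endpoint_status(host: str, token: str, mac: str, status: str) -> dict:
    """Returns the endpoint record ClearPass sends back after the update."""
    with urllib.request.urlopen(build_status_request(host, token, mac, status)) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # usage: python set_status.py Known 00:11:22:33:44:55 aa-bb-cc-dd-ee-ff ...
    if len(sys.argv) < 3:
        sys.exit("usage: set_status.py <Known|Unknown|Disabled> <mac> [<mac> ...]")
    new_status, macs = sys.argv[1], sys.argv[2:]
    bearer = get_token(CLEARPASS_HOST, CLIENT_ID, CLIENT_SECRET)
    for m in macs:
        record = set_endpoint_status(CLEARPASS_HOST, bearer, m, new_status)
        print(f"{record.get('mac_address')}: status={record.get('status')}")
```

A MAC-auth service using the [MAC AUTHENTICATION] method, or a policy rule on Authentication:MacAuth equals KnownClient, picks up the change on the device's next authentication; to force it sooner, disconnect the session from Access Tracker or wait for the switch's reauthentication timer. The endpoint must already exist in the endpoint repository for the PATCH to succeed, which it will once the device has attempted MAC auth at least once.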