Re: 2nd factor to MAC authentication with ClearPass

I use profiling right now to identify devices for MAC auth on wired authentication. You can also use the "Conflict" condition in Role Mapping, which would be one way of helping fight against spoofing, as it would identify if there is a duplicate MAC but a different fingerprint. As Tim mentioned, a database would also be helpful - for example an MDM or SQL DB to query. The problem with just checking the fingerprint is that a printer is a printer, but without something to check against, it would be difficult to be 100% locked down. For wireless, you can enable IF-MAP; DHCP is also a simple way of profiling. Network scans are broken in 6.6.5, so make sure CPPM is recent; then you can leverage NMAP and SNMP data through scans and a SPAN port.


Michael Haring
If my answer is helpful, a Kudos is always appreciated!
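
Added example, not part of the original post and not ClearPass policy syntax or API: a simplified Python model of the two checks described in the reply above, a profile conflict on a known MAC and a lookup against an inventory database. The table name, device categories and MAC addresses are constructed for illustration.

```python
import sqlite3

# Constructed sample inventory: the device category each known MAC should have.
INVENTORY = [
    ("00:11:22:33:44:55", "Printer"),
    ("00:11:22:33:44:66", "VoIP Phone"),
]

def build_inventory_db(rows=INVENTORY):
    """Stand-in for the MDM/SQL source of truth (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE assets (mac TEXT PRIMARY KEY, category TEXT NOT NULL)")
    db.executemany("INSERT INTO assets VALUES (?, ?)", rows)
    return db

def normalize_mac(mac):
    """Accept colon, dash or dotted notation; return aa:bb:cc:dd:ee:ff."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def evaluate_mac_auth(db, profiles, mac, observed_category):
    """Return (decision, reason) for one MAC auth request.

    profiles maps MAC -> category seen on earlier authentications.
    """
    mac = normalize_mac(mac)
    # Parameterized query: the MAC comes from the network and is untrusted.
    row = db.execute("SELECT category FROM assets WHERE mac = ?", (mac,)).fetchone()
    if row is None:
        return ("deny", "MAC not in inventory")
    previous = profiles.get(mac)
    if previous is not None and previous != observed_category:
        # Same MAC, different fingerprint than before: treat as a conflict.
        return ("quarantine", f"conflict: profiled as {previous}, now {observed_category}")
    if observed_category != row[0]:
        return ("quarantine", f"inventory expects {row[0]}, saw {observed_category}")
    profiles[mac] = observed_category  # remember the accepted fingerprint
    return ("allow", "MAC and fingerprint match inventory")

if __name__ == "__main__":
    db, profiles = build_inventory_db(), {}
    for mac, seen in [("00-11-22-33-44-55", "Printer"),
                      ("0011.2233.4455", "Windows"),
                      ("aa:bb:cc:dd:ee:ff", "Printer")]:
        print(mac, seen, evaluate_mac_auth(db, profiles, mac, seen))
```

A request that presents the same category as the inventory entry is still allowed, which is the "a printer is a printer" limitation the reply points out.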