Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Authenticating simple devices (e.g. printers) via MAC address at Clearpass

  • 1.  Authenticating simple devices (e.g. printers) via MAC address at Clearpass

    Posted Jul 31, 2018 07:58 AM

    Hello everyone,

     

    We have an implementation where the default switch port config is secured with 802.1x. Such ports are used for end-user PCs which are capable of carrying a certificate. When there is a need to connect a simple device such as a printer, we disable dot1x on the switch port and statically configure it to accept only a single MAC address.

     

    I am interested in a) unifying the switch port config and b) storing the MAC addresses of the printers in a central database rather than in individual switch port configs.

     

    I have a ClearPass server available and I was already able to authenticate a device via the MAC AUTH authentication method using a Static Host List as an authentication source.

     

    What I am missing with the Static Host List is that each entry has only a single value, which is the MAC address itself. I would like the list entries to:

    1. Be either manually created or approved by a sponsor in case of automatic creation

    2. Expire once the end-device stays offline for a certain period of time

    3. Have a comment/description (this one is nice to have but not mandatory)

     

    I was looking at using the Endpoints Repository instead of a Static Host List as the authentication source, but I am still not sure whether it can satisfy the requirements.

     

    Could you be so kind as to give me some advice on where to look in ClearPass to make this work, please?

     

    Thank you and have a nice day



  • 2.  RE: Authenticating simple devices (e.g. printers) via MAC address at Clearpass
    Best Answer

    EMPLOYEE
    Posted Jul 31, 2018 08:04 AM
    Static Host Lists should not be used.

    Use Device Registration. The ClearPass Solution Guide for Wired Policy Enforcement has examples of colorless ports with headless devices.


  • 3.  RE: Authenticating simple devices (e.g. printers) via MAC address at Clearpass

    Posted Aug 13, 2018 10:44 AM

    Thank you a lot Tim.

     

    I've read your guide and went with device registration as suggested. I had to do some more research and googling to find out the details, but your guide has definitely pointed me in the right direction. Thanks again.

     

    BR,

    Vladan