Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Authorizing Multiple Mac Based Devices

  • 1.  Authorizing Multiple Mac Based Devices

    Posted Jan 11, 2019 07:38 AM

    Could someone please give me an example of a policy to do MAC-based authentication via two different devices? Right now I have 2 policies, one for APs and one for IP phones. No matter how I have it set, everything stops at the first policy. I'm looking for individual policies for phones, APs, and printers.

    Thanks



  • 2.  RE: Authorizing Multiple Mac Based Devices

    EMPLOYEE
    Posted Jan 11, 2019 08:15 AM
    Take a look at the MAC auth service configurations in the ClearPass Solution Guide for Wired Policy Enforcement.


  • 3.  RE: Authorizing Multiple Mac Based Devices

    Posted Jan 11, 2019 08:28 AM

    Hi,

    Thanks for the reply. I directly copied and pasted your suggestion into Google and it came up with a PDF linked by you. While browsing it, it appears that the example involves placing all MAB devices into one policy. Is this the only method aside from the second example of providing a captive portal? I would really like to have individual policies for printers, APs, and IP phones, or did I miss something in the document?

    Thanks



  • 4.  RE: Authorizing Multiple Mac Based Devices
    Best Answer

    EMPLOYEE
    Posted Jan 11, 2019 08:31 AM
    You have multiple rules in a single enforcement policy, yes. This is how ClearPass works.


  • 5.  RE: Authorizing Multiple Mac Based Devices

    Posted Jan 11, 2019 08:42 AM

    OK. So I was right in assuming that ClearPass stops at the first authentication match and then evaluates the rules for a match, whereas Cisco ISE does not stop processing rules until there is an authorization match, even if there are multiple matching authentication methods.

    It's probably best for me to just allow the SE to configure this, as ClearPass does not make as much sense as ISE did when I configured it 5 years ago.

    Thanks for the time saver.



  • 6.  RE: Authorizing Multiple Mac Based Devices

    EMPLOYEE
    Posted Jan 11, 2019 08:45 AM
    Policy is about matching explicit conditions, like a firewall rule. Matching all doesn't really make sense and leaves a lot of room for misconfiguration resulting in the wrong access granted.
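
The behaviour discussed in this thread, as an added example that is not part of any post and is not ClearPass code: a simplified Python model that assumes services are tried in order and the first one whose conditions all match handles the request. The attribute names, service names and roles are hypothetical, and the sample requests are constructed.

```python
# Simplified model (assumption, not ClearPass's API): services are tried in
# order, the first whose conditions all match handles the request, and the
# rules of its enforcement policy are then evaluated first-match.

def first_match(items, request):
    """Return (name, payload) of the first item whose conditions all hold."""
    for name, conds, payload in items:
        if all(request.get(k) == v for k, v in conds.items()):
            return name, payload
    return None, None

def shadowed(services):
    """Services that can never be selected because an earlier service's
    conditions are a subset of theirs and therefore always match first."""
    return [name for i, (name, conds, _) in enumerate(services)
            if any(prev.items() <= conds.items() for _, prev, _ in services[:i])]

def authorize(services, request, default="deny"):
    """Pick the service, then the role; fall back to an explicit default."""
    svc, rules = first_match(services, request)
    if svc is None:
        return None, default
    _, role = first_match(rules, request)
    return svc, role or default

MAB = {"auth_method": "mac-auth"}  # hypothetical service match condition

# Two services with identical conditions: the second is never reached.
SPLIT = [
    ("AP MAC auth", MAB, [("ap", {"category": "Access Point"}, "ap-role")]),
    ("Phone MAC auth", MAB, [("phone", {"category": "VoIP Phone"}, "phone-role")]),
]
# One service, one enforcement policy, one rule per device category.
MERGED = [
    ("Wired MAC auth", MAB, [
        ("ap", {"category": "Access Point"}, "ap-role"),
        ("phone", {"category": "VoIP Phone"}, "phone-role"),
        ("printer", {"category": "Printer"}, "printer-role"),
    ]),
]
PHONE = {"auth_method": "mac-auth", "category": "VoIP Phone"}    # constructed
CAMERA = {"auth_method": "mac-auth", "category": "Camera"}       # constructed

if __name__ == "__main__":
    print("shadowed services:", shadowed(SPLIT))
    print("split :", authorize(SPLIT, PHONE))
    print("merged:", authorize(MERGED, PHONE))
    print("merged, unlisted category:", authorize(MERGED, CAMERA))
```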