Occasional Contributor I

Authorizing Multiple Mac Based Devices

Could someone please give me an example of a policy to do MAC-based authentication via two different devices? Right now I have 2 policies, one for APs and one for IP phones. No matter how I have it set, everything stops at the first policy. I'm looking for individual policies for Phones, APs, and Printers.

Thanks

Guru Elite

Re: Authorizing Multiple Mac Based Devices

Take a look at the MAC auth service configurations in the ClearPass Solution Guide for Wired Policy Enforcement.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.

Occasional Contributor I

Re: Authorizing Multiple Mac Based Devices

Hi,

Thanks for the reply. I directly copied and pasted your suggestion into Google and it came up with a PDF linked by you. While browsing it, it appears that the example involves placing all MAB devices into one policy. Is this the only method outside of the second example of providing a captive portal? I would really like to have individual policies for printers, APs, and IP phones, or did I miss something in the document?

Thanks

Guru Elite

Re: Authorizing Multiple Mac Based Devices

You have multiple rules in a single enforcement policy, yes. This is how ClearPass works.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.

Occasional Contributor I

Re: Authorizing Multiple Mac Based Devices

OK. So I was right in assuming that ClearPass stops at the first authentication match, then evaluates the rules for a match, whereas Cisco ISE does not stop processing rules until there is an authorization match even if there are multiple matching authentication methods.

It's probably best for me to just allow the SE to configure this, as ClearPass does not make as much sense as ISE did when I configured it 5 years ago.

Thanks for the time saver.

Guru Elite

Re: Authorizing Multiple Mac Based Devices

Policy is about matching explicit conditions, like a firewall rule. Matching all doesn't really make sense and leaves a lot of room for misconfiguration resulting in the wrong access granted.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
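
The evaluation order discussed in this thread, as a simplified model added here for illustration; it is not taken from any post and is not ClearPass configuration syntax or its API. The service names, attribute keys and profile names are constructed, and the "split" layout assumes both services are selected by the same MAC-auth condition.

```python
# Simplified model of the behaviour discussed in this thread; not ClearPass
# configuration syntax. All names and values below are constructed.

def first_match(rules, request, default):
    """Return the result of the first rule whose conditions all match."""
    for conditions, result in rules:
        if all(request.get(k) == v for k, v in conditions.items()):
            return result
    return default

def authorize(services, request):
    """Pick the first service that matches, then evaluate only its policy."""
    for name, match, rules, default in services:
        if all(request.get(k) == v for k, v in match.items()):
            return name, first_match(rules, request, default)
    return None, "deny"

# Layout from the question: one service per device type, both selected by the
# same condition (assumption), so the second service is never reached.
split = [
    ("AP MAC auth", {"auth": "mac"}, [({"category": "ap"}, "ap-access")], "deny"),
    ("Phone MAC auth", {"auth": "mac"}, [({"category": "phone"}, "voice-access")], "deny"),
]

# Layout from the reply: one service, one enforcement policy, one explicit
# rule per device category, and a default that grants nothing.
single = [
    ("MAC auth", {"auth": "mac"}, [
        ({"category": "ap"}, "ap-access"),
        ({"category": "phone"}, "voice-access"),
        ({"category": "printer"}, "printer-access"),
    ], "deny"),
]

def demo():
    """Compare both layouts for each constructed device category."""
    out = {}
    for category in ("ap", "phone", "printer", "unknown"):
        req = {"auth": "mac", "category": category}
        out[category] = (authorize(split, req)[1], authorize(single, req)[1])
    return out

if __name__ == "__main__":
    for category, (split_result, single_result) in demo().items():
        print(f"{category:8} split={split_result:12} single={single_result}")
```

In the split layout only the AP is granted access because the first service consumes every MAC-auth request; in the single layout each category hits its own rule and an unrecognised device falls through to the deny default.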