Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CPPM CONFIG FOR WIRED PHONE USING MAC-AUTH

  • 1.  CPPM CONFIG FOR WIRED PHONE USING MAC-AUTH

    Posted Feb 12, 2020 12:04 AM

    We are testing CPPM for the first time using a wired MAC-auth service. The enforcement policy is simply:

    1.  connection: client-mac-vendor = XXX --> then apply these 3 profiles

    - update endpoint known
    - allow-all
    - assign voice vlan

    2.  connection: client-mac-vendor != XXX --> then apply these 3 profiles

    - update endpoint known
    - allow-all
    - assign data vlan

    We have a test phone with a PC connected to it, and the phone has a wired connection to an Aruba 2930F switch. The switch is configured to use CPPM for wired MAC-auth. The PC hits this service and gets assigned the data VLAN correctly. However, the phone hits this service but also gets assigned the data VLAN. The Access Tracker Input tab does show "connection: client-mac-vendor = XXX" (exactly how the enforcement policy is set up), but for some reason it skips over that policy condition and goes to the 2nd condition where the data VLAN is applied.

    Why is this?



  • 2.  RE: CPPM CONFIG FOR WIRED PHONE USING MAC-AUTH
    Best Answer

    EMPLOYEE
    Posted Feb 12, 2020 04:14 AM

    I would use profiler to determine that it is an IP Phone, but if all phones have the same MAC prefix, that would technically work as well (it just does not prevent MAC spoofing).

    Also, I would use the [Allow All MACAuth] service, so you don't need to mark the Endpoint as 'Known', unless you have another reason to mark the endpoint Known.

    In all cases so far, in such situations there was a slight difference between what is in the Access Tracker and what is tested in Enforcement or Role Mapping.

    One thing that I would do is check the MAC prefix in a role-mapping, then during Enforcement base your decision on the assigned roles. The first benefit is that you can see in Access Tracker which roles are assigned, so you quickly see that it has correctly interpreted the MAC prefix. The second is that you can easily add more prefixes to the role-mapping and/or use profiling as a second option to detect your phones.

    Also, if you haven't yet, check the ClearPass Solution Guide: Wired Policy Enforcement for best practices for such a scenario. If you prefer content in video, check Aruba ClearPass Workshop - (Video series), which covers a similar scenario as well (just with profiling, not with MAC prefix, but the approach is similar).



  • 3.  RE: CPPM CONFIG FOR WIRED PHONE USING MAC-AUTH

    EMPLOYEE
    Posted Feb 12, 2020 06:16 AM

    Further to Herman's comment: without the export of the Access Tracker it is very hard to guess why the policy was applied as you indicate. One thing that often trips me up is that the default role-mapping is "Match First" condition; typically I want this to be "Match All". Ironically, the Enforcement Policy is "Match All" conditions; typically I want this to be "Match First", as this is more deterministic.



  • 4.  RE: CPPM CONFIG FOR WIRED PHONE USING MAC-AUTH
    Best Answer

    Posted Feb 12, 2020 11:56 PM

    Thanks, and I agree that role mapping is the best way. Due to other factors, we found another way to do it without role mapping in the short term.

    It appears that CPPM changed the phone vendor we chose in the enforcement policy from ALL CAPS to lower-case; not sure why CPPM does that. In order to fix that issue, we use the equals-ignore-case option in the policy.
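A small Python model of the policy evaluation this thread describes (an added example, not ClearPass code and not from any of the posters): it reproduces the fall-through caused by a case-sensitive `=` against a lower-cased vendor value, the `equals-ignore-case` fix from post 4, and the Match First versus Match All difference from post 3. The attribute key, operator labels, vendor string and VLAN profile names are assumptions.

```python
from typing import Dict, List, Tuple

# Assumed names: the attribute key and operator labels mirror the thread's
# wording, not the real ClearPass internals. Vendor strings are constructed.
VENDOR_ATTR = "Connection:Client-Mac-Vendor"
VOICE = ["update-endpoint-known", "allow-all", "assign-voice-vlan"]
DATA = ["update-endpoint-known", "allow-all", "assign-data-vlan"]
Rule = Tuple[str, str, str, List[str]]  # (attribute, operator, value, profiles)


def build_rules(eq_op: str, ne_op: str = "!=") -> List[Rule]:
    """The two-rule policy from the thread: vendor match -> voice, otherwise -> data.
    The vendor value is typed in ALL CAPS, as the poster did."""
    return [
        (VENDOR_ATTR, eq_op, "VENDORCO", VOICE),
        (VENDOR_ATTR, ne_op, "VENDORCO", DATA),
    ]


def matches(op: str, expected: str, actual: str) -> bool:
    """Evaluate one condition. '=' and '!=' compare exactly; the ignore-case
    variants fold both sides first."""
    if op == "=":
        return expected == actual
    if op == "!=":
        return expected != actual
    if op == "equals-ignore-case":
        return expected.casefold() == actual.casefold()
    if op == "not-equals-ignore-case":
        return expected.casefold() != actual.casefold()
    raise ValueError(f"unknown operator: {op}")


def evaluate(rules: List[Rule], request: Dict[str, str],
             mode: str = "match-first") -> List[str]:
    """Return the profiles the policy applies to a request.
    match-first: the first matching rule wins (the deterministic mode post 3 prefers).
    match-all: every matching rule contributes, so overlapping rules can both fire."""
    selected: List[str] = []
    for attr, op, value, profiles in rules:
        if matches(op, value, request.get(attr, "")):
            selected.extend(profiles)
            if mode == "match-first":
                break
    return selected


# Constructed requests: CPPM stored the phone's vendor in lower-case, as post 4 observed.
PHONE = {VENDOR_ATTR: "vendorco"}
PC = {VENDOR_ATTR: "othervendor"}
```

With `=` the phone falls through to the data VLAN; with `equals-ignore-case` it gets the voice VLAN, and under Match All an unchanged `!=` second rule fires too, which is why a matching ignore-case negation (or Match First) is needed.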