Occasional Contributor I

Check role of MAC address

Hi

 

In a customer environment with ClearPass, MAC addresses have been added to do role mappings in several ways.

- Endpoints database with a custom attribute

- OUI in the role mapping policy

- Devices with a role in ClearPass Guest

 

Everything is working fine and devices get the correct roles based on the different taggings.

 

But would it be possible to create a page to search for a MAC address and get the resulting role sent back to the user? This way, users who don't need access to manage the MAC addresses can also do a lookup.

 

Would this work:

A web login page where the user submits a MAC address instead of a username. This is processed as a web logon with the same role mapping policy as the normal MAC authentication, and the resulting role is displayed to the user, or a message that the address wasn't found.

 

If it works, how do I implement it?

 

 

Jonas Hammarbäck | Aranya AB
ACMP, ACCP

Best Regards
Jonas Hammarbäck | Aranya AB
Network Architect, ACMA, ACMP, ACCP
Guru Elite

Re: Check role of MAC address

The roles that are sent back are a combination of attributes that are in the endpoints database as well as how those devices are handled by policies in a service.  Are you saying that you want an end user to have access to that information?


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
Occasional Contributor I

Re: Check role of MAC address

I would like to return just the role label, like Chromebox etc.

This will provide the needed information to the users that need it, but no useful information for others.

 

Any MAC address other than the ones that have been manually added in some way to ClearPass would result in a message that the MAC address isn't found.

 

Regards

Jonas

Guru Elite

Re: Check role of MAC address

Are these users end-users or network administrators?


Guru Elite

Re: Check role of MAC address

One option is to limit login users to read-only access of the endpoints database:  https://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/How-to-Create-users-with-Endpoint-Admin-privilege-in-CPPM-6-6-x/ta-p/292064


Occasional Contributor I

Re: Check role of MAC address

The users that need this information aren't real end users but administrators of video conferencing systems, audio systems etc.

 

Today they have access to the Endpoints repository and an option to add devices as a Guest Operator.

But they can't see the role mapping rules, and some OUIs have been added under the role mapping policy to minimize manual work.

 

Thus the idea that a page can do a search in all these three sources of information and if found return just the role name.

 

Regards

Jonas

Guru Elite

Re: Check role of MAC address

I am not aware of a tool that would expose the results of policies to non-admin users.  Maybe someone else can offer a suggestion.


Occasional Contributor I

Re: Check role of MAC address

Ok, thank you for the information.

Maybe this is something that needs some API requests to get.

 

Regards

Jonas
