Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Check role of MAC address

  • 1.  Check role of MAC address

    Posted Nov 22, 2018 06:00 AM

    Hi

     

    In a customer environment with ClearPass, MAC addresses have been added to do role mappings in several ways.

    - Endpoints database with a custom attribute

    - OUI in the role mapping policy

    - Devices with a role in ClearPass Guest

     

    Everything is working fine and devices get the correct roles based on the different taggings.

     

    But would it be possible to create a page to search for a MAC address and get the resulting role sent back to the user? This way, users who don't need access to manage the MAC addresses can also do a lookup.

     

    Would this work:

    A web login page where the user submits a MAC address instead of a username. This is processed as a web logon with the same role mapping policy as the normal MAC authentication and the resulting role is displayed to the user, or a message that the address wasn't found.

     

    If it works, how do I implement it?

     

     

    Jonas Hammarbäck | Aranya AB
    ACMP, ACCP



  • 2.  RE: Check role of MAC address

    EMPLOYEE
    Posted Nov 22, 2018 06:04 AM

    The roles that are sent back are a combination of attributes that are in the endpoints database as well as how those devices are handled by policies in a service.  Are you saying that you want an end user to have access to that information?



  • 3.  RE: Check role of MAC address

    Posted Nov 22, 2018 06:10 AM

    I would like to return just the role label, like Chromebox etc.

    This will provide the needed information to the users that need it, but no useful information for others.

     

    Any MAC address other than the ones that have been manually added in some way to ClearPass would result in a message that the MAC address isn't found.

     

    Regards

    Jonas



  • 4.  RE: Check role of MAC address

    EMPLOYEE
    Posted Nov 22, 2018 06:27 AM

    Are these users end-users or network administrators?



  • 5.  RE: Check role of MAC address

    EMPLOYEE
    Posted Nov 22, 2018 06:30 AM


  • 6.  RE: Check role of MAC address

    Posted Nov 22, 2018 06:43 AM

    The users that need this information aren't real end users but administrators of video conferencing systems, audio systems etc.

     

    Today they have access to the Endpoints repository and an option to add devices as a Guest Operator.

    But they can't see the role mapping rules and some OUIs have been added under the role mapping policy to minimize manual work.

     

    Thus the idea that a page can do a search in all these three sources of information and if found return just the role name.

     

    Regards

    Jonas



  • 7.  RE: Check role of MAC address

    EMPLOYEE
    Posted Nov 22, 2018 06:48 AM

    I am not aware of a tool that would expose the results of policies to non-admin users.  Maybe someone else can offer a suggestion.



  • 8.  RE: Check role of MAC address

    Posted Nov 22, 2018 06:59 AM

    Ok, thank you for the information.

    Maybe this is something that needs some API requests to get.

     

    Regards

    Jonas
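
The lookup discussed in this thread, sketched as an added example that is not part of the original posts and is not ClearPass code: it searches the three sources named in post 1 and returns only the role label, or one uniform "not found" message. The sample data, the function names and the precedence (exact MAC matches before OUI rules) are assumptions; a real deployment would read these values from ClearPass and follow the rule order of its role mapping policy.

```python
import re

# Constructed sample data standing in for the three sources named in the thread.
ENDPOINT_ATTR = {"001122334455": "Chromebox"}        # Endpoints DB custom attribute
GUEST_DEVICES = {"A4B1C1000001": "VideoConference"}  # devices registered via Guest
OUI_RULES = {"00A0DE": "AudioSystem"}                # OUI rules in the role mapping policy

# One message for malformed and unknown input, so the page reveals nothing
# beyond "this address has no manually assigned role".
NOT_FOUND = "MAC address not found"

# Accept aabbccddeeff, aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff and aabb.ccdd.eeff.
# The back-reference \1 rejects mixed separators such as aa:bb-cc:dd:ee:ff.
_MAC_RE = re.compile(
    r"[0-9A-Fa-f]{12}"
    r"|[0-9A-Fa-f]{2}([:-])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}"
    r"|[0-9A-Fa-f]{4}(?:\.[0-9A-Fa-f]{4}){2}"
)


def normalize_mac(raw):
    """Return the MAC as 12 uppercase hex digits, or None if it is not a MAC."""
    if not isinstance(raw, str):
        return None
    candidate = raw.strip()
    if not _MAC_RE.fullmatch(candidate):
        return None
    return re.sub(r"[^0-9A-Fa-f]", "", candidate).upper()


def lookup_role(raw):
    """Return only the role label for a MAC address, never the matching rule."""
    mac = normalize_mac(raw)
    if mac is None:
        return NOT_FOUND
    # Assumed precedence: exact matches first, then the vendor prefix (OUI).
    role = (
        ENDPOINT_ATTR.get(mac)
        or GUEST_DEVICES.get(mac)
        or OUI_RULES.get(mac[:6])
    )
    return role or NOT_FOUND
```
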