Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass Policy Manager ver 6.2 through 6.4 Regular Expressions in Static Host List

  • 1.  ClearPass Policy Manager ver 6.2 through 6.4 Regular Expressions in Static Host List

    Posted Sep 19, 2014 03:32 PM

    Currently we use the static host list in CPPM and have created different groups which are then called by the roles for the enforcement policy.  But, to avoid having to manage each MAC individually, we would like to create lists again separated out by device type or the role the device is to be in, and want to continue to use MAC auth along with a fingerprint to ascertain what the device is and which rule to land that device in.  But maintaining a running list of every full MAC would not be a manageable or sustainable method for us. I have parsed through the MAC OUIs in use and have come up with roughly 60 different OUIs.  Since we cannot use wildcards in the list function, we thought possibly to try to use the Regular Expression and build the list by group - but I am not a programmer, so I am looking for some guidance as to how to build a list of MAC OUIs using the Static Host List, Regular Expression format.  The information about using, as an example, 00-00-00-* does not work. I also attempted to insert |0c103e|001234|abcde1| and this too did not work.  Any assistance or guidance would be greatly appreciated.

    Thank you

    Tom R



  • 2.  RE: ClearPass Policy Manager ver 6.2 through 6.4 Regular Expressions in Static Host List

    Posted Sep 19, 2014 03:44 PM

    You should be able to add it:

    00ad46*

    [attachment: 2014-09-19 15_55_34-ClearPass Policy Manager - Aruba Networks.png]

    [attachment: 2014-09-19 15_56_58-ClearPass Policy Manager - Aruba Networks.png]

    [attachment: 2014-09-19 15_57_39-L2 Authentication.png]



  • 3.  RE: ClearPass Policy Manager ver 6.2 through 6.4 Regular Expressions in Static Host List

    Posted Sep 19, 2014 03:54 PM

    I have tried that also and it did not work.  So what would a list of MAC OUIs look like as a regular expression?  How would that be written so that it could easily be managed without having to know how to write code?

    Thank you



  • 4.  RE: ClearPass Policy Manager ver 6.2 through 6.4 Regular Expressions in Static Host List

    Posted Sep 19, 2014 04:05 PM

    It should work; it depends on what format the request is coming in.



  • 5.  RE: ClearPass Policy Manager ver 6.2 through 6.4 Regular Expressions in Static Host List

    Posted Sep 19, 2014 04:15 PM

    We have tried both lowercase colon-delimited as well as uppercase with hyphens, as well as all uppercase and all lowercase.  Because we are trying to build a list of them, though, or multiple MAC OUIs, maybe the format I attempted is wrong.  So if using the MAC OUI with the wildcard should work - then how would a list of MAC OUIs be built - or multiple MAC OUIs wild-carded in the same static host list?

    Thank you

    Tom R



  • 6.  RE: ClearPass Policy Manager ver 6.2 through 6.4 Regular Expressions in Static Host List

    Posted Sep 19, 2014 04:23 PM
    I haven't tried multiple; you add another one and assign the same role.


  • 7.  RE: ClearPass Policy Manager ver 6.2 through 6.4 Regular Expressions in Static Host List

    Posted Sep 19, 2014 04:49 PM

    If I try adding multiple expressions then authentication fails; I separated each using a comma.



  • 8.  RE: ClearPass Policy Manager ver 6.2 through 6.4 Regular Expressions in Static Host List

    EMPLOYEE
    Posted Sep 20, 2014 06:21 AM

    The field asks for regular expressions (http://en.wikipedia.org/wiki/Regular_expression). In regular expressions, the asterisk (*) means: 'match zero or more of the previous character'.

    So, 0022fb* would match, for example: 0022f, 0022fb, 0022fbb, 0022fbbbb, etc., but only 'b' at the end. If you want to match anything that starts with 0022fb, the regular expression would be 0022fb.* (dot-asterisk). The dot will match any single character; the asterisk makes that a match for any number of any characters.

    If you see the example, for MAC addresses it should be separated with dashes; so:

    00-22-FB-.*

    should match any MAC address starting with 00:22:FB / 0022fb / 0022:fb / 00-22-fb, depending on how you write MAC addresses.

    The example 08-00-07-.*-A9-2[BF] would match MAC addresses that start with 08-00-07-, then any value, then -A9-2B or -A9-2F (the [ ] means one of).

    If you use .* instead of *, it will probably work better.  Without knowing the full background, using profiling to detect specific types of devices like VoIP phones, or the MAC vendor, might better fit what you want to achieve (it does in many cases where people want to use regexes).

    Herman
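The points in the reply above (that `*` repeats only the preceding character while `.*` matches anything, and that the dash-separated patterns are meant to cover a MAC however it was typed) can be checked with a small script. This is an added example, not code from the thread or from ClearPass: it runs the patterns through Python's `re` engine, and it goes one step beyond the post by combining several OUIs into a single pattern with regex alternation `(?:a|b)` and using that to sort MACs into a handful of device groups, which is the grouping the original poster was after. Whether the ClearPass Static Host List field evaluates patterns anchored against the full string, case-insensitively, and with alternation, as this script assumes, is not confirmed by the thread; the `normalize_mac`, `mac_matches`, `oui_group_pattern` and `classify_mac` functions and the sample MACs and group names are all constructed for the example.

```python
import re
from typing import Dict, Iterable, Optional

# Constructed sample MACs in the formats the thread mentions (colons, dashes,
# no separators, mixed case). None belong to real devices.
SAMPLE_MACS = [
    "00:22:FB:12:34:56",
    "0022fb123456",
    "00-22-fb-12-34-56",
    "08:00:07:55:A9:2B",
    "08:00:07:55:A9:2C",
    "0c:10:3e:aa:bb:cc",
]


def normalize_mac(mac: str) -> str:
    """Return the MAC as lowercase dash-separated octets, e.g. 00-22-fb-12-34-56.

    Any separator (or none) is accepted; anything that is not 12 hex digits is
    rejected, so a malformed value can never slip through as a match.
    """
    hex_only = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hex_only) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return "-".join(hex_only[i:i + 2] for i in range(0, 12, 2))


def regex_matches(pattern: str, text: str) -> bool:
    """Anchored, case-insensitive match of the whole string (assumed engine behaviour)."""
    return re.fullmatch(pattern, text, re.IGNORECASE) is not None


def mac_matches(pattern: str, mac: str) -> bool:
    """Match a dash-style pattern, as in the post's examples, against a MAC in any format."""
    return regex_matches(pattern, normalize_mac(mac))


def oui_group_pattern(ouis: Iterable[str]) -> str:
    """Combine several OUIs into one pattern, e.g. (?:00-22-fb|0c-10-3e)-.*

    Each OUI may be written with or without separators. Alternation is standard
    regex syntax; that the ClearPass field accepts it is an assumption.
    """
    normalized = []
    for oui in ouis:
        hex_only = re.sub(r"[^0-9a-fA-F]", "", oui).lower()
        if len(hex_only) != 6:
            raise ValueError(f"not a 24-bit OUI: {oui!r}")
        normalized.append("-".join(hex_only[i:i + 2] for i in range(0, 6, 2)))
    return "(?:" + "|".join(normalized) + ")-.*"


def classify_mac(mac: str, groups: Dict[str, Iterable[str]]) -> Optional[str]:
    """Return the name of the first group (name -> list of OUIs) whose pattern matches."""
    for name, ouis in groups.items():
        if mac_matches(oui_group_pattern(ouis), mac):
            return name
    return None


if __name__ == "__main__":
    # '*' vs '.*' on the undelimited form, as described in the post.
    for pattern in ("0022fb*", "0022fb.*"):
        hits = [m for m in ("0022f", "0022fb", "0022fb123456") if regex_matches(pattern, m)]
        print(f"{pattern:10} matches {hits}")
    # Dash-style patterns from the post against MACs written every which way.
    for pattern in ("00-22-FB-.*", "08-00-07-.*-A9-2[BF]"):
        print(f"{pattern:22} matches {[m for m in SAMPLE_MACS if mac_matches(pattern, m)]}")
    # Hypothetical device groups, each holding several OUIs in one pattern.
    groups = {"phones": ["00:22:FB", "0c103e"], "printers": ["08-00-07"]}
    for m in SAMPLE_MACS:
        print(f"{m:20} -> {classify_mac(m, groups)}")
```

Normalising the MAC before matching is what makes one dash-style pattern cover the colon, dash and bare forms the thread struggled with; if the product does not normalise for you, the pattern has to be written for whatever form the RADIUS request actually carries.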



  • 9.  RE: ClearPass Policy Manager ver 6.2 through 6.4 Regular Expressions in Static Host List

    Posted Sep 19, 2014 04:52 PM

    Why not set up role mappings based on the OUIs rather than a static host list?  Then use this role for your enforcement policy.  I think that would be easier than trying to determine a regular expression that works for 60+ OUIs.

    [attachment: cppm-mac-role.png]



  • 10.  RE: ClearPass Policy Manager ver 6.2 through 6.4 Regular Expressions in Static Host List

    Posted Sep 19, 2014 05:00 PM

    The rationale behind grouping MAC OUIs into 6 different static host lists is that it reduces the roles from 60 down to 6, thus simplifying the configuration and management.  I will try your method again and continue my testing - but since regular expressions do allow wildcards, I would prefer to go that route if at all possible.

    Thank you

    Tom R



  • 11.  RE: ClearPass Policy Manager ver 6.2 through 6.4 Regular Expressions in Static Host List

    EMPLOYEE
    Posted Sep 19, 2014 08:08 PM

    Just out of curiosity, do you know that ClearPass uses MAC prefixes as part of the profile process and you can actually use the "MAC Vendor" option in a role map?



  • 12.  RE: ClearPass Policy Manager ver 6.2 through 6.4 Regular Expressions in Static Host List

    Posted Sep 22, 2014 10:24 AM

    Yes, I did know that, and part of that AUTH process requires portions of the fingerprint - but in this case we have to be more specific due to device and network overlaps. I cannot give too many details due to the nature of the business.  But thank you for that reminder, as it gives me another idea.

    Thank you

    Tom R