Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Creating a mac address whitelist using the internal DB

  • 1.  Creating a mac address whitelist using the internal DB

    Posted Feb 24, 2014 09:13 AM

    I am attempting to implement a MAC address whitelist for one of our VLANs. I'm using the internal database to store these MAC addresses. Previously, the internal DB was only used for guest provisioning, and so every user automatically gets the role 'guest'.

    The VLAN I want to filter has the default role of logon, so if I understand it right, I should change the initial role to denyall, and then when I store the MAC addresses in the internal DB, their roles should be 'logon'.

    Unfortunately I cannot assign a different role to the entries in the internal DB. I do not have the option to select a role from the 'add user' dialog, and if I try adding via the command line with this command:

    local-userdb add username <mac> password <mac> role logon

    it tells me I have invalid input, but without the "role logon" it adds the entry fine (with guest as the role).

    I was not around when the guest provisioning was initially set up, but it seems like something is overriding my requests to use a different role and I can't figure out what! Any ideas?



  • 2.  RE: Creating a mac address whitelist using the internal DB

    EMPLOYEE
    Posted Feb 24, 2014 09:53 AM

    In the AAA profile, you can set the default role for a successful MAC auth. Your initial role in the AAA profile can be the "deny all" role.

    That will override any role you put in the local-user-db.
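As an added example (not from the original thread or from HPE Aruba), here is what the setup described in reply 2 looks like in the ArubaOS controller CLI, assuming the PEF license is present (without it the only roles available are logon and guest, as the thread goes on to establish). The profile name, virtual-AP name and MAC address are placeholders; denyall and logon are the controller's predefined roles. The lines starting with "!" are annotations, not commands to type.

```text
! MAC authentication profile: controls how the client MAC is formatted
! before the lookup, so the local-userdb entries must be written in the
! same format (here: colon-delimited, lower case)
aaa authentication mac "mac-whitelist"
   delimiter colon
   case lower

! AAA profile: an unknown MAC stays in the deny-all initial role;
! a MAC found in the internal DB gets the MAC-auth default role,
! regardless of the role stored on the local-userdb entry
aaa profile "mac-whitelist"
   initial-role "denyall"
   authentication-mac "mac-whitelist"
   mac-server-group "internal"
   mac-default-role "logon"

! Whitelist entry in the internal DB: username and password are both the MAC
local-userdb add username "00:11:22:33:44:55" password "00:11:22:33:44:55"

! Attach the AAA profile to the virtual AP serving the filtered VLAN
wlan virtual-ap "whitelist-vap"
   aaa-profile "mac-whitelist"
```

To confirm the result, "show aaa profile mac-whitelist" and "show local-userdb" display the profile and the stored entries, and "show user-table" shows which role a connected client actually landed in. Keep in mind that a MAC whitelist only keeps casual devices out: a client MAC is trivially spoofable, so treat this as a gate in front of the captive portal or 802.1X, not as authentication on its own.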



  • 3.  RE: Creating a mac address whitelist using the internal DB

    Posted Feb 24, 2014 10:18 AM

    See, now this leads to another oddity. When I go to my AAA profile, these are the only options I have... It was because of this that I started looking at how to change the role in the internal database in the first place...



  • 4.  RE: Creating a mac address whitelist using the internal DB

    EMPLOYEE
    Posted Feb 24, 2014 10:24 AM
    Do you have the PEF (policy enforcement license) installed?


  • 5.  RE: Creating a mac address whitelist using the internal DB

    Posted Feb 24, 2014 10:29 AM

    If that's the Policy Enforcement Firewall license, then no, it reads as Disabled.

    Is this required in order to do MAC filtering, even if I don't require any other firewall features?

    (Just to add to this, currently our controller uses 802.11 authentication and also captive portal login for guest accounts.)



  • 6.  RE: Creating a mac address whitelist using the internal DB

    EMPLOYEE
    Posted Feb 24, 2014 10:40 AM

    I don't know, but you cannot have any different roles besides "logon" and "guest" when you don't have the PEF license.

     

    I am not sure that you can layer another type of authentication on top of an existing one without the PEF license.



  • 7.  RE: Creating a mac address whitelist using the internal DB

    Posted Feb 24, 2014 10:58 AM

    Oh, I see, so even though 'logon' is an available role, I may not be able to define a role other than 'guest' for the internal database and/or likewise for the AAA profile's MAC authentication role?



  • 8.  RE: Creating a mac address whitelist using the internal DB

    EMPLOYEE
    Posted Feb 24, 2014 10:59 AM
    Correct.


  • 9.  RE: Creating a mac address whitelist using the internal DB

    Posted Feb 24, 2014 11:14 AM

    Okay, we'll look into getting things worked out. Thanks for your help!