Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

How to set up CPPM wired authentication to allow all with no manual entry

  • 1.  How to set up CPPM wired authentication to allow all with no manual entry

    Posted Feb 10, 2020 01:08 AM

    This is for IoT devices connected to Aruba 2930F wired switches.  We want to set up CPPM without security, but we want every wired client device to be forced to go through CPPM.  The goal is for them to be given access without any authentication source the first time and then use CoA to move them to a new VLAN.  Can this be done without entering the MAC address, vendor or any info into any database, list, etc. (so that a completely unknown client can get authenticated and moved to a new VLAN the first time it ever connects to the wired switch)?



  • 2.  RE: How to set up CPPM wired authentication to allow all with no manual entry

    Posted Feb 10, 2020 01:56 AM

    Hi,

    You can create a generic RADIUS service with [Allow All MAC Auth] as the authentication method (on the NAD side, mac-auth should be configured on the ports).

    This will actually make any device using MAC-Auth pass the Authentication phase. You can then implement your CoA policy based on the Authorization phase.

    Cheers,



  • 3.  RE: How to set up CPPM wired authentication to allow all with no manual entry
    Best Answer

    Posted Feb 10, 2020 03:58 PM

    Thanks, Sacha,

    First thing to note: that worked, you were correct.

    Second thing to note: the service does force you to have at least one authentication source.  It won't allow zero sources.  Therefore, I used the Endpoints database as the authentication source.  I removed/deleted all endpoints and tested again.  Even though the device rebooted, hit the CPPM mac-auth service and wasn't in the Endpoints database, it still did a successful authentication due to the "allow all" authentication method.  Then, the CoA rule was applied, also using the Endpoints database in the Authorization tab, and the device was placed into the new VLAN.
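The NAD-side piece the replies refer to (mac-auth on the ports, CoA accepted from ClearPass) on an ArubaOS-Switch 2930F, as an added example that is not from the thread. The server address 192.0.2.10, the shared secret, the port range 1-24, the VLAN IDs 200 and 999 and the use of chap-radius are assumed placeholders.

```text
; ClearPass as the RADIUS server. "dyn-authorization" accepts the CoA /
; Disconnect messages that move a client to a new VLAN after authorization.
; Address and shared secret are placeholders (assumed).
radius-server host 192.0.2.10 key "REPLACE-WITH-SHARED-SECRET"
radius-server host 192.0.2.10 dyn-authorization
radius-server host 192.0.2.10 time-window 0

; MAC authentication against RADIUS: the switch sends the client MAC as
; username/password, and a CPPM service using [Allow All MAC Auth] accepts
; it without an entry in any database. chap-radius is an assumption.
aaa authentication mac-based chap-radius

; Enable mac-auth on the IoT access ports (1-24 assumed).
aaa port-access mac-based 1-24
; Cap concurrent MACs per port so a single port cannot fill the Endpoints
; database with auto-created entries.
aaa port-access mac-based 1-24 addr-limit 8
; Fallback VLAN (999 assumed) used only when ClearPass is unreachable; with
; "allow all" there is no authentication-failure case to land in.
aaa port-access mac-based 1-24 unauth-vid 999

; Any VLAN a CPPM enforcement profile returns must exist on the switch (200 assumed).
vlan 200 name "iot-production"
```

With the authentication phase reduced to "allow all", the enforcement policy in the Authorization tab is the only control deciding which VLAN an unknown device lands in, so the profile for devices not yet in the Endpoints database should be the restricted one.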