My customer would like to secure the wired port to which he is connecting an Aruba outdoor AP. If you enabled MAC-auth on the host switch and also configured the default gateway to forward DHCP requests to ClearPass, how would the AP appear to the fingerprinting function in CPPM? Would it be a unique enough device type to lock down that switch port not just to the MAC but to Aruba APs only?
It would look like this:
Thanks Colin - that would present another hurdle, for users looking to simply plug in to the AP's switch port... Could we write a CP rule that requires the device on that port to have the matching device name, too..?
You would have to compare it against a static MAC address list of allowed APs. Just checking for an Aruba AP would allow ANY Aruba AP to connect.
Sure; MAC-auth is my planned 'first barrier':
1) MAC auth against the installed AP's MAC
2) Permit only device name Aruba networks-AP-224 (or whatever the AP type happened to be)
Thanks for your help, as always... :)