Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

MAC addresses disappearing from Static Host Lists

  • 1.  MAC addresses disappearing from Static Host Lists

    Posted Nov 02, 2018 03:36 PM

    I realize it's not recommended to use Static Host Lists anymore but that's not a discussion I'm interested in having today.

     

    I have MAC addresses that are disappearing from my static host lists.  I know this because I export the Static Host Lists once a month as a backup.  What I'm seeing is computers with MAC addresses that are in the list one month and then they stop authenticating to ClearPass.  I then manually add the MAC address (which exists in the previous SHL backup), and it lets me add it, which tells me it's not currently there.  Is there some type of limit or bug that would be causing this kind of behavior?
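    The monthly export described above can be turned into an actual drift check rather than a backup that is only consulted after a device stops authenticating. The script below is an added example, not code from the thread or from HPE Aruba ClearPass: it parses two Static Host List snapshots, normalises the MAC notation so that colon, hyphen and dotted forms compare equal, and reports which entries dropped out and which were added. The one-entry-per-line "MAC,description" format and the sample entries are constructed assumptions; the real ClearPass export format is not shown in the thread, so the parser would need to be adapted to it.

```python
from __future__ import annotations

import re

# Constructed sample snapshots of a Static Host List, one month apart.
# The "MAC,description" line format is an assumption for this example;
# adapt parse_shl_export() to whatever format your export actually uses.
SHL_EXPORT_OCTOBER = """\
00:11:22:AA:BB:01,LAPTOP-001
00-11-22-aa-bb-02,LAPTOP-002
001122.aabb03,LAPTOP-003
00:11:22:AA:BB:04,LAPTOP-004
"""

SHL_EXPORT_NOVEMBER = """\
00:11:22:AA:BB:01,LAPTOP-001
00:11:22:AA:BB:03,LAPTOP-003
00:11:22:AA:BB:05,LAPTOP-005
not-a-mac,BROKEN-ENTRY
"""


def normalize_mac(raw: str) -> str:
    """Return the MAC as lower-case colon-separated octets, whatever the input style."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_shl_export(text: str) -> tuple[dict[str, str], list[str]]:
    """Parse an export into {normalised_mac: description}; unparseable lines are returned separately."""
    entries: dict[str, str] = {}
    rejected: list[str] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        mac, _, description = line.partition(",")
        try:
            entries[normalize_mac(mac)] = description.strip()
        except ValueError:
            rejected.append(line)
    return entries, rejected


def diff_shl(previous: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Compare two snapshots and list MACs that disappeared and MACs that are new."""
    return {
        "dropped": sorted(set(previous) - set(current)),
        "added": sorted(set(current) - set(previous)),
    }


def reinstate_lines(previous: dict[str, str], dropped: list[str]) -> list[str]:
    """Rebuild the export lines for dropped entries so they can be re-imported with their descriptions."""
    return [f"{mac},{previous[mac]}" for mac in dropped]


if __name__ == "__main__":
    old, old_rejected = parse_shl_export(SHL_EXPORT_OCTOBER)
    new, new_rejected = parse_shl_export(SHL_EXPORT_NOVEMBER)
    report = diff_shl(old, new)
    print("dropped since last export:", report["dropped"])
    print("added since last export:  ", report["added"])
    print("lines to re-import:       ", reinstate_lines(old, report["dropped"]))
    if new_rejected:
        print("unparseable lines in current export:", new_rejected)
```

    Run against each new monthly export, the "dropped" list is the evidence to take to the audit viewer (or to support) while the audit data is still within its retention window, instead of discovering the gap only when a device lands in the wrong role.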



  • 2.  RE: MAC addresses disappearing from Static Host Lists

    EMPLOYEE
    Posted Nov 02, 2018 07:27 PM

    Sidestepping the static host list, for the moment.

     

    Would it be possible to set up a SQL database and use that as your authentication source for the MAC addresses?

     



  • 3.  RE: MAC addresses disappearing from Static Host Lists

    Posted Nov 04, 2018 10:13 AM

    Please check the audit viewer to see if there is any change to the static host list. By default audit data will be stored for 7 days. The migration to another data source (Endpoint or Guest Device database) is a good idea! :)



  • 4.  RE: MAC addresses disappearing from Static Host Lists

    Posted Nov 06, 2018 08:50 AM

    @Willem Bargeman wrote:

    Please check the audit viewer to see if there is any change to the static host list. By default audit data will be stored for 7 days. The migration to another data source (Endpoint or Guest Device database) is a good idea! :)


    I did, there are very rarely changes and everything that shows there is me adding or editing the Static Host list (usually adding a MAC address that has somehow disappeared from the list) every few weeks.

    I use the static host lists in my 802.1x policy for machine authentication.  So in order for my Windows devices to get put in the machine auth role, their MAC has to be in the SHL and the computer has to be joined to my AD domain.  Is there any other way to do this without an SHL?

    I just don't understand why MACs would be dropping from the list.



  • 5.  RE: MAC addresses disappearing from Static Host Lists

    Posted Nov 06, 2018 08:58 AM

    When you are on 802.1x I don't see the reason why you are using SHL. With 802.1x you can do the authorization based on the LDAP information. 

     

    An alternative solution for SHL is using the Endpoint database. You can create additional attributes in the endpoint database and use these during authorization and during the role mapping / enforcement.



  • 6.  RE: MAC addresses disappearing from Static Host Lists

    Posted Nov 06, 2018 09:09 AM

    @Willem Bargeman wrote:

    When you are on 802.1x I don't see the reason why you are using SHL. With 802.1x you can do the authorization based on the LDAP information. 

     

    An alternative solution for SHL is using the Endpoint database. You can create additional attributes in the endpoint database and use these during authorization and during the role mapping / enforcement.


    Can you elaborate a bit on what you mean by LDAP information?

    How I have it working now is machines need to match two sets of criteria.  Both the SHL and Active Directory machine authentication to get put in the machine auth role.  I want to keep it that way.

     

    Are you saying I can migrate all my MACs to the endpoint database and use that as one of the criteria in my 802.1x enforcement policy?



  • 7.  RE: MAC addresses disappearing from Static Host Lists

    EMPLOYEE
    Posted Nov 06, 2018 09:08 AM

    @JimPhreak wrote:

    @Willem Bargeman wrote:

    Please check the audit viewer to see if there is any change to the static host list. By default audit data will be stored for 7 days. The migration to another data source (Endpoint or Guest Device database) is a good idea! :)


    I did, there are very rarely changes and everything that shows there is me adding or editing the Static Host list (usually adding a MAC address that has somehow disappeared from the list) every few weeks.

    I use the static host lists in my 802.1x policy for machine authentication.  So in order for my Windows devices to get put in the machine auth role, their MAC has to be in the SHL and the computer has to be joined to my AD domain.  Is there any other way to do this without an SHL?

    I just don't understand why MACs would be dropping from the list.


    Devices are automatically added to the machine authentication database and get the role [Machine Authenticated] when they authenticate with a username of 'host/'.  That status is cached and can also be cleared:  https://www.arubanetworks.com/techdocs/ClearPass/6.7/PolicyManager/index.htm#CPPM_UserGuide/Admin/ServerConfig_ClearMacAuthCache.htm?Highlight=machine



  • 8.  RE: MAC addresses disappearing from Static Host Lists

    Posted Nov 06, 2018 09:11 AM

    @cjoseph wrote:

    @JimPhreak wrote:

    @Willem Bargeman wrote:

    Please check the audit viewer to see if there is any change to the static host list. By default audit data will be stored for 7 days. The migration to another data source (Endpoint or Guest Device database) is a good idea! :)


    I did, there are very rarely changes and everything that shows there is me adding or editing the Static Host list (usually adding a MAC address that has somehow disappeared from the list) every few weeks.

    I use the static host lists in my 802.1x policy for machine authentication.  So in order for my Windows devices to get put in the machine auth role, their MAC has to be in the SHL and the computer has to be joined to my AD domain.  Is there any other way to do this without an SHL?

    I just don't understand why MACs would be dropping from the list.


    Devices are automatically added to the machine authentication database and get the role [Machine Authenticated] when they authenticate with a username of 'host/'.  That status is cached and can also be cleared:  https://www.arubanetworks.com/techdocs/ClearPass/6.7/PolicyManager/index.htm#CPPM_UserGuide/Admin/ServerConfig_ClearMacAuthCache.htm?Highlight=machine


    Pardon my post.  When I say "machine authentication role" I mean my own role that I created.  I have my own role called "MYNETWORK-machineauth" that my Windows machines get placed in when they match my criteria (SHL + Windows AD lookup).  That role has specific ACLs assigned to it that are more restrictive than when the user signs in with their AD credentials, which puts them in a different role.



  • 9.  RE: MAC addresses disappearing from Static Host Lists

    EMPLOYEE
    Posted Nov 06, 2018 09:15 AM

    Understood.

     

    I think the thing here is that SHLs seem to be good when you want to do a quick and dirty change for a handful of clients, but it becomes unwieldy for managing a lot of clients.



  • 10.  RE: MAC addresses disappearing from Static Host Lists

    Posted Nov 06, 2018 09:19 AM

    @cjoseph wrote:

    Understood.

     

    I think the thing here is that SHLs seem to be good when you want to do a quick and dirty change for a handful of clients, but it becomes unwieldy for managing a lot of clients.


    Got it.  Is the only recommended way to just drop the requirement of referencing a SHL?  Even though I know MACs can easily be spoofed, I really do like having that extra security layer.



  • 11.  RE: MAC addresses disappearing from Static Host Lists

    EMPLOYEE
    Posted Nov 06, 2018 09:36 AM

    No, there are a few other ways that are more flexible.

     

    WARNING, a lot of reading ahead:

    https://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Best-practices-and-points-to-remember-while-deploying-user-and/ta-p/260781



  • 12.  RE: MAC addresses disappearing from Static Host Lists

    EMPLOYEE
    Posted Nov 06, 2018 09:37 AM
    Device Registration is always recommended over SHL.


  • 13.  RE: MAC addresses disappearing from Static Host Lists

    Posted Nov 06, 2018 09:42 AM
    @cjoseph wrote:

    No, there are a few other ways that are more flexible.

     

    WARNING, a lot of reading ahead:

    https://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Best-practices-and-points-to-remember-while-deploying-user-and/ta-p/260781


    Thanks I will read this now.

     

    @cappalli wrote:
    Device Registration is always recommended over SHL.

    How exactly does Device Registration work?  I have an SSID that is used both for domain devices (currently if the machine matches SHL and is domain joined) and BYOD (user devices that don't match SHL).

     

    I want to keep using the same SSID but only allow my 2,500 or so Windows devices to get put in "MYNETWORK-machineauth" role.



  • 14.  RE: MAC addresses disappearing from Static Host Lists

    EMPLOYEE
    Posted Nov 06, 2018 09:43 AM
    In that case, you really shouldn’t be using MAC at all. Use machine authentication.


  • 15.  RE: MAC addresses disappearing from Static Host Lists

    Posted Nov 06, 2018 09:45 AM

    @cappalli wrote:
    In that case, you really shouldn’t be using MAC at all. Use machine authentication.

    So you're recommending I just drop the requirement to match the list of devices I have and use Windows AD machine authentication as the only requirement for access?



  • 16.  RE: MAC addresses disappearing from Static Host Lists

    EMPLOYEE
    Posted Nov 06, 2018 10:35 AM

    YESSSSSS!!!!

     

    Just check for the [Machine Authenticated] role!


