Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Mac-Auth service for all our Aruba APs

  • 1.  Mac-Auth service for all our Aruba APs

    Posted Dec 11, 2014 08:30 AM

    I'm trying to set up a ClearPass mac-auth service for all our Aruba APs. Theory is that I build up a list of appropriate mac address prefixes and use them to generate the appropriate enforcement policy to drop them into the right vlan.

    What I've done is

    1). Create a number of regex static host lists eg.

    Name: "Aruba AP225"
    Host format: Regular Expressions
    Host Type: mac address
    RegEx: ^18-64-72-2[0-9A-F]-2[0-9A-F]-2[0-9A-F]$

    so in theory all mac addresses starting with 18-64-72 are defined as being AP225s

    2). Create an authentication source

    Name: Aruba AP list
    Type: Static Host List
    Mac address host list: ArubaAP 225, ArubaAP 275, ArubaAP 125......

    3). Create service

    Name: UoY Aruba AP authentication
    Service Rule: All of following
      radius:ietf nas-port-type = Ethernet
      radius:ietf Service-Type = Call-Check
      Authentication Source Belongs_to "Aruba AP List"

    An auth from an AP 225 mac address doesn't pick up this service, it drops down into the generic mac-auth service defined later on. If I remove the Auth:source... service rule and replace it with one saying radius:ietf User-Name Starts-With ...... then the service is picked up just fine.

    Don't really want to have to specify all the mac prefixes in order to select this service, what am I doing wrong?

    Rgds

    Alex



    #AP225


  • 2.  RE: Mac-Auth service for all our Aruba APs

    EMPLOYEE
    Posted Dec 11, 2014 09:49 AM

    I use a role map instead of a static host list as I find it to be more reliable.

    [Attachment: ROLE-MAP-AP.JPG]



  • 3.  RE: Mac-Auth service for all our Aruba APs

    Posted Dec 13, 2014 10:32 AM

    I haven't played at all with CPPM regexps but in ROTW regexp syntax, 2[0-9A-F] means "match the number 2 followed by a hexdigit". Only some regexp syntaxes like PCRE support numeric quantifiers like [0-9A-F]{2}, and just writing [0-9A-F][0-9A-F] would be more self-explanatory. Also, check for case folding issues.
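To make the regex point in the reply above concrete, here is an added example (not from the thread and not ClearPass code) that runs the pattern quoted in the first post and a corrected two-hex-digit form over constructed MAC addresses with Python's re module; it assumes the CPPM matcher treats these basic constructs the same way, and only the OUI 18-64-72 comes from the post, the remaining octets are made up.

```python
import re

# Pattern quoted in the original post: "2[0-9A-F]" is the literal digit 2
# followed by one hex digit, so it only matches addresses whose last three
# octets all begin with 2, not every address in the 18-64-72 OUI.
ORIGINAL_PATTERN = r"^18-64-72-2[0-9A-F]-2[0-9A-F]-2[0-9A-F]$"

# Corrected pattern: any two hex digits per trailing octet.
CORRECTED_PATTERN = r"^18-64-72-[0-9A-F]{2}-[0-9A-F]{2}-[0-9A-F]{2}$"

# Constructed sample MAC addresses (hypothetical; only the 18-64-72 OUI
# appears in the thread, the device-specific octets are invented here).
SAMPLE_MACS = [
    "18-64-72-21-2A-2F",   # every trailing octet starts with 2
    "18-64-72-AB-CD-EF",   # same OUI, octets that do not start with 2
    "18-64-72-ab-cd-ef",   # same address in lower case (case-folding check)
    "00-11-22-AB-CD-EF",   # a different OUI, should never match
]


def matches(pattern: str, mac: str, ignore_case: bool = False) -> bool:
    """Whole-string match of one MAC against a pattern."""
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(pattern, mac, flags) is not None


def evaluate(pattern: str, ignore_case: bool = False) -> dict:
    """Map each sample MAC to whether the pattern accepts it."""
    return {mac: matches(pattern, mac, ignore_case) for mac in SAMPLE_MACS}


if __name__ == "__main__":
    for name, pat in (("original", ORIGINAL_PATTERN), ("corrected", CORRECTED_PATTERN)):
        print(name, evaluate(pat))
    # Lower-case input is only accepted once case folding is applied.
    print("corrected, case-insensitive", evaluate(CORRECTED_PATTERN, ignore_case=True))
```

The original pattern accepts only the first sample address, which is why most AP225s fall through to the generic mac-auth service; the corrected pattern still rejects the lower-case form until the match is made case-insensitive.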