Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Mac + User Auth and/or Machine and User auth for same SSID

  • 1.  Mac + User Auth and/or Machine and User auth for same SSID

    Posted Feb 03, 2015 06:50 PM

     

    Using ClearPass and IAPs, I have one SSID that needs to be able to do machine & user auth, plus MAC and user auth via static hosts. Machine and user auth for domain machines, and MAC and user auth for non-domain devices, i.e. iPads etc. I was able to get the machine and user auth to work. I'm having trouble getting the MAC auth. I was referencing http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/CPPM-MAC-Authentication-configuration-against-static-host-list/ta-p/180662 which doesn’t get me there. Do I need to set up a different service for the MAC and user auth, or can I add the MAC auth to the machine and user auth service without hosing it? How to do this?

    Advice and articles welcome. Thxs



  • 2.  RE: Mac + User Auth and/or Machine and User auth for same SSID

    EMPLOYEE
    Posted Feb 03, 2015 06:53 PM
    I would not recommend using static host lists for large numbers of devices as it can become unmanageable. I would recommend creating a custom attribute in the endpoint database or using the built-in Known endpoint status for authorizing MAC addresses.


    Thanks, 
    Tim


  • 3.  RE: Mac + User Auth and/or Machine and User auth for same SSID

    Posted Feb 03, 2015 07:07 PM

    It's a small MAC list. Do you have instructional documents on how to do any of this stuff?



  • 4.  RE: Mac + User Auth and/or Machine and User auth for same SSID
    Best Answer

    EMPLOYEE
    Posted Feb 03, 2015 07:16 PM

    Here is the basic setup, but what authentication type/method are you using? EAP-TLS? EAP-PEAP?

     

    - Add the Endpoints Repository as an authorization source in your service.

    - Add a new rule to your enforcement policy like below:

     

    endpoint-status-known.PNG

     

    - Set endpoints to "Known" in the endpoint database.

     

    epdb-known.PNG



  • 5.  RE: Mac + User Auth and/or Machine and User auth for same SSID

    Posted Feb 04, 2015 08:35 PM

    Tim, I will give this a try tomorrow. How does ClearPass determine if a device is known vs unknown?



  • 6.  RE: Mac + User Auth and/or Machine and User auth for same SSID

    EMPLOYEE
    Posted Feb 04, 2015 08:36 PM

    All devices are Unknown unless:

     

    - You manually mark them as Known,

    - You use an enforcement action to set them to Known based on other values,

    - You import a list of MAC addresses with the Known flag