Contributor II

MAC + User Auth and/or Machine and User Auth for same SSID

Using ClearPass and IAPs, I have one SSID that needs to be able to do machine & user auth, plus MAC and user auth via static hosts. Machine and user auth for domain machines, and MAC and user auth for non-domain devices, i.e. iPads etc. I was able to get the machine and user auth to work. I'm having trouble getting the MAC auth. I was referencing http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/CPPM-MAC-Authentication-configuration-against-static-host-list/ta-p/180662 which doesn't get me there. Do I need to set up a different service for the MAC and user auth, or can I add the MAC auth to the machine and user auth service without hosing it? How to do this?

Advice and articles welcome. Thanks

Guru Elite

Re: MAC + User Auth and/or Machine and User Auth for same SSID

I would not recommend using static host lists for large numbers of devices as it can become unmanageable. I would recommend creating a custom attribute in the endpoint database or using the built-in Known endpoint status for authorizing MAC addresses.


Thanks, 
Tim

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.

Contributor II

Re: MAC + User Auth and/or Machine and User Auth for same SSID

It's a small MAC list. Do you have instructional documents on how to do any of this stuff?

Guru Elite

Re: MAC + User Auth and/or Machine and User Auth for same SSID

Here is the basic setup, but what authentication type/method are you using? EAP-TLS? EAP-PEAP?

- Add the Endpoints Repository as an authorization source in your service.

- Add a new rule to your enforcement policy like below:

  [Screenshot: endpoint-status-known.PNG]

- Set endpoints to "Known" in the endpoint database.

  [Screenshot: epdb-known.PNG]


| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

Contributor II

Re: MAC + User Auth and/or Machine and User Auth for same SSID

Tim, I will give this a try tomorrow. How does ClearPass determine if a device is known vs. unknown?

Guru Elite

Re: MAC + User Auth and/or Machine and User Auth for same SSID

All devices are Unknown unless:

- You manually mark them as Known,

- You use an enforcement action to set them to Known based on other values,

- You import a list of MAC addresses with the Known flag.


| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |
