New Contributor

Re: Onboard - Restrict onboard services to only devices in static host list

Hi Nick and Tim,


I'm trying to do something similar where I want to restrict onboarding to both a static host list as well as AD credentials. The intention is that only whitelisted devices can be onboarded by staff.


Onboarding is occurring via an onboarding SSID, and after onboarding devices will be on a corporate eap-tls SSID.


The trouble I'm facing is that even though I've created a static host list as an authentication source, the option to use it as an authorization source is greyed out.


In my enforcement policy I wanted the ruleset to look something like:

tips // role // equals // user authenticated

Connection // Client-Mac-Address // BELONGS_TO_GROUP // --SHL-- name


I'm not able select or get the SHL component working. I tried setting the onboard authorisation to radius as well as application (two separate services) and was unable to get either working with the SHL. Onboarding without the SHL works fine.


Do you have any suggestion or ideas on how I could get this working? I thought another option would be to host a sql db externally and use it as an authorisation source but it seems like this should be achievable with the SHL..


Thanks in advance. Cheers,





Super Contributor II

Re: Onboard - Restrict onboard services to only devices in static host list

How is doing the onboard? Staff or the end user. If staff is doing the onboard you can use some authorization attributes from the authentication source, for example an AD group where the staff people belongs to.


If you want to filter based on the client MAC address I should say use the endpoint database for this. You can add on additional attribute in the Endpoint database and filter on this.

Willem Bargeman ACMX#935 | ACCX #822

Please give me kudos if my post was useful!
If your issue is solved mark the post as solution!
New Contributor

Re: Onboard - Restrict onboard services to only devices in static host list

Hi Willembargeman,


Thanks for the reply. The onboarding will be performed by the end users (who happen to be staff members).


The reason I want to authorize against the SHL is to make sure the device being onboarded is a managed device, and not just any BYOD device the end user tries to onboard. The customer is using a cloud version of Sophos MDM which unfortunately doesn't have any native integration with ClearPass. I only want to allow devices that are under Sophos MDM management to be onboarded.


The plan I came up with was to export the list of device MAC addresses from sophos into the SHL, and then use the SHL as an authorization source when onboarding.


I realise the SHL will have to be manually maintained but without any native integration this is a limitation I have to work with. I thought it would be simple to add a MAC address validation to my onboarding authorization policy but it's proving harder than I expected.


Also worth mentioning that the 'onboarding SSID' is available to public/visitors which is why I want to use a combination of both AD credentials and the SHL.

I was hoping that when adding the SHL as a static host list that I would be able to tick the box in this screenshot to enable it as an authorization source but it's greyed out..



Guru Elite

Re: Onboard - Restrict onboard services to only devices in static host list

Belongs to group with an SHL will always work without an auth source.

Why would you authorize based on MAC address though? Kind of defeating the
point of a secure credential.

| Tim Cappalli | Aruba Security | @timcappalli | |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Search Airheads
Showing results for 
Search instead for 
Did you mean: