Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Static Host List Import format - Changed in 6.7?

  • 1.  Static Host List Import format - Changed in 6.7?

    Posted Aug 02, 2018 09:50 AM

    I used to be able to import bulk mac addresses into a static host list in CPPM 6.6 using the following format:

    <StaticHostLists>
    <StaticHostList description="" name="Static Hosts" memberType="MACAddress" memberFormat="list" members="00:14:d1:f1:a9:b1, 00:20:00:98:7b:b4, 80:c6:ab:41:6c:b7"/>
    </StaticHostLists>

    But now, with 6.7 when I export the list it has the following format:

    <StaticHostLists>
    <StaticHostList description="" name="CCSD-Secure Allowed Device List" memberType="MACAddress" memberFormat="list" >
    <Members>
    <Member address="aa:bb:cc:dd:ee:ff"/>
    <Member address="a1:b2:c3:d4:e5:f6"/>
    <Member address="ab:cd:ef:12:34:56"/>
    </Members>
    </StaticHostList>
    </StaticHostLists>

    Each MAC address has a "Member address" before it.  How can I do a bulk import of MAC addresses this way?



  • 2.  RE: Static Host List Import format - Changed in 6.7?

    EMPLOYEE
    Posted Aug 02, 2018 09:53 AM
    Add additional <Member> statements. This was done to accommodate the new description field. XML export formats can change at any time.


  • 3.  RE: Static Host List Import format - Changed in 6.7?

    Posted Aug 02, 2018 09:56 AM

    I'm not sure what you mean by add additional statements.



  • 4.  RE: Static Host List Import format - Changed in 6.7?

    EMPLOYEE
    Posted Aug 02, 2018 09:57 AM

    For each MAC address, add:


    <Member address="aa:bb:cc:11:22:33"/>

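One way to produce that per-member format for a few hundred addresses without hand editing, as an added example that is not part of the thread and is not HPE Aruba code: a small Python script that reads one MAC per line from a text file, normalizes and deduplicates the addresses, and emits the `<StaticHostLists>` element in the shape of the 6.7 export quoted in the question. The list name, the sample `macs.txt` contents and the `member_addresses` round-trip helper are constructed for the example. Whatever envelope your own 6.7 export wraps around `<StaticHostLists>` should be kept as exported; only the element generated here is meant to replace the corresponding part of that file before importing.

```python
# Added example (not from the thread or from HPE Aruba): generate the 6.7-style
# Static Host List import XML, one <Member address="..."/> per MAC, from a
# plain text file of MAC addresses so 500 entries need no hand editing.
import re
import sys
import xml.etree.ElementTree as ET

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> str:
    """Return a MAC in the aa:bb:cc:dd:ee:ff form ClearPass exports.

    Accepts colon, hyphen, Cisco dotted (0014.d1f1.a9b1) and bare-hex input
    in any case. Raises ValueError for anything that is not exactly 12 hex
    digits, so a typo in the source list fails the build instead of being
    imported as an entry that can never match.
    """
    digits = re.sub(r"[:\-.\s]", "", raw.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_list(text: str) -> list[str]:
    """One MAC per line; blank lines and '#' comments are ignored.

    Duplicates (after normalization) are dropped, first-seen order is kept.
    """
    seen: dict[str, None] = {}
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            seen.setdefault(normalize_mac(entry), None)
    return list(seen)


def build_import_xml(name: str, macs: list[str], description: str = "") -> str:
    """Build the <StaticHostLists> element in the format shown in the 6.7 export."""
    root = ET.Element("StaticHostLists")
    shl = ET.SubElement(root, "StaticHostList", description=description, name=name,
                        memberType="MACAddress", memberFormat="list")
    members = ET.SubElement(shl, "Members")
    for mac in macs:
        ET.SubElement(members, "Member", address=mac)
    ET.indent(root)  # cosmetic only (Python 3.9+)
    return ET.tostring(root, encoding="unicode")


def member_addresses(xml_text: str) -> list[str]:
    """Round-trip check: read the addresses back out of a generated or exported file."""
    return [m.get("address") for m in ET.fromstring(xml_text).iter("Member")]


# Constructed sample input standing in for a real macs.txt (hypothetical data).
SAMPLE_MACS = """\
# lab cart 1
00:14:d1:f1:a9:b1
00-20-00-98-7B-B4
0014.d1f1.a9b1      # duplicate of line 1 in another notation, dropped
80c6ab416cb7
"""

if __name__ == "__main__":
    # usage: python shl_xml.py [macs.txt] ["List Name"]
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MACS
    list_name = sys.argv[2] if len(sys.argv) > 2 else "CCSD-Secure Allowed Device List"
    print(build_import_xml(list_name, parse_mac_list(source)))
```

Run it once against the exported file with `member_addresses()` after the import to confirm the count on the appliance matches the count in the source list; a silently rejected entry is the usual reason a device that "is on the list" still lands in the wrong role.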

  • 5.  RE: Static Host List Import format - Changed in 6.7?

    Posted Aug 02, 2018 09:58 AM

    Wow, that's going to be a PITA for 500 MAC address.



  • 6.  RE: Static Host List Import format - Changed in 6.7?

    EMPLOYEE
    Posted Aug 02, 2018 09:59 AM
    Why are you using Static Host Lists? Device Registration is recommended.


  • 7.  RE: Static Host List Import format - Changed in 6.7?

    Posted Aug 02, 2018 10:01 AM

    I've never heard of device registration.  What exactly is it and how does it differ from Static Host Lists?



  • 8.  RE: Static Host List Import format - Changed in 6.7?

    EMPLOYEE
    Posted Aug 02, 2018 10:04 AM
    Static Host Lists provide no context and should not be used.

    Device Registration registers the device with a role assignment, expiration and other attributes.


  • 9.  RE: Static Host List Import format - Changed in 6.7?

    Posted Aug 02, 2018 10:06 AM

    We use static host lists as part of our 802.1X enforcement profiles.  So a computer has to be in a static host list, and machine authenticated on our domain, for it to get put in our machine auth role. 


    How would I use device registration in this context for onboarding hundreds of new devices?



  • 10.  RE: Static Host List Import format - Changed in 6.7?

    EMPLOYEE
    Posted Aug 02, 2018 10:11 AM
    Why would a MAC address be used for this? A MAC address can be easily changed, and many devices use MAC randomization now.

    What does this accomplish if you’re already using Machine Authentication? MAC address provides no security value.


  • 11.  RE: Static Host List Import format - Changed in 6.7?

    Posted Aug 02, 2018 10:15 AM

    I don't see how it provides no value just because it's simple to spoof MAC addresses these days.  That doesn't make it easy to determine what MAC address(es) you need to spoof.


    Regardless, this is our current setup and I don't have the authority to change it.  I'm just looking for the easiest way to import a list of 500+ MAC addresses into a Static Host List.  But it looks like you're saying there isn't one.



  • 12.  RE: Static Host List Import format - Changed in 6.7?

    EMPLOYEE
    Posted Aug 02, 2018 10:17 AM
    The REST API is always the easiest and most programmatic way to update entities.


  • 13.  RE: Static Host List Import format - Changed in 6.7?

    Posted Aug 02, 2018 10:20 AM

    I see that making perfect sense for guest registration.  But for company owned (in our case school owned) devices where we have employees that need to "register" hundreds of devices at once, I still think static host lists hold value.



  • 14.  RE: Static Host List Import format - Changed in 6.7?

    EMPLOYEE
    Posted Aug 02, 2018 10:22 AM
    The REST API is available for all ClearPass entities including Static Host Lists.


  • 15.  RE: Static Host List Import format - Changed in 6.7?

    Posted Aug 02, 2018 10:24 AM

    I see.  Is there any documentation on how I could append a current SHL with hundreds of new MACS using the REST API?



  • 16.  RE: Static Host List Import format - Changed in 6.7?

    EMPLOYEE
    Posted Aug 02, 2018 10:25 AM
    The API explorer is available at /api-docs

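As an added example that is not part of the thread and not HPE Aruba code, here is what appending a batch of MACs to an existing Static Host List looks like through the REST API that posts 12, 14 and 16 point to, using only the standard library. The endpoint paths and field names are assumptions to confirm in the API explorer at /api-docs for your version: an OAuth client-credentials token from `/api/oauth`, the list looked up at `/api/static-host-list/name/{name}` and updated with a PATCH on `/api/static-host-list/{id}`, and a list-format SHL carrying its members as a comma-separated `value` string. The API client, list name and addresses in the sample run are constructed for the example.

```python
# Added example (not from the thread or from HPE Aruba): append MAC addresses to
# an existing ClearPass Static Host List via the REST API instead of editing XML.
# ASSUMED (confirm in https://<cppm>/api-docs for your version): the OAuth path
# /api/oauth with grant_type=client_credentials, the entity paths
# /api/static-host-list/name/{name} and /api/static-host-list/{id}, and a
# comma-separated "value" string holding the members of a list-format SHL.
import json
import os
import ssl
import sys
import urllib.parse
import urllib.request


def merge_members(existing_value: str, new_macs: list[str]) -> str:
    """Return the merged 'value' string: current members first, then the new ones,
    deduplicated case-insensitively so a re-run never produces duplicate entries."""
    merged: dict[str, None] = {}
    for mac in existing_value.split(","):
        if mac.strip():
            merged.setdefault(mac.strip().lower(), None)
    for mac in new_macs:
        if mac.strip():
            merged.setdefault(mac.strip().lower(), None)
    return ", ".join(merged)


class ClearPassClient:
    """Minimal urllib-based client. verify_tls=False is for lab appliances with a
    self-signed certificate only; in production keep the default so a forged
    appliance cannot harvest the API client secret."""

    def __init__(self, base_url: str, client_id: str, client_secret: str,
                 verify_tls: bool = True):
        self.base = base_url.rstrip("/")
        self.ctx = ssl.create_default_context()
        if not verify_tls:
            self.ctx.check_hostname = False
            self.ctx.verify_mode = ssl.CERT_NONE
        self.token = None
        token = self._request("POST", "/api/oauth", {
            "grant_type": "client_credentials",
            "client_id": client_id,
            "client_secret": client_secret,
        })
        self.token = token["access_token"]

    def _request(self, method: str, path: str, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base + path, data=data, method=method)
        req.add_header("Content-Type", "application/json")
        req.add_header("Accept", "application/json")
        if self.token:
            req.add_header("Authorization", "Bearer " + self.token)
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            return json.load(resp)

    def get_shl(self, name: str) -> dict:
        return self._request("GET", "/api/static-host-list/name/"
                             + urllib.parse.quote(name, safe=""))

    def append_to_shl(self, name: str, macs: list[str]) -> dict:
        """Read-merge-write: fetch the list, merge, PATCH only the value field."""
        shl = self.get_shl(name)
        if shl.get("host_type") != "MACAddress" or shl.get("host_format") != "list":
            raise RuntimeError(f"{name!r} is not a list-format MAC address SHL")
        new_value = merge_members(shl.get("value", ""), macs)
        return self._request("PATCH", f"/api/static-host-list/{shl['id']}",
                             {"value": new_value})


if __name__ == "__main__":
    # usage: CPPM_CLIENT_SECRET=... python shl_append.py https://cppm.example "List Name" macs.txt
    # (secret from the environment so it does not land in shell history)
    base, list_name, path = sys.argv[1:4]
    macs = [l.split("#", 1)[0].strip() for l in open(path) if l.split("#", 1)[0].strip()]
    client = ClearPassClient(base, os.environ["CPPM_CLIENT_ID"], os.environ["CPPM_CLIENT_SECRET"])
    result = client.append_to_shl(list_name, macs)
    print(f"{list_name}: now {len(result['value'].split(','))} members")
```

The API client used for this needs only the scope that covers Static Host Lists; an operator profile with broader entity access is more credential than a bulk-load job should hold.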

  • 17.  RE: Static Host List Import format - Changed in 6.7?

    Posted Mar 04, 2019 08:41 PM

    @cappalli wrote:
    Static Host Lists provide no context and should not be used.

    Device Registration registers the device with a role assignment, expiration and other attributes.

    Hi Tim,

    Static Host List was suggested to me as a way to authenticate IAPs that want to create tunnels to a MC. (Currently using manual 'whitelist-db' commands on the MC). Is Static List no longer recommended for this purpose?



  • 18.  RE: Static Host List Import format - Changed in 6.7?

    EMPLOYEE
    Posted Mar 04, 2019 08:47 PM
    For infrastructure-like functionality like that, SHLs are a solution. They're just not the best solution for endpoints / client devices.