08-26-2019 03:32 AM
We just configured a new ClearPass 6.8 to do 802.1X and MAC auth (Cisco switches).
802.1X works fine with AD.
MAC auth works only if I first add the MAC manually to an identity source like a static host list.
I am looking for a way to do this:
allow all the MAC addresses in the company (regardless of auth source) via MAC auth for a period of time (a policy that permits any);
after a week, put all the MAC addresses in a static host list and use it as the authentication source;
from then on, new MAC addresses will be rejected.
Re: mac auth
08-26-2019 04:42 AM
Is there a reason you need MAC auth for the devices doing 802.1X? MAC auth is not a strong security mechanism (a MAC can be spoofed easily) and is usually added as an option only for the devices that cannot do 802.1X, like old printers and scanners, or for providing guest access on "colorless" ports.
If you want to identify the device performing 802.1X, there are other options, like using machine auth in addition to user auth, or creating a custom attribute and checking against it.
ACDX | ACCX| CCIE (RnS/SP,DC) | ACCP | ACMP | ACSA | ACMA | CWNA | JNCIS | JNCIA
If the provided solution resolves your issue, please mark it as accepted solution to help others.
Re: mac auth
08-28-2019 10:54 AM
Before performing any authentication, I first set up passive and active profiling on CPPM. This populates the endpoint database with all the devices on your network.
Then you can set those endpoints you want to allow access via MAC auth to "Known" devices, and then only allow Known devices onto the network.
The devices are also profiled, so you can use any of the profile and fingerprint information to further control access, e.g. if the device is a printer, put it in the "Printer" VLAN.
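The learn-then-lock policy the original post asks for, and the "only allow Known endpoints" approach in the reply above, as an added example that is not from this thread or from ClearPass itself: it records every MAC seen during a learning window as Known, then accepts only those afterwards. The MAC auth events, the window length and the MAC formats are constructed; ClearPass would hold the learned set in a static host list or as endpoint status rather than in a Python set.

```python
"""Learn-then-lock MAC allow-list (added example; constructed data)."""
from datetime import datetime, timedelta
import re

LEARN_WINDOW = timedelta(days=7)   # the "after a week" from the post (assumption)

def normalise_mac(raw: str) -> str:
    """Canonical lower-case, separator-free form so that 'AA-BB-CC-DD-EE-FF',
    'aabb.ccdd.eeff' (Cisco style) and 'aa:bb:cc:dd:ee:ff' compare equal.
    Without this, the same device would look new after a switch change."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return hexdigits.lower()

def build_allow_list(events, learn_start):
    """Every MAC seen via MAC auth inside the learning window becomes Known."""
    end = learn_start + LEARN_WINDOW
    known = set()
    for ts, mac in events:
        if learn_start <= ts < end:
            known.add(normalise_mac(mac))
    return known

def decide(ts, mac, known, learn_start):
    """Policy: ACCEPT anything inside the learning window; afterwards ACCEPT
    only Known MACs and REJECT the rest, so new devices need a deliberate add."""
    if ts < learn_start + LEARN_WINDOW:
        return "ACCEPT"
    return "ACCEPT" if normalise_mac(mac) in known else "REJECT"

# Constructed sample events: (timestamp, MAC exactly as the NAS sent it)
START = datetime(2019, 8, 26)
EVENTS = [
    (START + timedelta(days=1), "00-11-22-33-44-55"),   # printer, learned
    (START + timedelta(days=3), "0011.2233.4466"),      # scanner, Cisco format
    (START + timedelta(days=9), "00:11:22:33:44:77"),   # first seen after lock
]
KNOWN = build_allow_list(EVENTS, START)

if __name__ == "__main__":
    for ts, mac in EVENTS:
        print(ts.date(), mac, decide(ts, mac, KNOWN, START))
```

The lock-down step is the part that should be reviewed before it goes live: anything that only talks occasionally (spare printers, seasonal equipment) will be missing from the learned set and be rejected once the window closes.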