Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

separating MAC Databases

  • 1.  separating MAC Databases

    Posted Feb 05, 2015 07:49 PM

    Guys, I have set up ClearPass for wireless networks. I have captured hundreds of MAC addresses from random devices connecting to the SSIDs, most of which I will never delegate network access to.

    Now I want to apply MAC auth to the wired network. I'm guessing the best way to do this is to set up IP helper addresses on the switch to point to ClearPass; however, I don't want all those wired MAC addresses to live amongst the wireless MAC addresses. All the wired addresses will be granted access to the network, and if they are mixed in with the hundreds of non-approved MACs it would seem to be unmanageable. Can I set up a different MAC database for the wired MACs? Is there a better way for me to do this?



  • 2.  RE: separating MAC Databases

    EMPLOYEE
    Posted Feb 05, 2015 07:50 PM

    No. It's a single database. You can however create custom attributes in the database and then write policies that check for those attributes.



  • 3.  RE: separating MAC Databases

    Posted Feb 05, 2015 08:00 PM

    Would that require setting a custom attribute on each MAC manually?



  • 4.  RE: separating MAC Databases

    EMPLOYEE
    Posted Feb 05, 2015 08:02 PM
    If you want to manually approve devices, yes. Keep in mind that it’s only storing the MAC address. So a wireless adapter MAC would never present to the wired network anyway.


  • 5.  RE: separating MAC Databases

    Posted Feb 05, 2015 08:13 PM

    Don't really want to manually approve devices if there is a better way to do this. The wired side has printers, IP cameras, etc. Not quite sure how this will play out, but MAC auth seems like a good choice. I'm open to suggestions?



  • 6.  RE: separating MAC Databases

    EMPLOYEE
    Posted Feb 05, 2015 08:17 PM
    Didn’t you say you wanted to authorize devices? How else would you do it without a list of devices allowed on?


    *
    You can use the device profile (printer, computer, media player, etc) to let devices on, but that means any device that profiles that way would be let on.
    *
    You can use MACTrac registration
    *
    You could use 802.1X authentication for modern devices and use MAC-authentication (via MACTrac) for “dumb” devices like printers.


  • 7.  RE: separating MAC Databases

    Posted Feb 05, 2015 08:26 PM

    Ok, sounds good. I will look into this MACTrac thingamajig.

    thxs



  • 8.  RE: separating MAC Databases

    Posted Feb 06, 2015 09:52 AM
    I have a case where I group MACs using a host list with a descriptive name so I can keep some sort of sanity.


  • 9.  RE: separating MAC Databases

    EMPLOYEE
    Posted Feb 06, 2015 09:54 AM
    The only problem with SHLs is that they don't scale well and are not as extensible as the endpoints repository.