Occasional Contributor II

ClearPass - restricting machine to its dept/site

Once the machine (laptop, smart network device, etc.) is checked against the trusted MAC address database, the MAC address should then be cross-checked with the group of switches it is allowed on.

For example: if the machine belongs to site A and is moved and brought to site B, although the MAC address is trusted, it doesn't belong to site B, so access to the network resources should be restricted.

The same applies in the case of different departments...

Is this possible through ClearPass?

Guru Elite

Re: clearpass- restricting machine to its dept/ site

You can certainly do that (maintain lists of MAC addresses and check them by site), but it would be complicated for the administrator to add/remove/change new devices. If a device does not work at a different site, your helpdesk would also be clogged with requests to find out why the laptop doesn't work, followed by an emergency request for the administrator to "make it work at this site".


Possible, yes...  hard to administer, yes....

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
MVP Guru

Re: clearpass- restricting machine to its dept/ site

You have a couple of options you can use:
- If the laptops are part of the domain, use AD group membership based on the location in combination with custom Endpoint DB attributes, and use those attributes to allow or deny access (more dynamic, less management overhead).

- Use the Guest device repository with TIPS roles based on the location (more management overhead, but an option for non-domain devices).

Thank you

Victor Fabian
Lead Mobility Architect @WEI
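
The decision logic discussed in this thread, modelled in Python as an added example; it is not ClearPass configuration and not code from any of the posters. The endpoint table, switch subnets, attribute names and role names (`full-access`, `restricted`, `deny`) are all hypothetical.

```python
import ipaddress
import re

# Constructed sample data: endpoint attributes keyed by normalized MAC,
# and switch (NAS) management subnets grouped by site. All values are made up.
ENDPOINTS = {
    "aabbccddeeff": {"site": "A", "dept": "finance"},
    "001122334455": {"site": "B", "dept": "engineering"},
}
SWITCH_GROUPS = {
    "A": [ipaddress.ip_network("10.1.0.0/24")],
    "B": [ipaddress.ip_network("10.2.0.0/24")],
}

def normalize_mac(mac):
    """Strip separators so aa:bb:.., AA-BB-.., aabb.ccdd.eeff compare equal."""
    digits = re.sub(r"[:.\-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def site_of_switch(nas_ip):
    """Return the site whose switch group contains this NAS IP, or None."""
    addr = ipaddress.ip_address(nas_ip)
    for site, nets in SWITCH_GROUPS.items():
        if any(addr in net for net in nets):
            return site
    return None

def decide(mac, nas_ip):
    """Return (role, reason) for a MAC authentication request."""
    try:
        endpoint = ENDPOINTS.get(normalize_mac(mac))
    except ValueError:
        return "deny", "malformed MAC"
    if endpoint is None:
        return "deny", "MAC not in trusted database"
    switch_site = site_of_switch(nas_ip)
    if switch_site is None:
        return "deny", "switch not in any site group"
    if endpoint["site"] != switch_site:
        return "restricted", f"site {endpoint['site']} device seen at site {switch_site}"
    return "full-access", f"home site {switch_site}"
```

Returning a reason string with every decision gives the helpdesk something to look up when a laptop stops working after a move between sites.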