That particular flag is used by a MAC auth service to determine if authentication is allowed or not. For any other service, you would still have to write policy around unknown/known/disabled. The problem is, most any situation where a decision on a MAC address is going to be the allow/deny choice is probably going to result in the device attempting to connect multiple times. Rather than constantly having to reject the connection, allow the connection, deny all traffic, and place them in a blackhole VLAN.
------------------------------
Carson Hulcher, ACEX#110
------------------------------
Original Message:
Sent: Apr 23, 2024 12:38 AM
From: Mithran
Subject: Blocking a Endpoint in CPPM
But disabled clients also don't have access to the network, correct?
Original Message:
Sent: Apr 22, 2024 09:59 AM
From: chulcher
Subject: Blocking a Endpoint in CPPM
You'll need to write policy around handling the attribute, but don't deny the client device. Allow the connection and assign a role that doesn't allow any traffic to flow, otherwise you'll see the client reconnect constantly.
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Apr 22, 2024 07:41 AM
From: Mithran
Subject: Blocking a Endpoint in CPPM
We use ClearPass for guest authentication. In case we need to permanently prevent a MAC address from connecting to the guest SSID, is it the right approach if we modify the endpoint status to disabled client?