Then an enforcement/role map like this may work for the 802.1X service:
Rule 1: NAD IP = <NAD IP of the switch> AND AD:Groups EQUALS <authorized user group> AND Endpoint:LabPC EQUALS True => Allow privileged access
Rule 2: NAD IP = <NAD IP of the switch> => Allow no/limited access + send alert
Rule 3: rest of your rules... for the other switches
The thing is that I'm quite sure this might overlook some scenarios, and it is really hard in a forum to provide the proper guidance. Also, I'm convinced that once you have found your solution, at that point it looks really obvious, but getting there may take some time and brainstorming about all the conditions and exceptions.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
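The three rules above only work because an enforcement policy is evaluated top-down and the first matching rule wins, so the lab-switch catch-all (Rule 2) must sit below the privileged rule. The following is an added example written for this thread, not ClearPass code and not from any poster: a small first-match evaluator with constructed requests that shows which rule each of the interesting cases hits. The NAD IP (192.0.2.10), the AD group name (LABO), the Endpoint attribute name (LabPC) and the usernames are assumed values for illustration.

```python
# Added example (not ClearPass code): first-match evaluation of the
# three enforcement rules sketched above, with constructed inputs.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

LAB_SWITCH_NAD_IP = "192.0.2.10"  # assumed: NAD IP of the lab room's switch
LAB_GROUP = "LABO"                # assumed: AD group from the question
LAB_PC_ATTR = "LabPC"             # assumed: custom Endpoint attribute on the 20 lab PCs


@dataclass
class Request:
    """Attributes ClearPass would see for one wired 802.1X authentication."""
    nad_ip: str
    username: str
    ad_groups: List[str]
    endpoint_attrs: Dict[str, str] = field(default_factory=dict)


@dataclass(frozen=True)
class Decision:
    profile: str
    alert: bool
    rule: str


# (rule name, condition, enforcement profile, raise alert)
Rule = Tuple[str, Callable[[Request], bool], str, bool]


def on_lab_switch(r: Request) -> bool:
    return r.nad_ip == LAB_SWITCH_NAD_IP


def in_lab_group(r: Request) -> bool:
    return LAB_GROUP in r.ad_groups


def is_lab_pc(r: Request) -> bool:
    # Label set by the admin in the Endpoint Repository; a MAC can be
    # spoofed, so this is a hint about the device, not proof of identity.
    return r.endpoint_attrs.get(LAB_PC_ATTR) == "True"


POLICY: List[Rule] = [
    ("Rule 1", lambda r: on_lab_switch(r) and in_lab_group(r) and is_lab_pc(r),
     "Allow privileged access", False),
    ("Rule 2", on_lab_switch, "Limited access", True),    # catch-all for the lab switch
    ("Rule 3", lambda r: True, "Classic network", False),  # stand-in for the other switches' rules
]


def evaluate(req: Request, policy: List[Rule] = POLICY) -> Decision:
    """First matching rule wins; with no match at all the safe result is deny."""
    for name, cond, profile, alert in policy:
        if cond(req):
            return Decision(profile, alert, name)
    return Decision("Deny", True, "default")


def scenarios() -> Dict[str, Decision]:
    """Constructed inputs covering the cases the rules must tell apart."""
    lab_pc = {LAB_PC_ATTR: "True"}
    cases = {
        "lab user, lab PC, lab switch":
            Request(LAB_SWITCH_NAD_IP, "alice", ["Students", LAB_GROUP], lab_pc),
        "lab user, own laptop, lab switch":
            Request(LAB_SWITCH_NAD_IP, "alice", ["Students", LAB_GROUP]),
        "other user, lab PC, lab switch":
            Request(LAB_SWITCH_NAD_IP, "bob", ["Students"], lab_pc),
        "lab user, lab PC moved to another switch":
            Request("192.0.2.20", "alice", ["Students", LAB_GROUP], lab_pc),
    }
    return {name: evaluate(req) for name, req in cases.items()}


if __name__ == "__main__":
    for name, d in scenarios().items():
        print(f"{name:42} -> {d.profile} (alert={d.alert}, matched {d.rule})")
```

Swapping Rule 1 and Rule 2 in the list makes every lab-switch authentication land on "Limited access", which is the ordering mistake the evaluator makes visible; the fourth scenario shows that a lab PC carried to another room drops out of the lab rules entirely and is handled by whatever applies to that switch.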
Original Message:
Sent: Jan 27, 2023 08:45 AM
From: ohertzel
Subject: Clearpass wired Mac static list and 802.1X.
Hello Herman,
I want to set up a ClearPass rule that allows users who are part of an AD LABO group to connect to 20 computers in a room.
This room has its own switch (Aruba 2930).
I don't want any other computer to be able to connect in this room.
I have as data:
- The MAC address of the PCs
- The AD group of users
- The NAD IP
We were accompanied by an Aruba pre-sales engineer and a sales representative who helped us on the first project.
The project was done very quickly and I did not have time to follow the official training courses.
When I ask certain questions, I am referred to documents that I have read at least 3 times.
I'm part of a large group and my colleagues aren't as advanced as I am with ClearPass.
I've watched all your videos and videos on Udemy, and read the official certification study guide book.
I know that training does not replace experience.
So my only solutions are to ask for help on the community
and to take the ClearPass training (scheduled in 4 months).
Thank you for your help.
If you have interesting books or contacts, could you please share them with me?
Original Message:
Sent: Jan 27, 2023 06:16 AM
From: Herman Robers
Subject: Clearpass wired Mac static list and 802.1X.
Olivier,
There are many unknowns, and what you are asking for comes down to making a design for a good security policy and the implementation. I would really recommend working with your Aruba partner or consultant to first create a proper design. Many things are possible with ClearPass, but that is not necessarily what matches your environment.
You probably would not do a separate MAC authentication, as in the 802.1X service you can include checks on the MAC address, lookups in the Endpoint Database, verification against a database, checks on whether the switch or switch port is in a specific location, and much more. But MAC+802.1X for clients that do 802.1X you would do in the 802.1X service; and you may use a separate MAC authentication service for clients that don't do 802.1X.
As Ariyap mentions, this is covered in the Wired Policy Enforcement guide (link a few responses back), and going through a ClearPass training or the ClearPass Workshop video series will cover the building blocks for your scenario. In most cases, it's best to get the knowledge and experience from someone external to make sure you start with a good design that works and matches what you want to achieve.
EDIT: To respond to the topic: static MAC lists are probably one of the worst methods to achieve whatever your requirement is... there are better methods that are more manageable. Static lists are deprecated and should only be used in some corner cases, if at all. I don't want to be harsh, but I would not want you to spend a lot of time researching something that has better solutions if you look at the design requirements.
------------------------------
Herman Robers
------------------------
Original Message:
Sent: Jan 27, 2023 05:48 AM
From: ohertzel
Subject: Clearpass wired Mac static list and 802.1X.
Hi Jonas,
The student computers in the LAB room authenticate just with MAB.
They are not in the AD domain.
These computers are desktops in this LAB room; they don't move.
It's not a bring-your-own-device scenario.
For the computer, just MAC authentication.
I need to authenticate the computers first.
If the computer is in the authorized MAC address list, then the student can log in with his AD 802.1X account.
The PCs are Ubuntu.
Thank you for your reply.
Original Message:
Sent: Jan 27, 2023 04:43 AM
From: jonas.hammarback
Subject: Clearpass wired Mac static list and 802.1X.
Hi Olivier,
Can you describe how the student computers authenticate? Are they managed computers joined to Active Directory?
Is it a bring-your-own-device scenario? Are you using EAP-PEAP, EAP-TLS or EAP-TEAP as the authentication method?
Instead of trying to do both 802.1X and MAC authentication, you can work with any of the following as authorization information in the 802.1X service:
- group membership in Active Directory for the computer (requires that the computers are domain joined)
- ClearPass Onboard for devices that should have access to the secured network
- an external system for authorized devices to connect to the secured network. Could be Intune, Jamf, or another MDM tool, CMDB, etc.
- Assign the devices that are allowed to connect to the secured network a role in ClearPass, either by adding a role under the Guest Device Repository or custom attributes in the Endpoints Repository
- If the device types are different, you may be able to have rules based on the profiling information.
- A combination of any of the above methods
Personally I would prefer ClearPass Onboard or AD group membership to distinguish the clients. But integration with Intune or a similar system will also work well.
------------------------------
Best Regards
Jonas Hammarbäck
MVP 2023, ACCX #1335, ACMP, ACDP, ACP-Network Security, ACEP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
Original Message:
Sent: Jan 27, 2023 03:39 AM
From: ohertzel
Subject: Clearpass wired Mac static list and 802.1X.
Hi, thank you for your reply.
I need to do both MAB and 802.1X authentication as I am in a sensitive university environment.
Some students need to have access to a sensitive network with certain PCs.
But when these same students are connected with a PC other than those of the sensitive environment, they are connected to the classic network like the other students.
best,
Olivier
Original Message:
Sent: Jan 25, 2023 04:54 PM
From: lord
Subject: Clearpass wired Mac static list and 802.1X.
Hi @Olivier,
What do you want to achieve with this combination? 802.1X is a very secure authentication method and MAC-address authentication is totally insecure. If I had the choice I would clearly prefer 802.1X.
You can set up 802.1X with fallback to MAC-address authentication on the Aruba switch. You can configure the order and priority. But you can't really use both authentication types at the same time.
If you really need to do MAC-address authentication, then use the [Guest Device Repository] rather than a static host list. This way you are much more flexible and can use e.g. role mapping or set an expiration date.
------------------------------
Regards,
Waldemar
ACCX # 1377, ACEP, ACA - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution
Original Message:
Sent: Jan 25, 2023 07:59 AM
From: ohertzel
Subject: Clearpass wired Mac static list and 802.1X.
Hi,
I'm pretty new to ClearPass and I'm looking to connect wired PCs using a static MAC list and 802.1X.
My switch is an Aruba 2930F.
In my use case I want to connect a PC which is in a static MAC list with 802.1X.
Does anyone have a process? Or can someone explain it to me?
best,
Olivier