CPPM MAB scalability?

  • 1.  CPPM MAB scalability?

    Posted Nov 13, 2023 01:31 PM

    Hello,


    We are deploying MAB AUTH policies on our wired Ethernet connections for devices that are not computers/desktops/workstations etc. They could vary from "security cameras" to "printers" to "scanners", VOIP phones etc.

    My question is, what would be the recommended way to allow 'known MAC vendors/addresses' but alert if a new MAC vendor is seen for the first time in the environment? We can play with known/unknown, but e.g. 'HP' can cover many MAC OUIs, whereas in our environment only 2-3 of their MAC vendor prefixes may be seen. Is the only way to get granular with MAC addresses and apply roles to them,
    or to allow MAC vendors (regardless of how many OUIs they own)?

    Is there a better way to do / inspect peripheral devices in your environment using MAB?



  • 2.  RE: CPPM MAB scalability?

    EMPLOYEE
    Posted Nov 24, 2023 11:00 AM

    Not fully sure what you would like to achieve, but in general the following approach works quite nicely:

    • Use 802.1X for managed devices and other devices that can do 802.1X
    • Fall back to MAC Authentication for devices that can't do 802.1X; there you would use ClearPass profiling to identify the device type more granularly than just the MAC vendor.
    • Use a specific attribute on the Endpoint in ClearPass to assign a specific role/VLAN.
    • If there is still no match, use profiled device types to assign groups of devices to a role/VLAN, for example all 'HP Printers' or 'Ascom VoIP phones'. 
    • Assign all other (unknown) devices to a profiling role/VLAN, and optionally trigger alerts/helpdesk tickets or a captive portal for end-users to register their devices.

    Your Aruba partner would be able to design this or set this up.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
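The tiered approach in the reply above, combined with the first-seen-vendor alert the original question asks for, written out as an added reference model in Python. This is a constructed example, not ClearPass's own code: the role tables, the `Device-Role` attribute name, the device categories and the VLAN ids are hypothetical.

```python
"""Tiered MAC-auth decision model (constructed example, not ClearPass code).
Endpoint records mimic what the ClearPass profiler exposes: MAC address,
profiled device category and custom Endpoint attributes."""
import re
from dataclasses import dataclass, field


@dataclass
class Endpoint:
    mac: str
    category: str = ""                          # profiler result, e.g. "HP Printers"
    attrs: dict = field(default_factory=dict)   # custom Endpoint attributes


# Hypothetical role tables: (enforcement profile name, VLAN id).
ATTRIBUTE_ROLES = {("Device-Role", "cctv"): ("CCTV", 120),
                   ("Device-Role", "voip"): ("VOIP", 130)}
CATEGORY_ROLES = {"HP Printers": ("PRINTERS", 140),
                  "Ascom VoIP phones": ("VOIP", 130)}
PROFILING_ROLE = ("PROFILING", 999)             # catch-all for unknown devices


def oui(mac: str) -> str:
    """Vendor prefix (first three octets) in canonical AA-BB-CC form,
    accepting colon, dash and Cisco dotted notations."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 6, 2))


def decide(ep: Endpoint, known_ouis: set, alerts: list):
    """Return (role, vlan) using the precedence from the reply:
    Endpoint attribute > profiled category > catch-all profiling role.
    Every OUI not yet in known_ouis is recorded and raises an alert, which
    covers the 'vendor seen for the first time' case from the question."""
    prefix = oui(ep.mac)
    if prefix not in known_ouis:
        known_ouis.add(prefix)
        alerts.append(f"first sighting of OUI {prefix} ({ep.mac})")
    for key, val in ep.attrs.items():           # 1. explicit Endpoint attribute
        if (key, val) in ATTRIBUTE_ROLES:
            return ATTRIBUTE_ROLES[(key, val)]
    if ep.category in CATEGORY_ROLES:           # 2. profiled device category
        return CATEGORY_ROLES[ep.category]
    alerts.append(f"unknown device {ep.mac} sent to profiling VLAN")
    return PROFILING_ROLE                       # 3. profile it, alert/ticket
```

Known OUIs would be seeded from the existing Endpoint repository so that only genuinely new vendor prefixes raise an alert.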