Most customers don't care which switch someone connects to; the switch port will just apply the appropriate configuration/role/VLAN for the device that is connected.
But if you really want to do this, I would use a Network Device Group, and then you can either create separate services for both switch types and use a service selection: Connection:NAD-IP-Address belongs_to <Device Group>; or use the device group in your Role Mapping, then modify your enforcement to check both Device Group and other attributes; or you could use an attribute on the Network Device configuration where you set something like 'switch-type = printer', then check that during your role-mapping and/or enforcement.
There seem to be many ways to do what you describe. I would not use Static Host List (SHL) unless there is no other option. SHL is deprecated and poorly manageable, thus error-prone.
------------------------------
Herman Robers
------------------------------
Original Message:
Sent: Jul 16, 2025 07:24 AM
From: lenikeeh
Subject: ClearPass MAC based auth on multiple switches
Dear Community,
I'm trying to create MAC-based authentication on multiple switches.
I have printers connected to one switch, and I have PCs connected to another one.
My goal is to get an alert if a PC connects to the printers' switch (or the reverse), and for it to get rejected by RADIUS.
I already added the switches to ClearPass, and imported the MAC addresses into two different static host lists.
Do I have to create two MAC auth services for each switch, or is there any policy that can choose between them?
I'm planning to create this MAC authentication service with 20 switches, and I think there's an easier way to create it.
I uploaded some screenshots. Right now I separate the switches with the static host lists and this line:
| Connection | NAD-IP-Address | EQUALS | <ip address> |
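
The last option in the reply (a per-device attribute such as 'switch-type', checked during role mapping and enforcement) can be modelled as one decision function that covers any number of switches. This is an added Python sketch of that logic, not ClearPass configuration or API and not code from either poster; the IPs, MACs, table names and function names are constructed for illustration.

```python
import re

# Constructed sample data (not from the thread).
# NAD IP -> value of a per-device attribute such as 'switch-type'.
NAD_SWITCH_TYPE = {
    "192.0.2.11": "printer",
    "192.0.2.12": "pc",
}
# Known endpoint MAC -> device category (what the two host lists encoded).
ENDPOINT_CATEGORY = {
    "001122334455": "printer",
    "66778899aabb": "pc",
}

def normalize_mac(mac):
    """Accept aa:bb:.., AA-BB-.., aabb.ccdd.eeff; return 12 lowercase hex digits."""
    digits = re.sub(r"[:.\-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def evaluate(nad_ip, calling_station_id):
    """Return (radius_result, alert_reason); alert_reason is None on accept."""
    switch_type = NAD_SWITCH_TYPE.get(nad_ip)
    if switch_type is None:
        return "Access-Reject", f"request from unknown NAD {nad_ip}"
    try:
        mac = normalize_mac(calling_station_id)
    except ValueError as exc:
        return "Access-Reject", str(exc)
    category = ENDPOINT_CATEGORY.get(mac)
    if category is None:
        return "Access-Reject", f"unknown MAC {mac} on {switch_type} switch {nad_ip}"
    if category != switch_type:
        return "Access-Reject", f"{category} {mac} connected to {switch_type} switch {nad_ip}"
    return "Access-Accept", None
```

Adding a twenty-first switch means adding one row to the NAD table; the decision logic and the single service stay unchanged.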