Security

  • 1.  Duplicate Static Host List Entries

    Posted Oct 21, 2025 06:06 AM

    Hi,

    After a power failover test on our customer site, a printer that was previously working fine was noted to be obtaining a different IP from a different VLAN subnet. A duplicate MAC entry in a completely unrelated VLAN static host list was subsequently noted and deleted to resolve the issue.

    What dictates which static host entry will be sourced in a duplicate-MAC scenario? Is it the relative position in the list that gets priority? The wrong subnet that was picked up had its MAC entry higher up in the static host list compared to the intended static host list. It seems the power test triggered re-authentication, which led to this wrong subnet being obtained from the other static host list?

    Thanks in advance

    Richard



    -------------------------------------------


  • 2.  RE: Duplicate Static Host List Entries

    Posted Oct 21, 2025 06:39 AM

    Hi,

    In ClearPass, when a MAC address exists in more than one Static Host List, the system uses the first match found in the order the lists are processed. This means the duplicate entry appearing earlier in list evaluation will take precedence, which can result in the wrong VLAN or enforcement profile being applied during re-authentication.

    Recommended steps:

    1. Review all static host lists under Configuration → Identity → Static Host Lists and search for duplicate MACs.

    2. Ensure each MAC address exists only once across all lists to prevent unpredictable behavior.

    3. If multiple VLANs are used, consider defining VLAN assignment through roles or enforcement profiles instead of multiple static lists; this avoids conflict during failover or re-authentication events.

    4. After cleanup, trigger a re-authentication to confirm the correct VLAN is applied.

    ClearPass does not automatically resolve duplicate entries; it simply uses the first matching record it encounters. Removing duplicates is the proper fix.

    Cheers,

    Vigan

    -------------------------------------------
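    The check Vigan recommends in step 1 (search every Static Host List for MACs that appear more than once) is easy to get wrong by hand, because ClearPass accepts MACs in several formats and the same address can be entered as 00:1a:2b:3c:4d:61 in one list and 00-1A-2B-3C-4D-61 in another. The script below is an added example, not part of the post and not ClearPass code: it normalises the MAC format, reports every address present in more than one list, and shows which list a first-match lookup would hit when the lists are given in their processing order. The input shape (an ordered list of (list name, [MAC, ...]) tuples built from your own exports) and the sample data are constructed assumptions.

```python
"""Find MAC addresses that appear in more than one ClearPass Static Host List.

Added example, not ClearPass code. The input format (an ordered list of
(list_name, [mac, ...]) tuples) and the list evaluation order are assumptions;
build the structure from your own exports under
Configuration > Identity > Static Host Lists.
"""
import re
from collections import defaultdict

_TWELVE_HEX = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Canonicalise aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff or
    aabbccddeeff to lowercase colon-separated form, so differently formatted
    copies of the same address still collide. Raises ValueError on garbage."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _TWELVE_HEX.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def index_static_host_lists(shls):
    """Map each normalised MAC to [(list_name, position), ...] in the order the
    lists were supplied. `shls` is an ordered list of (list_name, [mac, ...])."""
    index = defaultdict(list)
    for list_name, macs in shls:
        for position, raw in enumerate(macs):
            index[normalize_mac(raw)].append((list_name, position))
    return index


def find_duplicates(shls):
    """Return {mac: [(list_name, position), ...]} for every MAC that occurs more
    than once across all lists (including twice within the same list)."""
    return {mac: hits for mac, hits in index_static_host_lists(shls).items()
            if len(hits) > 1}


def first_match(shls, mac):
    """Name of the list a first-match lookup would hit for `mac`, or None.
    Models the 'first match in processing order' behaviour described above,
    assuming `shls` is ordered the way the lists are evaluated."""
    hits = index_static_host_lists(shls).get(normalize_mac(mac))
    return hits[0][0] if hits else None


# Constructed sample data (not from the original post): the printer's MAC was
# entered in the AP list with dash formatting and in the printer list with colons.
SAMPLE_SHLS = [
    ("AP-Management-VLAN", ["00:1A:2B:3C:4D:5E", "001a.2b3c.4d60", "00-1A-2B-3C-4D-61"]),
    ("Printer-VLAN", ["00:1A:2B:AA:BB:01", "00:1a:2b:3c:4d:61", "00:1A:2B:AA:BB:02"]),
]

if __name__ == "__main__":
    for mac, hits in sorted(find_duplicates(SAMPLE_SHLS).items()):
        where = ", ".join(f"{name}[{pos}]" for name, pos in hits)
        print(f"{mac}: {where}  ->  first match wins: {hits[0][0]}")
```

    Run it against your real exports once before and once after the cleanup in step 2; an empty duplicate report after cleanup is the condition you want before triggering the re-authentication in step 4.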



  • 3.  RE: Duplicate Static Host List Entries

    Posted Oct 23, 2025 03:44 AM

    Many thanks Vigan, I figured it had to follow some logic like that. Thanks for your input.

    -------------------------------------------



  • 4.  RE: Duplicate Static Host List Entries

    Posted Oct 23, 2025 03:54 AM

    One thing I'm still puzzling over is how the device (printer) ever managed to work on the correct printer VLAN (with dedicated SHL). The policy rule for the alternative VLAN (for APs) is higher up the enforcement policy order, and the port was always configured for ClearPass MAC-auth, as opposed to static. Any ideas?

    -------------------------------------------



  • 5.  RE: Duplicate Static Host List Entries

    Posted Oct 21, 2025 10:22 AM

    Also, avoid using SHL. You're much better off registering the device in the guest device repository and then writing policy around that. Easier to administer, more flexible options.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 6.  RE: Duplicate Static Host List Entries

    Posted Oct 23, 2025 03:45 AM

    Thanks for your input Carson

    -------------------------------------------