Security

 View Only

  • 1.  Duplicate Static HSot List Entries

    Posted Oct 21, 2025 06:06 AM

    Hi,

    After a power failover test on our customer site, a printer than was previously working fine was noted to be obtaining a different IP from a different vlan subnet. A duplicate MAC entry in a completely unrelated vlan static host list was subsequently noted, - deleted to resolve the issue. 

    What dictates which static host entry will be sourced in a duplicate-MAC scenario ? IS it the relative position in the list that gets priority ? The wrong subnet that was picked up had its MAC entry higher up in the static host list compared to the intended static host list. It seems the power test triggered re-authentication, which led to this wrong subnet being obtained from the other static host list ?

    Thanks in advance

    Richard



    -------------------------------------------


  • 2.  RE: Duplicate Static HSot List Entries

    Posted Oct 21, 2025 06:39 AM

    Hi,

    In ClearPass, when a MAC address exists in more than one Static Host List, the system uses the first match found in the order the lists are processed. This means the duplicate entry appearing earlier in list evaluation will take precedence, which can result in the wrong VLAN or enforcement profile being applied during re-authentication.

    Recommended steps:

    1. Review all static host lists under Configuration → Identity → Static Host Lists and search for duplicate MACs.

    2. Ensure each MAC address exists only once across all lists to prevent unpredictable behavior.

    3. If multiple VLANs are used, consider defining VLAN assignment through roles or enforcement profiles instead of multiple static lists-this avoids conflict during failover or re-authentication events.

    4. After cleanup, trigger a re-authentication to confirm the correct VLAN is applied.

    ClearPass does not automatically resolve duplicate entries; it simply uses the first matching record it encounters. Removing duplicates is the proper fix.

    Cheers,

    Vigan

    -------------------------------------------



  • 3.  RE: Duplicate Static HSot List Entries

    Posted Oct 23, 2025 03:44 AM

    Many thanks Vigan, I figured it had to be follow some logic like that. thanks for your input

    -------------------------------------------

    Original Message


  • 4.  RE: Duplicate Static HSot List Entries

    Posted Oct 23, 2025 03:54 AM

    One thing I'm still puzzling over is how the device (printer) ever managed to work on the correct printer vlan (with dedicated SHL). The policy rule for alternative VLAN (for APs) is higher up the enforcement policy order, and port was always configured for Clearpass MAC-auth, as opposed to static. Any ideas ?

    -------------------------------------------

    Original Message


  • 5.  RE: Duplicate Static HSot List Entries

    Posted Oct 21, 2025 10:22 AM

    Also, avoid using SHL.  You're much better off registering the device in the guest device repository and then writing policy around that.  Easier to administer, more flexible options.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 6.  RE: Duplicate Static HSot List Entries

    Posted Oct 23, 2025 03:45 AM

    Thanks for your input Carson

    -------------------------------------------

    Original Message


Related Content