Dell Powerconnect W-ClearPass Virtual Appliances W-ClearPass Guest 6.0 Deploym - Page 57
Importing MAC Devices, Advanced MAC Features, 2-Factor Authentication, MAC-Based Derivation of Role
3. In the Policy Manager row, mark the check box to register the guest's MAC address with ClearPass Policy Manager. The Advanced row is added to the form.
4. In the Advanced row, mark the check box to enable advanced options in ClearPass Policy Manager. The Endpoint Attributes row is added to the form.
5. In the Endpoint Attributes row, enter name|value pairs for the user fields and Endpoint Attributes to be passed.
6. Click Save Changes to complete this configuration and continue with other tasks, or click Save and Reload to proceed to Policy Manager and apply the network settings.

Importing MAC Devices

The standard Guest > Import Accounts form supports importing MAC devices. At a minimum the following two columns are required: mac and mac_auth.

    mac_auth,mac,notes
    1,aa:aa:aa:aa:aa:aa,Device A
    1,bb:bb:bb:bb:bb:bb,Device B
    1,cc:cc:cc:cc:cc:cc,Device C

Any of the other standard fields can be added similar to importing regular guests.

Advanced MAC Features

2-Factor Authentication

2-factor authentication checks against both credentials and the MAC address on record. Tying the MAC to the visitor account will depend on the requirements of your deployment. In practice you would probably add mac as a text field to the create_user form. When mac is enabled in a self-registration it will be included in the account as long as mac is passed in the URL. Relying on self-registration may defeat the purpose of two-factor authentication, however.

The 2-factors are performed as follows:

1. Regular RADIUS authentication using username and password
2. Role checks the user account mac against the passed Calling-Station-Id.

Edit the user role and the attribute for Reply-Message or Aruba-User-Role. Adjust the condition from Always to Enter conditional expression.

    return !MacEqual(GetAttr('Calling-Station-Id'), $user['mac']) && AccessReject();

There is an alternative syntax where you keep the condition at Always and instead adjust the Value.
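
For the MAC device import described under Importing MAC Devices above, the following pre-import check is an added example, not part of the Dell manual or of ClearPass. It assumes MACs are written with `:`, `-` or `.` separators and that `mac_auth` should be `1` on every row, as in the manual's sample; the function names and the sample rows are constructed for illustration.

```python
import csv
import io
import re

REQUIRED = {"mac", "mac_auth"}  # the two columns the import form requires

def normalize_mac(value):
    """Return the MAC as lowercase aa:bb:cc:dd:ee:ff, or None if malformed."""
    digits = re.sub(r"[:.\-]", "", value.strip().lower())  # strip separators
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def check_import(text):
    """Validate an import file; return (accepted_rows, error_messages)."""
    reader = csv.DictReader(io.StringIO(text))
    missing = REQUIRED - set(reader.fieldnames or [])
    if missing:
        return [], ["missing required column(s): " + ", ".join(sorted(missing))]
    rows, errors, seen = [], [], {}
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        mac = normalize_mac(row["mac"] or "")
        if mac is None:
            errors.append(f"line {line_no}: invalid MAC {row['mac']!r}")
        elif mac in seen:  # same device written in a different notation
            errors.append(f"line {line_no}: duplicate of line {seen[mac]} ({mac})")
        elif (row["mac_auth"] or "").strip() != "1":  # assumption: must be 1
            errors.append(f"line {line_no}: mac_auth is not 1")
        else:
            seen[mac] = line_no
            rows.append({**row, "mac": mac})
    return rows, errors

# Constructed sample: one good row followed by three rows that should be caught.
SAMPLE = """mac_auth,mac,notes
1,aa:aa:aa:aa:aa:aa,Device A
1,AA-AA-AA-AA-AA-AA,Device A again
1,bb:bb:bb:bb:bb,Device B (one octet short)
,cc:cc:cc:cc:cc:cc,Device C (mac_auth empty)
"""

if __name__ == "__main__":
    rows, errors = check_import(SAMPLE)
    for message in errors:
        print(message)
    print(f"{len(rows)} row(s) ready to import")
```

Catching duplicates and malformed addresses before import matters for the 2-factor check, because the role condition compares the stored mac against Calling-Station-Id and a mistyped entry would reject a legitimate device.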