Importing Mac Devices; Advanced Mac Features; 2-Factor Authentication; Mac-Based Derivation Of Role - Dell Powerconnect W-ClearPass Hardware Appliances Deployment Manual

3. In the Policy Manager row, mark the check box to register the guest's MAC address with ClearPass Policy
Manager. The Advanced row is added to the form.
4. In the Advanced row, mark the check box to enable advanced options in ClearPass Policy Manager. The
Endpoint Attributes row is added to the form.
5. In the Endpoint Attributes row, enter name|value pairs for the user fields and Endpoint Attributes to be passed.
6. Click Save Changes to complete this configuration and continue with other tasks, or click Save and Reload to
proceed to Policy Manager and apply the network settings.

Importing MAC Devices

The standard Guest > Import Accounts form supports importing MAC devices. At a minimum the following two
columns are required: mac and mac_auth.
mac_auth,mac,notes
1,aa:aa:aa:aa:aa:aa,Device A
1,bb:bb:bb:bb:bb:bb,Device B
1,cc:cc:cc:cc:cc:cc,Device C
Any of the other standard fields can be added similar to importing regular guests.

Advanced MAC Features

2-Factor Authentication

2-factor authentication checks against both credentials and the MAC address on record.
Tying the MAC to the visitor account will depend on the requirements of your deployment. In practice you would
probably add mac as a text field to the create_user form. When mac is enabled in a self-registration it will be
included in the account as long as mac is passed in the URL. Relying on self-registration may defeat the purpose of
two-factor authentication, however.
The 2-factors are performed as follows:
1. Regular RADIUS authentication using username and password
2. Role checks the user account mac against the passed Calling-Station-Id.
Edit the user role and the attribute for Reply-Message or Aruba-User-Role. Adjust the condition from Always to
Enter conditional expression.
return !MacEqual(GetAttr('Calling-Station-Id'), $user['mac']) && AccessReject();
There is an alternative syntax where you keep the condition at Always and instead adjust the Value.
<?= MacEqual(GetAttr('Calling-Station-Id'), $user['mac']) ? $role["name"] : AccessReject()
or
<?= MacEqual(GetAttr('Calling-Station-Id'), $user['mac']) ? 'Employee' : AccessReject()

MAC-Based Derivation of Role

Depending on whether the MAC address matches a registered value, you can also adjust which role is returned. The
controller must be configured with the appropriate roles and the reply attributes mapping to them as expected.
Edit the Value of the attribute within the role returning the role to the controller.
If you are on the registered MAC, apply the Employee role, otherwise set them as Guest.
<?= MacEqual(GetAttr('Calling-Station-Id'), $user['mac']) ? 'Employee' : 'Guest'
Dell Networking W-ClearPass Guest 6.0 | Deployment Guide Importing MAC Devices | 57