Aruba ClearPass

The RTA is a headless Linux appliance with no 802.1X supplicant, no domain membership, and no NAC agent. On a ClearPass-controlled network it will be denied, quarantined, or placed in a remediation VLAN with no egress — and will never reach the firewall.

Note

For general background on why NAC blocks RTAs and what the fix looks like across vendors, see the NAC overview and the full troubleshooting background.

The resolution is three steps: allowlist the appliance MAC address via MAC Authentication Bypass (MAB), map it to a VLAN/role with outbound internet access, and ensure posture checks are not required for the device.


1. Get the appliance MAC address

Obtain the MAC address the switch will actually learn from:

  • Hypervisor / cloud console — check the NIC settings for the RTA VM.
  • DHCP lease — look up the lease on your DHCP server for the appliance hostname or IP.

Hyper-V MAC spoofing

Hyper-V deployments have MAC address spoofing enabled on the appliance NIC. Confirm the MAC the upstream switch port actually learns (via show mac address-table on the switch) rather than relying solely on the MAC Hyper-V reports in the VM settings.

Note the MAC in the format ClearPass expects (e.g., aa:bb:cc:dd:ee:ff or aabbccddeeff — ClearPass accepts both).
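Step 1 only works if the MAC that goes into ClearPass is the one the switch actually learns. The following added example (not part of the RTA documentation or of ClearPass) normalizes the notations a hypervisor console, a DHCP lease and an ArubaOS-Switch MAC table use into the colon form ClearPass accepts, and flags a mismatch between the hypervisor-reported MAC and the one learned on the port; the switch output it parses is constructed sample text, and its column layout is an assumption.

```python
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")

# Constructed sample (not a real capture), ArubaOS-Switch style: port 12 is the
# Hyper-V host uplink and has learned two MACs; port 7 is an unrelated device.
SAMPLE_MAC_TABLE = """\
  MAC Address   Port  VLAN
  ------------- ----- ----
  00155d-0a0b0c 12    100
  3c4a92-112233 12    100
  001b3f-445566 7     20
"""

def normalize_mac(raw: str) -> str:
    """Return the colon form ClearPass accepts from any common notation:
    'AA-BB-CC-DD-EE-FF', 'aa:bb:cc:dd:ee:ff', 'aabbcc-ddeeff' (ArubaOS-Switch),
    'aabb.ccdd.eeff' (Cisco-style) or bare 'aabbccddeeff'. Raises ValueError otherwise."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def learned_macs_by_port(mac_table: str) -> dict:
    """Parse 'MAC Address  Port  VLAN' rows into {port: [normalized MACs]};
    header, separator and blank lines fail MAC validation and are skipped."""
    learned: dict = {}
    for line in mac_table.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            mac = normalize_mac(parts[0])
        except ValueError:
            continue
        learned.setdefault(parts[1], []).append(mac)
    return learned

def check_port(mac_table: str, port: str, hypervisor_mac: str) -> dict:
    """Compare the hypervisor-reported MAC with what the switch learned on `port`.
    'match' False means an allowlist entry built from the hypervisor value would
    never be matched by ClearPass: resolve the discrepancy before adding it."""
    expected = normalize_mac(hypervisor_mac)
    learned = learned_macs_by_port(mac_table).get(port, [])
    return {"port": port, "hypervisor_mac": expected,
            "learned": learned, "match": expected in learned}
```

Feed it the real `show mac address-table` output for the RTA's port and the MAC from the hypervisor console; when `match` is False, allowlist nothing until you know why the two disagree.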


2. Allowlist the MAC address

You have two equivalent options in ClearPass Policy Manager:

Option A — Static Host List

  1. Go to Configuration > Identity > Static Host Lists.
  2. Click Add and create a new list (or append to an existing one).
  3. Set Format to MAC Address.
  4. Add the appliance MAC and save.

Option B — Endpoints repository

  1. Go to Configuration > Identity > Endpoints.
  2. Click Add or search for the MAC to update an existing record.
  3. Set Status to Known (or a custom value your enforcement rules match against).
  4. Save the endpoint record.

Either approach gives your enforcement policy a stable identity to match against.


3. MAC Authentication service and enforcement

Verify the MAC Authentication service

  1. Go to Configuration > Services.
  2. Confirm a service of Type: MAC Authentication is active and ordered to match requests from the relevant NAS/switch.
  3. If no suitable service exists, create one targeting the switch IP range and the correct NAS port type.

Enforcement Policy and Profile

  1. Go to Configuration > Enforcement > Policies and open (or create) the policy used by the MAC Authentication service.
  2. Add a rule that matches the appliance, for example:

     Condition   Attribute   Operator    Value
     Endpoint    Status      EQUALS      Known

     or, if using a Static Host List:

     Condition   Attribute   Operator    Value
     Host        Name        MEMBER OF   <your-static-host-list>

  3. Map that rule to an Enforcement Profile that returns the authorized VLAN (and optional Aruba user role) granting outbound internet access.

A typical RADIUS enforcement profile sends:

Tunnel-Type        = VLAN
Tunnel-Medium-Type = IEEE-802
Tunnel-Private-Group-ID = <vlan-id>

Optionally add an Aruba VSA (Aruba-User-Role) if your controller enforces roles rather than (or in addition to) VLAN tags.


4. Posture bypass

The RTA runs no OnGuard agent and cannot satisfy any health-check requirement. Ensure the MAC Authentication service and its enforcement do not have posture checks enabled:

  • In the service, confirm Posture Compliance is not configured (or is set to not apply to this service).
  • In the enforcement policy, verify there is no posture-health condition that would redirect the device to a quarantine VLAN or remediation profile.
  • If a separate posture enforcement profile exists as a fallback, ensure the MAC/endpoint match rule takes precedence and returns the authorized profile before any posture rule fires.

5. Verify

After saving, the change takes effect on the next authentication event. Bounce the switch port or send a RADIUS re-authentication to trigger it:

# On Aruba/HPE switch — force re-auth on the port the RTA is connected to
aaa port-access re-authenticate <port>

Then confirm:

  1. ClearPass Access Tracker (Monitoring > Live Monitoring > Access Tracker) — the latest request for the appliance MAC shows ACCEPT with the expected enforcement profile applied.
  2. Switch port VLAN — the port is assigned to the authorized VLAN (verify with show vlan port <port> or equivalent on your switch).
  3. DHCP lease — the appliance receives an IP in the expected subnet.
  4. Connectivity test — from a host on that segment, or directly on the appliance if you have console access, verify egress:
nc -vz connect.remotetesting.secureworks.com 443

A successful connection (Connection to connect.remotetesting.secureworks.com 443 port [tcp/https] succeeded) confirms the required outbound path is open and the RTA tunnel should come up.

MAC authentication security

MAB is based solely on MAC address, which can be spoofed. Scope the authorized VLAN to the minimum egress required (outbound TCP/443 only), and remove or disable the entry when the engagement ends.