12-02-2010 10:20 AM
My aim: to 802.1x authenticate machines and users when they connect to our wireless network, to prevent them being able to enter their AD credentials into iPhones and gain access to the network.
Reading the Aruba OS 3.4.2 manual it suggests that the above is possible as do many other forum threads but try as I might I can't seem to get it to work.
Firstly, perhaps somebody could explain what the "force machine authentication" box in my 802.1x profile means and does. I have assumed that with this enabled, when a connection is made to the Aruba SSID, a request is made to RADIUS to validate the machine before then authenticating the user during logon. I have been able to get an 802.1x machine role when using EAP-TLS and a computer certificate, and an 802.1x user role when using PEAP MSCHAPv2. I just can't seem to get both user and machine validated and be given the correct role.
It is almost as though when my test AD user logs on to the wireless network only one authentication pass is made to the server.
Do I need to enable MAC Authentication as well, or is this solely for checking MAC addresses against a list such as my Internal DB? From what I have read I don't think that this will help me authenticate my machines against an AD group?
We have a Windows 2003 server environment with XP SP2 workstations and use Steel-Belted-Radius for our Radius server.
If someone has successfully implemented the above and wouldn't mind sharing how they did it I would be ever so grateful. Many thanks, Andy
12-02-2010 02:57 PM
The way "enforce machine auth" works is by keeping track of which machines (by MAC address) have successfully passed 802.1x with their machine credentials (for AD this is their computer name/account) and applying a role derivation scheme that takes this into consideration when they pass 802.1x authentication with their user credentials. The important thing to note here is that the computer will only do one OR the other based on the state of the user being logged in or not, NOT both at the same time. For example, in XP using PEAP, if the "Authenticate as computer when computer information is available" checkbox is set in the Authentication tab of your Wireless settings, the computer will do the following:
- If the user is logged off, or during a reboot before a user logs on, the computer will auth with its computer name against AD with the SID that was assigned when the computer was joined to the domain
- Once the user logs onto Windows, the computer will log off the computer via 802.1x and authenticate as the user via 802.1x
- If the user logs off, the computer will log off the user via 802.1x and log on with the computer account again.
So, the Aruba will see "host/computer-name.domain" authenticate when the computer uses its account and will mark this as this being a valid domain PC. We will keep track of this in the internal database of the controller and put the machine in the "default machine role" defined in the dot1x-profile. Once we see the user log on as "domain/user" we will switch the user to the 802.1x default-role IF the same machine passed machine auth previously or place it in the "default user role" if it did not.
So, what this means is, to place iPhones and the like in a separate role from domain devices when users use the same credentials, you would set the roles up as follows:
- Default-Machine-Role = Whatever you want a computer with no user logged into it to have access to. I would suggest allowing communication to the domain controller, DHCP, DNS, and the like so that when the user does log on, they can run scripts and the like.
- Default-User-Role = Role for NON domain devices with domain users
- Default-Dot1x-Role = Role for domain devices with domain users
The matrix above only gets kicked in if "enforce machine auth" is enabled, otherwise any successful 802.1x auth will be placed in the 802.1x default role.
One caveat is that you have to be aware of the cache period that we keep track of the valid domain machines for. By default this is 24 hours. So, let's say that you are already logged onto your computer as your user and you walk into the building and the computer logs onto the network with your user credentials (since you are logged on); if this is past the 24 hour period since the system last saw that device log on as a computer, you will be treated as a non-domain device until you log off from Windows and log back on.
Hope that helps.
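An added model of the role derivation and cache caveat described in this reply (a constructed illustration, not ArubaOS code; the role names, MAC addresses, identities and timestamps are assumed):

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict

# Assumed placeholder names for the three roles referred to in the post.
DEFAULT_MACHINE_ROLE = "default-machine-role"  # domain PC, nobody logged on
DEFAULT_USER_ROLE = "default-user-role"        # domain user on a device that never passed machine auth
DEFAULT_DOT1X_ROLE = "default-dot1x-role"      # domain user on a device that did pass machine auth


@dataclass
class MachineAuthTracker:
    """Constructed model of 'enforce machine auth' role derivation (not the controller's code)."""
    enforce_machine_auth: bool = True
    cache_timeout: timedelta = timedelta(hours=24)  # default cache period given in the post
    _machine_seen: Dict[str, datetime] = field(default_factory=dict)

    def on_dot1x_success(self, mac: str, identity: str, now: datetime) -> str:
        """Return the role assigned after ONE successful 802.1x pass.

        The supplicant sends either the computer account (host/...) or the
        user account in a pass, never both, so each call models one pass.
        """
        mac = mac.lower()
        if not self.enforce_machine_auth:
            return DEFAULT_DOT1X_ROLE  # checkbox off: every success gets the 802.1x default role
        if identity.lower().startswith("host/"):
            self._machine_seen[mac] = now  # remember this MAC as a valid domain PC
            return DEFAULT_MACHINE_ROLE
        last = self._machine_seen.get(mac)
        if last is not None and now - last > self.cache_timeout:
            del self._machine_seen[mac]  # entry aged out: treated as never seen
            last = None
        return DEFAULT_DOT1X_ROLE if last is not None else DEFAULT_USER_ROLE


def walkthrough() -> Dict[str, str]:
    """Replay the scenarios from the post with constructed MACs and identities."""
    tracker = MachineAuthTracker()
    t0 = datetime(2010, 12, 2, 8, 0)
    pc, phone = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff"
    return {
        # domain PC boots and authenticates with its computer account
        "pc_boot": tracker.on_dot1x_success(pc, "host/pc1.example.local", t0),
        # the user then logs on to that same PC
        "pc_user": tracker.on_dot1x_success(pc, "example/andy", t0 + timedelta(minutes=1)),
        # the same user types the same credentials into an iPhone
        "iphone": tracker.on_dot1x_success(phone, "example/andy", t0 + timedelta(minutes=5)),
        # the caveat: user never logged off, PC reconnects 25 hours after its last machine auth
        "pc_stale": tracker.on_dot1x_success(pc, "example/andy", t0 + timedelta(hours=25)),
        # with enforcement disabled, any success lands in the 802.1x default role
        "no_enforce": MachineAuthTracker(False).on_dot1x_success(phone, "example/andy", t0),
    }
```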
12-02-2010 11:10 PM
One quick question though: how do you keep track of valid domain PCs in your Internal Database? Does this happen automatically, or do I have to configure something on the Aruba Controller?
The other thing I am still a little fuzzy on is the PEAP 802.1x method I should be using. Do you use PEAP EAP-MS-CHAPv2 in your environment or PEAP EAP-TLS?
I can't seem to work out from reading Microsoft documentation if PEAP EAP-MS-CHAPv2 will authenticate computers or not. I have managed to get it to authenticate users fine based on their AD credentials but wasn't sure how to get it to do the computer as well before a user logged on.
When trying to set up PEAP EAP-TLS, there only seems to be the option in my wireless network configuration settings to use a computer certificate or a user certificate for authentication. This suggests that I do need to use the MS-CHAPv2 method?
Your last couple of paragraphs referring to my iphone example were very clear and have helped reinforce my understanding of that area nicely. So thank you again.
If I can just get my selection and configuration of my 802.1x authentication method correct now along with appropriate wireless client settings sorted I think I am there.
12-03-2010 09:58 AM
"One quick question though how do you keep track of valid domain PCs in your Internal Database?"
The way this is done is that the device's MAC address is dynamically added to the internal database when a device passes 802.1x auth with its computer name/account. This cache is queried each time we see an 802.1x auth with a user account. This cache is flushed per the caching period set in the dot1x profile.
"Do you use PEAP EAP-MS-CHAPv2 in your environment or PEAP EAP-TLS?"
This works with both I believe, but much easier to implement with EAP-PEAP since I don't have to issue certificates for each machine and each user.
"I can't seem to work out from reading Microsoft documentation if PEAP EAP-MS-CHAPv2 will authenticate computers or not."
Assuming you are using the native Windows Wireless Utility, under your wireless settings is a checkbox to "Authenticate as computer when computer information is available". This should be on the Authentication tab, under where you set PEAP and the like. So, select PEAP, and then check this box.
You must also ensure that RADIUS is set up to allow your computer accounts to authenticate. This should be an allowed group in your RADIUS policy. Are you using IAS RADIUS? I did not get any hint at RADIUS below. You should note that the EAP-Termination feature does not support machine authentication. You must disable that and use an external RADIUS server like IAS.
12-06-2010 10:24 AM
Thanks again for your help. Nearly there now :-)
I can see machine authentication entries in my Internal DB now and I can authenticate users via MSCHAPv2 getting the correct AAA role for successful machine and user authentication.
I just need to change this now so that the users authenticate using their own certificate to meet our security requirements.
We are using Steel Belted Radius as our Radius server and I have made sure that we don't have the Termination box ticked on our Aruba Controller.