ArubaOS and Controllers

Frequent Contributor II
Posts: 149
Registered: ‎04-20-2009

Enforcing Machine Authentication for some users but not for others

I have to authenticate two basic types of users. Staff and students.

For my students I want to enforce machine authentication to prevent them from bringing personally owned devices to school and connecting to the WLAN. Staff members, however, need to be able to bring their personally owned laptops to work, so enforcing machine authentication on these people is not an option.

I authenticate users against our domain using Microsoft IAS. My authentication is terminated on the controller, so I will have to turn this off when I turn enforce machine auth on, but after that I'm not sure where to go.

I have different IAS remote access policies for staff and students and my assumption is that I should be able to return some sort of attribute to the controller which will trigger machine auth for students but not for staff.

I am at best a novice with Aruba OS, so where to go from here is a bit of a question.
Can anyone give me some guidance on how to enforce machine authentication for one group of users and not the other?

Thanks.
Guru Elite
Posts: 21,021
Registered: ‎03-29-2007

Enforcing Machine Authentication


I have to authenticate two basic types of users. Staff and students.

For my students I want to enforce machine authentication to prevent them from bringing personally owned devices to school and connecting to the WLAN. Staff members, however, need to be able to bring their personally owned laptops to work, so enforcing machine authentication on these people is not an option.

I authenticate users against our domain using Microsoft IAS. My authentication is terminated on the controller, so I will have to turn this off when I turn enforce machine auth on, but after that I'm not sure where to go.

I have different IAS remote access policies for staff and students and my assumption is that I should be able to return some sort of attribute to the controller which will trigger machine auth for students but not for staff.

I am at best a novice with Aruba OS, so where to go from here is a bit of a question.
Can anyone give me some guidance on how to enforce machine authentication for one group of users and not the other?

Thanks.




Terry,

You can only turn "enforce machine authentication" on or off; you cannot selectively enforce it for a subset of users.


Colin Joseph
Aruba Customer Engineering


Regular Contributor I
Posts: 179
Registered: ‎08-29-2008

Re: Enforcing Machine Authentication for some users but not for others

You could create a Remote Access Policy in IAS which requires the laptop to have an Active Directory Object Group Membership, such as "Domain Computers" in "Windows-Groups matches."

Because the student home computers do not have a Domain Account, they will not authenticate. :D

The negative... you will have to add personal devices to the domain. :eek:
MVP
Posts: 289
Registered: ‎11-04-2008

Re: Enforcing Machine Authentication for some users but not for others

Terry,

You can do this with two virtual-APs, ESSIDs and VLANs (you don’t want students and staff in the same VLAN), and therefore two different “aaa profile” and two different “aaa authentication dot1x” profiles:

  • student-aaa-profile: enable enforce machine authentication in student aaa authentication dot1x profile
  • staff-aaa-profile: disable enforce machine authentication in staff aaa authentication dot1x profile

Try “show profile-hierarchy” to see how the profiles are stacking.

Good luck!
~Trinh Nguyen~
Boys Town
Frequent Contributor II
Posts: 149
Registered: ‎04-20-2009

Re: Enforcing Machine Authentication for some users but not for others


You could create a Remote Access Policy in IAS which requires the laptop to have an Active Directory Object Group Membership, such as "Domain Computers" in "Windows-Groups matches."

Because the student home computers do not have a Domain Account, they will not authenticate. :D

The negative... you will have to add personal devices to the domain. :eek:




This was actually my first attempt at it, as it would also allow me to leave termination turned on. I set up 2 remote access policies, one for staff and one for students. Basically, the student policy looked like this:

NAS-Port type matches "Wireless" AND
Windows-group matches "Students" AND
Windows-group matches "Domain Computers" AND
Client-IP-Address matches ""

The problem is that IAS can't authenticate both the user and the computer as part of the same policy. I can have the windows-group match "Student" OR "Domain Computers" but not "Student" AND "Domain Computers". The problem is that the student User-Name (their student ID#) is not part of the Domain Computers Group so the policy does not match.

Using a remote access policy is my preferred method of doing this, if someone could tell me how it can be done.
Frequent Contributor II
Posts: 149
Registered: ‎04-20-2009

Re: Enforcing Machine Authentication for some users but not for others


Terry,

You can do this with two virtual-APs, ESSIDs and VLANs (you don’t want students and staff in the same VLAN), and therefore two different “aaa profile” and two different “aaa authentication dot1x” profiles:


  • student-aaa-profile: enable enforce machine authentication in student aaa authentication dot1x profile
  • staff-aaa-profile: disable enforce machine authentication in staff aaa authentication dot1x profile

Try “show profile-hierarchy” to see how the profiles are stacking.

Good luck!





Thanks Trinh,

This might be an option.

/T
Frequent Contributor II
Posts: 149
Registered: ‎04-20-2009

A solution (at least for me)

I have finally found a solution to this problem. While this solution is specific to my situation, I am posting it because others may be able to customize it for their own purposes.

I configured my IAS servers to send a "filter-ID" attribute back to the controller. Leaving Machine-Authentication turned off and using the "user-name" and "filter-ID" attributes, I was able to configure a set of server-derived user-roles that will effectively blacklist any student that uses a non-corporate device while still allowing guest access for staff members that do the same.

Our AD has unique sub-domains for staff and students. I noticed that when users log on with a valid domain computer, the "user-name" attribute (in my situation at least) will always start with the sub-domain name, i.e. STAFF\tpelley. Combining this with the "filter-ID", I was able to create the following.

aaa server-group "IAS"
 auth-server IAS-01
 auth-server IAS-02
 set role condition User-Name starts-with "STAFF" set-value AD-Staff
 set role condition Filter-Id equals "Staff" set-value Guest
 set role condition User-Name starts-with "STUDENT" set-value AD-Student
 set role condition Filter-Id equals "Students" set-value Blacklisted
!


Now we have to actually blacklist the users in the Blacklisted user-role. I created a session ACL to do this and assigned it to the Blacklisted user-role.

ip access-list session Blacklist-acl
 any any any deny blacklist
!
user-role Blacklisted
 session-acl Blacklist-acl
!


Perhaps not the most elegant of solutions, but it works and allows me to effectively enforce machine authentication on a per user-role basis. Hopefully this will help someone in a similar situation.
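As an added illustration (this is not code from the post or from Aruba), the Python model below walks the four server-derivation rules above against constructed RADIUS Access-Accept attribute sets, so you can see which role each user/device combination lands in and why the order of the "set role" lines matters. It assumes that ArubaOS evaluates the rules top-down and applies the first match (which is what the post's ordering relies on) and compares strings case-sensitively; the default 802.1X role name, the User-Name formats for personal devices, and the extra "last match wins" mode are assumptions used only to show the effect of evaluation order.

```python
"""Model of the server-derived role rules from the post above (added example).

Assumptions, not facts from the page:
  * rules are evaluated top-down and the first matching rule wins
    (the post's ordering relies on this; confirm with "show aaa server-group IAS"
    and "show auth-tracebuf" on a real controller);
  * string comparisons are case-sensitive;
  * the default 802.1X role name and the User-Name formats for personal
    devices are constructed sample values.
"""

# The four rules, in the order they appear in aaa server-group "IAS".
RULES = [
    ("User-Name", "starts-with", "STAFF", "AD-Staff"),
    ("Filter-Id", "equals", "Staff", "Guest"),
    ("User-Name", "starts-with", "STUDENT", "AD-Student"),
    ("Filter-Id", "equals", "Students", "Blacklisted"),
]

DEFAULT_ROLE = "authenticated"  # assumed default 802.1X role from the aaa profile


def rule_matches(attrs, attr, op, value):
    """Return True if the RADIUS attribute set satisfies one rule condition."""
    actual = attrs.get(attr)
    if actual is None:          # attribute absent from the Access-Accept
        return False
    if op == "equals":
        return actual == value
    if op == "starts-with":
        return actual.startswith(value)
    raise ValueError(f"unsupported operator {op!r}")


def derive_role(attrs, rules=RULES, default=DEFAULT_ROLE, first_match=True):
    """Walk the rules and return the derived role.

    first_match=True models "first matching rule wins" (the assumed ArubaOS
    behaviour); first_match=False models "last matching rule wins", to show
    how the domain-joined cases would change if the order were reversed.
    """
    role = default
    for attr, op, value, rule_role in rules:
        if rule_matches(attrs, attr, op, value):
            role = rule_role
            if first_match:
                return role
    return role


# Constructed Access-Accept attribute sets for the four user/device
# combinations, plus one where IAS returned no Filter-Id at all.
SAMPLES = {
    "staff on domain laptop":     {"User-Name": "STAFF\\tpelley", "Filter-Id": "Staff"},
    "staff on personal laptop":   {"User-Name": "tpelley", "Filter-Id": "Staff"},
    "student on domain PC":       {"User-Name": "STUDENT\\123456", "Filter-Id": "Students"},
    "student on personal device": {"User-Name": "123456", "Filter-Id": "Students"},
    "accept with no Filter-Id":   {"User-Name": "123456"},
}


def evaluate_all(first_match=True):
    """Derive the role for every sample; returns {label: role}."""
    return {label: derive_role(attrs, first_match=first_match)
            for label, attrs in SAMPLES.items()}


if __name__ == "__main__":
    for mode in (True, False):
        print("first match wins" if mode else "last match wins")
        for label, role in evaluate_all(first_match=mode).items():
            print(f"  {label:28s} -> {role}")
```

Two things the model makes visible. First, a student on a domain PC matches both the "STUDENT" rule and the "Students" rule, so the scheme only works if the earlier rule wins; under a last-match evaluation that student would be Blacklisted and a staff member on a domain laptop would drop to Guest. Second, an Access-Accept that carries no Filter-Id, or a User-Name without the sub-domain prefix, matches nothing and falls through to the profile's default 802.1X role, which is a reason to keep that default role restrictive rather than relying on the blacklist rule alone.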