Enterprise Lockdown

New Contributor
Posts: 1
Registered: ‎10-15-2010

Client and Machine Auth

Is it possible in an Aruba wireless controller connected to a cisco ACS server to authenticate a machine (Windows) via a registry key and the user via AD through RADIUS?
What I am actually after is to only allow machines that are joined to the Domain access to the wireless network. After that check I want to use their AD username and PW to authenticate them.
I would prefer not to use Certificates.

Thanks for any help.
Guru Elite
Posts: 21,493
Registered: ‎03-29-2007

Enforce Machine Authentication

What you need is "Enforce Machine Authentication". Check that out in the Aruba Knowledgebase answerID 831. http://support.arubanetworks.com

Basically it assigns one role to devices that have successfully authenticated as a machine to the domain, and a separate role for devices whose user has successfully authenticated and a third role for devices that have passed both.


Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 45
Registered: ‎04-06-2010

Re: Client and Machine Auth

I have this implemented for our RAPs and a few items to note:
1) The Intel software breaks machine auth so make sure you remove Intel Proset Wireless software (Not the driver!) if you are using Intel Wireless cards. Really anything that can "manage" the wireless card even if it is set to use Windows or is inactive seems to do this.

2) Evidently Cisco has some known issues with ACS servers "hanging" when the domain controller they are talking to goes down for maintenance or something similar. We are making the switch to Microsoft NPS because of this. Your environment might be more stable than ours though!

3) We created captive portals for various roles, so if they failed only machine auth they got one message, if they failed user auth they got another... This helped the user understand the problems and what they can do to resolve the issue. At worst it helped the help desk know which troubleshooting tree to start with based on the error message the user gets. One caveat with this, the Machine auth only role caused confusion with role assignments when a PC fell into that role so we had to remove it. This wasn't a huge issue since 99% of the errors have been User Auth only role. We use the captive portal to give the user instructions for properly configuring their laptop and it even hosts a basic exe (It is really just a script) that installs the right wired settings and a few other items we have found to be helpful. I would highly recommend to anyone doing this that they use the captive portals for instructions, we found it to be a huge help.

4) We are hitting a bug that Aruba is investigating for us where the computer auth is successful, then user auth is successful but less than a second later the station is dropped for an unknown reason (The error is something like unknown reason, I forget exactly) and they associate again in the computer role only. If the user flips the wireless radio they are back on with both roles without an issue or if they just wait a few minutes they are ok. I hope to have a resolution for this soon.

5) All Machine auth really does is cache the MAC address after a successful machine authentication against AD. The default age is 24 hours so users will need to reboot every 24 hours to stay on. We set ours to 7 days so users have to reboot every 7 days. Since it caches the MAC address it is possible for someone to clone the MAC from a PC that did have a successful machine authentication and then only have to perform user auth. I was able to test this with my Linux laptop by cloning the MAC from my Windows laptop and setting up PEAP in Network Manager. So I wouldn't think of machine auth as bulletproof to someone determined to get their personal asset on the network, but it will help. There is an option to handle EAP logouts, I plan on testing to see if this removes the machine auth when someone shuts down their PC. If you need something bulletproof I would look into NPS policies (We are looking at that now), they are rumored to be able to handle detailed checks.

I struggled with this for weeks so post here if you want to compare notes.
New Contributor
Posts: 2
Registered: ‎09-04-2009

Client and Machine Auth Problems in windows

From testing in an enterprise situation we found client and machine authentication works but with a few caveats which is why we went to machine only authentication.

The way machine and client authentication works is, a machine first authenticates to the Aruba controller at the Windows login screen, once this has happened it adds the machine's MAC address to the internal database with a lifetime equal to the authentication timeout value. Then when the user authenticates it checks to see if the MAC is in the table and then allows the user on if it is.

This leads to a number of issues, in our environment a user could get on just by sniffing the wire, looking for a connected MAC, and then spoofing the MAC to get connected, or alternatively use their own known MAC to then connect a personal iPod or similar.

Basically the Windows 802.1x stack and the wireless standard don't support dual identities for login so it can't check both at the same time (machine and user).

If you absolutely need to ensure no unauthorized machines get on, your best bet is machine only authentication, preferably tied into EAP-TLS certificates and then use NTLM login snooping to find out what user is connected.

That's just my 2 cents.
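The MAC-cache behaviour described in point 5 of the earlier reply and in the post above, modelled as an added example (this is not Aruba's code; the cache structure, role names, timeout handling and the MAC address are assumptions made for illustration):

```python
from dataclasses import dataclass, field

DEFAULT_CACHE_SECONDS = 24 * 3600   # default age quoted in the thread
SEVEN_DAYS = 7 * 24 * 3600          # the adjusted value one poster used

@dataclass
class MachineAuthCache:
    """Hypothetical model of the controller's machine-auth MAC cache."""
    ttl: int = DEFAULT_CACHE_SECONDS
    entries: dict = field(default_factory=dict)   # mac -> expiry time

    def machine_auth_success(self, mac, now):
        # A successful computer-account authentication caches only the MAC.
        self.entries[mac] = now + self.ttl

    def is_machine_authenticated(self, mac, now):
        expiry = self.entries.get(mac)
        if expiry is None:
            return False
        if now >= expiry:
            del self.entries[mac]   # aged out: the machine must re-authenticate
            return False
        return True

    def eap_logoff(self, mac):
        # The EAP-logout option the thread mentions: drop the entry on logoff.
        self.entries.pop(mac, None)

def assign_role(cache, mac, user_auth_ok, now):
    """Role derivation as the thread describes it: three roles plus deny."""
    machine_ok = cache.is_machine_authenticated(mac, now)
    if machine_ok and user_auth_ok:
        return "both-authenticated"
    if machine_ok:
        return "machine-auth-only"
    if user_auth_ok:
        return "user-auth-only"
    return "denied"

def scenario(ttl=DEFAULT_CACHE_SECONDS):
    """Walk one domain laptop (MAC constructed for this example) through a day."""
    cache = MachineAuthCache(ttl=ttl)
    laptop = "00:11:22:33:44:55"
    cache.machine_auth_success(laptop, now=0)      # boot: machine auth at login screen
    roles = {"login": assign_role(cache, laptop, True, now=60)}
    roles["next_day"] = assign_role(cache, laptop, True, now=25 * 3600)
    # The cache is keyed on the MAC alone, so a second station presenting the
    # same MAC with valid user credentials is indistinguishable to this check.
    cache.machine_auth_success(laptop, now=0)
    roles["same_mac_other_station"] = assign_role(cache, laptop, True, now=60)
    cache.eap_logoff(laptop)                       # user shuts down, station logs off
    roles["after_logoff"] = assign_role(cache, laptop, True, now=120)
    return roles
```

With the default 24-hour age the laptop drops to the user-only role the next day until it reboots; with the 7-day value it stays in the combined role, and an EAP logoff clears the entry either way.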