Security, WIDS/WIPS and Aruba ECS

jlscott · ‎05-15-2009

I've discovered a worrying issue on our system whereby iPhone users are able to authenticate to our PEAP secured SSID using their domain credentials.

I've setup the system to authenticate machines against Active Directory (checking that the machine account is part of the Wireless Devices security group). On success the machine is placed into the 'computer' role. When a user logs on their credentials are checked against AD and if they're a domain user they are granted access and transitioned to the employee role.

However on devices (including iPhones) the machine may fail authentication but once at a stage where it passes user credentials (at the windows desktop in the case of laptops) it will pass authentication and gain access to the network.

I'm not sure how I can prevent this from happening? I considered policy matching both the laptop and user, however to my knowledge the device never sends both sets of credentials. It will send machine credentials only in the absence of user credentials. I want to control what devices and what users can connect. Below are some excerpts from our configuration:

aaa authentication dot1x "phnt-dot1x"
machine-authentication enable
machine-authentication machine-default-role "computer"
machine-authentication user-default-role "phtemployee"

aaa profile "phnt-auth-dot1x"
authentication-dot1x "phnt-dot1x"
dot1x-default-role "phtemployee"
dot1x-server-group "pht-auth-dot1x"
no wired-to-wireless-roam

cjoseph · ‎05-15-2009

Jason,

The key is the role that is in the "machine-authentication user-default-role" parameter. That determines what role a device will get if it never passed machine authentication, BUT passed user authentication. That would be iphones, Blackberries, Apple Macs, etc. You could make this role a role that has no firewall policies to block this type of device, entirely. You could alternatively make this role your guest authenticated role-- This would make it so that any of your employees who have valid credentials, but did not pass machine authentication, will have secure, encrypted internet. This would give you additional visibility, as well. The only detail is that the guest authenticated role MUST have a VLAN hardcoded in it so that not only will these consumer devices get the correct policies, but be switched to the correct guest VLAN, and out to the internet.

******************
Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.
******************

jlscott · ‎05-15-2009

Ah thanks again for the clarification. I recall reading this but it can be confusing logic sometimes! :)

Edit:

Having tested this however its not working quite as intended. Machines are correctly authenticating and the logs show the derived role as 'computer' but they're ending in the default machine role (currently set to guest-logon). Its like the system is ignoring the class value passed from the radius server and setting the default role instead.

host/A30383.derriford.phnt.swest.nhs.uk guest-logon 00:02:04 8021x-Machine

May 15 15:59:05 :522039: |authmgr| MAC=00:1c:bf:72:48:62 IP=0.0.0.0 Authentication result=Authentication Successful method=802.1x server=PICTS118
May 15 15:59:05 :522017: |authmgr| MAC=00:1c:bf:72:48:62 IP=0.0.0.0 Derived role 'computer' from server rules: server-group=pht-auth-dot1x, authentication=8021x-Machine
May 15 15:59:05 :522029: |authmgr| MAC=00:1c:bf:72:48:62 Station authenticated: method=8021x-Machine, role=guest-logon, VLAN=60/60/0
May 15 15:59:05 :522008: |authmgr| User authenticated: Name=host/A30383.derriford.phnt.swest.nhs.uk MAC=00:1c:bf:72:48:62 IP=10.177.60.77 method=8021x-Machine server=PICTS118 role=guest-logon

aaa server-group "pht-auth-dot1x"
auth-server PICTS118
auth-server PICTS120
set role condition class equals "computer" set-value computer
set role condition class equals "phtemployee" set-value phtemployee

aaa authentication dot1x "phnt-dot1x"
max-authentication-failures 5
machine-authentication enable
machine-authentication machine-default-role "guest-logon"
machine-authentication user-default-role "phtemployee"
reauth-max 10

Doh!! Just read some of the manual :) I realise now that the machine default role is the one which will apply if the user only passes machine auth. I just assumed the class option and rule derivation would override this. I'll leave this post here as some sort of lesson for others.

cjoseph · ‎05-15-2009

Jason,

If a user passes BOTH machine AND client authentication, then the rules under the server group will apply. If users pass one OR the other, those rules under the server group do NOT come into play. By the way your machine-authentication machine-default-role should be something like "allow all" to permit it to do all that "domain stuff" behind the scenes. This will also allow the user who logs into it to get a login script, etc.

******************
Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.
******************

jlscott · ‎05-18-2009

Its now set as follows:

aaa authentication dot1x "phnt-dot1x"
max-authentication-failures 5
machine-authentication enable
machine-authentication machine-default-role "computer"
machine-authentication user-default-role "guest-logon"
reauth-max 10

aaa server-group "pht-auth-dot1x"
auth-server PICTS118
auth-server PICTS120
set role condition class equals "computer" set-value computer
set role condition class equals "phtemployee" set-value phtemployee

I'm noticing however that some legitimate domain laptops and users are ending up in the guest-logon role despite the fact that their machine passes the conditions set for machine auth. I'm running some user debugs to find out what's happening.

Edit:

I've got one particular user in guest-logon. Searching back through the IAS logs for this machines MAC/Calling Identifier I've discovered that the machine authenticated a full day earlier, around 7.10am. The user authenticated around 11am and remained logged in. I believe the machine auth timeout hit 24 hours and the user transitioned to the guest-logon role because the machine was no longer authenticated but the user was.

Other than increase the machine auth time out is there any other way to work around this issue? I think we have a lot of users leaving themselves logged on longer than 24 hours despite what we tell them to do.

jrobson · ‎05-18-2009

Jason,

We also have the same issue at our locations. Machine authentication only seems to occur prior to logon, so if the user does not have the machine on the wireless network in this condition then the STA will be classified as 802.1x-User. I have also considered extending the 24 hour machine cache, but some of our users only use the wireless network upon undocking and never reach a point where machine authentication occurs. We have yet to find a reliable method to block iPhones and other consumer grade gear from logging on to the wireless network. We are researching a NAC solution but if anyone has had success with any other methods, I would be glad to hear them.

cjoseph · ‎05-18-2009

Gentlemen,

The machine authentication cache timer is there because no two users or organizations have cultures that are the same. Some companies, users logoff and login religiously every 24 hours. Other organizations, users do it much less frequently. You need to tune this timer to that upper limit. Some people say that users will just try to spoof MAC addresses to get on, but it is very difficult for most consumer devices to change their MAC addresses, if impossible. In addition, it is difficult to be on the controller at the same time as another user with the same mac address.

If you are truly paranoid (nothing wrong with that) and want to do something like tie a mac address to a particular user in AD, the link below will allow you to do that:

http://blogs.technet.com/nap/archive/2006/09/08/454705.aspx

******************
Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.
******************

jlscott · ‎05-20-2009

Thanks Colin. I've tuned ours to 72 hours but looking to our systems team to tweak group policies to force a maximum logon time. If users end up in the incorrect role because they've stayed logged on too long then hopefully it will teach them to alter their behaviour :)

DanStanford · ‎03-15-2010

I wonder if using certificates is another way to control which devices connect? Is anyone using this successfuly?

awl · ‎03-15-2010

Switching to EAP-TLS will work, but remember that you need the infrastructure in place to produce the certificates and to load them on every device. There are some very large organizations that do this, but it is not a trivial exercise to deploy certificates to every machine in your organization.

-awl

Andy Logan, ACDX
Director, Strategic Account Solutions
Aruba Networks

Security, WIDS/WIPS and Aruba ECS

Machine & User Authentication - iPhones getting online

Machine & User Authentication - iPhones getting online

Enforce Machine Authentication

Enforce Machine Authentication

Re: Machine & User Authentication - iPhones getting online

Re: Machine & User Authentication - iPhones getting online

Machine Authentication

Machine Authentication

Re: Machine & User Authentication - iPhones getting online

Re: Machine & User Authentication - iPhones getting online

Re: Machine & User Authentication - iPhones getting online

Re: Machine & User Authentication - iPhones getting online

Extending Machine Authentication Cache

Extending Machine Authentication Cache

Re: Machine & User Authentication - iPhones getting online

Re: Machine & User Authentication - iPhones getting online

Re: Machine & User Authentication - iPhones getting online

Re: Machine & User Authentication - iPhones getting online

Re: Machine & User Authentication - iPhones getting online

Re: Machine & User Authentication - iPhones getting online

Follow Us