Machine & User Authentication - iPhones getting online
05-15-2009 02:47 AM
I've set up the system to authenticate machines against Active Directory (checking that the machine account is part of the Wireless Devices security group). On success the machine is placed into the 'computer' role. When a user logs on, their credentials are checked against AD and, if they're a domain user, they are granted access and transitioned to the employee role.
However, on devices (including iPhones) the machine may fail authentication, but once it reaches a stage where it passes user credentials (at the Windows desktop in the case of laptops) it will pass authentication and gain access to the network.
I'm not sure how I can prevent this from happening. I considered a policy matching both the laptop and the user; however, to my knowledge the device never sends both sets of credentials. It will send machine credentials only in the absence of user credentials. I want to control what devices and what users can connect. Below are some excerpts from our configuration:
aaa authentication dot1x "phnt-dot1x"
   machine-authentication enable
   machine-authentication machine-default-role "computer"
   machine-authentication user-default-role "phtemployee"
aaa profile "phnt-auth-dot1x"
   authentication-dot1x "phnt-dot1x"
   dot1x-default-role "phtemployee"
   dot1x-server-group "pht-auth-dot1x"
   no wired-to-wireless-roam
Enforce Machine Authentication
05-15-2009 06:37 AM
The key is the role that is in the "machine-authentication user-default-role" parameter. That determines what role a device will get if it never passed machine authentication BUT passed user authentication. That would be iPhones, Blackberries, Apple Macs, etc. You could make this role a role that has no firewall policies, to block this type of device entirely. You could alternatively make this role your guest authenticated role. This would make it so that any of your employees who have valid credentials, but did not pass machine authentication, will have secure, encrypted internet. This would give you additional visibility as well. The only detail is that the guest authenticated role MUST have a VLAN hardcoded in it so that these consumer devices will not only get the correct policies, but also be switched to the correct guest VLAN and out to the internet.
Colin Joseph
Aruba Customer Engineering
Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
Re: Machine & User Authentication - iPhones getting online
05-15-2009 07:12 AM
Edit:
Having tested this, however, it's not working quite as intended. Machines are correctly authenticating and the logs show the derived role as 'computer', but they're ending up in the default machine role (currently set to guest-logon). It's like the system is ignoring the class value passed from the RADIUS server and setting the default role instead.
host/A30383.derriford.phnt.swest.nhs.uk guest-logon 00:02:04 8021x-Machine
May 15 15:59:05 :522039:|authmgr| MAC=00:1c:bf:72:48:62 IP=0.0.0.0 Authentication result=Authentication Successful method=802.1x server=PICTS118
May 15 15:59:05 :522017:|authmgr| MAC=00:1c:bf:72:48:62 IP=0.0.0.0 Derived role 'computer' from server rules: server-group=pht-auth-dot1x, authentication=8021x-Machine
May 15 15:59:05 :522029:|authmgr| MAC=00:1c:bf:72:48:62 Station authenticated: method=8021x-Machine, role=guest-logon, VLAN=60/60/0
May 15 15:59:05 :522008:|authmgr| User authenticated: Name=host/A30383.derriford.phnt.swest.nhs.uk MAC=00:1c:bf:72:48:62 IP=10.177.60.77 method=8021x-Machine server=PICTS118 role=guest-logon
aaa server-group "pht-auth-dot1x"
   auth-server PICTS118
   auth-server PICTS120
   set role condition class equals "computer" set-value computer
   set role condition class equals "phtemployee" set-value phtemployee
aaa authentication dot1x "phnt-dot1x"
   max-authentication-failures 5
   machine-authentication enable
   machine-authentication machine-default-role "guest-logon"
   machine-authentication user-default-role "phtemployee"
   reauth-max 10
Doh!! Just read some of the manual :) I realise now that the machine default role is the one which will apply if the user only passes machine auth. I just assumed the class option and rule derivation would override this. I'll leave this post here as some sort of lesson for others.
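The authmgr lines quoted in this post are the evidence that settles the question: the "Derived role" line shows what the server-group rule produced, and the "Station authenticated" line shows what the station was actually given. The following is an added example, not part of the thread or of ArubaOS: a small parser that folds these lines into one record per station MAC and lists the stations whose derived role and assigned role disagree, tagging whether the mismatch happened in the machine or the user phase. The first four sample lines are the ones quoted above; the second station (00:11:22:33:44:55) is a constructed user-phase session added for contrast, and the regular expressions assume the line layout shown in the post.

```python
import re
from collections import defaultdict

# Sample authmgr output. The 00:1c:bf:72:48:62 lines are the ones quoted in the post;
# the 00:11:22:33:44:55 lines are constructed for contrast (same layout, user phase).
SAMPLE_LOG = """\
May 15 15:59:05 :522039:|authmgr| MAC=00:1c:bf:72:48:62 IP=0.0.0.0 Authentication result=Authentication Successful method=802.1x server=PICTS118
May 15 15:59:05 :522017:|authmgr| MAC=00:1c:bf:72:48:62 IP=0.0.0.0 Derived role 'computer' from server rules: server-group=pht-auth-dot1x, authentication=8021x-Machine
May 15 15:59:05 :522029:|authmgr| MAC=00:1c:bf:72:48:62 Station authenticated: method=8021x-Machine, role=guest-logon, VLAN=60/60/0
May 15 15:59:05 :522008:|authmgr| User authenticated: Name=host/A30383.derriford.phnt.swest.nhs.uk MAC=00:1c:bf:72:48:62 IP=10.177.60.77 method=8021x-Machine server=PICTS118 role=guest-logon
May 15 16:02:11 :522017:|authmgr| MAC=00:11:22:33:44:55 IP=0.0.0.0 Derived role 'phtemployee' from server rules: server-group=pht-auth-dot1x, authentication=8021x-User
May 15 16:02:11 :522029:|authmgr| MAC=00:11:22:33:44:55 Station authenticated: method=8021x-User, role=phtemployee, VLAN=60/60/0
"""

MAC = r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
# Role the server-group rules produced, plus which 802.1X phase produced it.
DERIVED_RE = re.compile(
    MAC + r" .*Derived role '(?P<role>[^']+)' from server rules: .*authentication=(?P<method>\S+)")
# Role and VLAN the station was actually placed in.
STATION_RE = re.compile(
    MAC + r" Station authenticated: method=(?P<method>[^,]+), role=(?P<role>[^,]+), VLAN=(?P<vlan>\S+)")
# Identity (host/... for machine auth, a user name for user auth).
USER_RE = re.compile(r"User authenticated: Name=(?P<name>\S+) MAC=" + MAC + r" .*role=(?P<role>\S+)")


def parse_authmgr(text):
    """Collapse authmgr lines into one dict per station MAC."""
    stations = defaultdict(dict)
    for line in text.splitlines():
        m = DERIVED_RE.search(line)
        if m:
            stations[m["mac"]].update(derived_role=m["role"], method=m["method"])
            continue
        m = STATION_RE.search(line)
        if m:
            stations[m["mac"]].update(assigned_role=m["role"], vlan=m["vlan"])
            continue
        m = USER_RE.search(line)
        if m:
            stations[m["mac"]]["name"] = m["name"]
    return dict(stations)


def role_mismatches(stations):
    """Stations whose server-rule role is not the role they ended up in.

    With machine authentication enabled, a station that passed only one of the
    two authentications is given the profile's default role for that case, so a
    mismatch in the machine phase is the expected outcome of that rule, not a
    sign that the RADIUS class attribute was lost.
    """
    out = []
    for mac, s in sorted(stations.items()):
        if "derived_role" in s and "assigned_role" in s and s["derived_role"] != s["assigned_role"]:
            phase = "machine" if s["method"] == "8021x-Machine" else "user"
            out.append({"mac": mac, "auth_phase": phase,
                        "derived": s["derived_role"], "assigned": s["assigned_role"]})
    return out


if __name__ == "__main__":
    for hit in role_mismatches(parse_authmgr(SAMPLE_LOG)):
        print(f"{hit['mac']}: {hit['auth_phase']} phase derived {hit['derived']!r} "
              f"but station placed in {hit['assigned']!r}")
```

Run against the sample, it reports exactly one mismatch, the machine-phase session from the post: derived 'computer', placed in 'guest-logon'. The constructed user-phase station is consistent and stays quiet, which is the distinction a defender wants when reading these logs in bulk.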
Machine Authentication
05-15-2009 09:35 AM
If a user passes BOTH machine AND client authentication, then the rules under the server group will apply. If users pass one OR the other, those rules under the server group do NOT come into play. By the way your machine-authentication machine-default-role should be something like "allow all" to permit it to do all that "domain stuff" behind the scenes. This will also allow the user who logs into it to get a login script, etc.
Colin Joseph
Aruba Customer Engineering
Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
Re: Machine & User Authentication - iPhones getting online
05-18-2009 03:35 AM
aaa authentication dot1x "phnt-dot1x"
   max-authentication-failures 5
   machine-authentication enable
   machine-authentication machine-default-role "computer"
   machine-authentication user-default-role "guest-logon"
   reauth-max 10
aaa server-group "pht-auth-dot1x"
   auth-server PICTS118
   auth-server PICTS120
   set role condition class equals "computer" set-value computer
   set role condition class equals "phtemployee" set-value phtemployee
I'm noticing, however, that some legitimate domain laptops and users are ending up in the guest-logon role despite the fact that their machine passes the conditions set for machine auth. I'm running some user debugs to find out what's happening.
Edit:
I've got one particular user in guest-logon. Searching back through the IAS logs for this machine's MAC/Calling Identifier, I've discovered that the machine authenticated a full day earlier, around 7:10am. The user authenticated around 11am and remained logged in. I believe the machine auth timeout hit 24 hours and the user transitioned to the guest-logon role because the machine was no longer authenticated but the user was.
Other than increasing the machine auth timeout, is there any other way to work around this issue? I think we have a lot of users leaving themselves logged on longer than 24 hours despite what we tell them to do.
Re: Machine & User Authentication - iPhones getting online
05-18-2009 06:05 AM
We also have the same issue at our locations. Machine authentication only seems to occur prior to logon, so if the user does not have the machine on the wireless network in this condition then the STA will be classified as 802.1x-User. I have also considered extending the 24 hour machine cache, but some of our users only use the wireless network upon undocking and never reach a point where machine authentication occurs. We have yet to find a reliable method to block iPhones and other consumer grade gear from logging on to the wireless network. We are researching a NAC solution but if anyone has had success with any other methods, I would be glad to hear them.
Extending Machine Authentication Cache
05-18-2009 08:31 PM
The machine authentication cache timer is there because no two users or organizations have cultures that are the same. At some companies, users log off and log in religiously every 24 hours; at other organizations, users do it much less frequently. You need to tune this timer to that upper limit. Some people say that users will just try to spoof MAC addresses to get on, but it is very difficult, if not impossible, for most consumer devices to change their MAC addresses. In addition, it is difficult to be on the controller at the same time as another user with the same MAC address.
If you are truly paranoid (nothing wrong with that) and want to do something like tie a mac address to a particular user in AD, the link below will allow you to do that:
http://blogs.technet.com/nap/archive/2006/09/08/454705.aspx
Colin Joseph
Aruba Customer Engineering
Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
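The rule Colin states in his "Machine Authentication" reply (both machine and user auth passed: server-group rules apply; only one of them: the matching default role from the dot1x profile applies) and the 24-hour cache expiry described in the later posts combine into a small decision procedure. The following is an added example that models that procedure in Python; it is not code from the thread or from ArubaOS. The profile and rule values are taken from the configurations quoted in the thread, the timeline (machine auth at 07:10 on day one, user logon at 11:00, still logged in the next morning) is constructed from the description in the post above, and the use of the aaa profile's dot1x-default-role as the fallback when no server rule matches is an assumption made here.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Dot1xProfile:
    """The parts of 'aaa authentication dot1x' that decide the role."""
    machine_auth_enabled: bool
    machine_default_role: str
    user_default_role: str
    machine_auth_cache: timedelta = timedelta(hours=24)  # the timeout the thread discusses


# The 'set role condition class equals X set-value Y' lines from the server group.
SERVER_RULES = [("computer", "computer"), ("phtemployee", "phtemployee")]


def server_rule_role(radius_attrs, rules=SERVER_RULES):
    """First server-group rule whose class value matches the RADIUS reply."""
    for wanted, role in rules:
        if radius_attrs.get("class") == wanted:
            return role
    return None


def derive_role(profile, machine_auth_at, user_auth_at, now, radius_attrs,
                fallback_role="phtemployee"):
    """Role a station ends up in at time `now`.

    both machine and user auth valid -> server-group rules (fallback assumed to be
    the aaa profile's dot1x-default-role); machine only -> machine-default-role;
    user only -> user-default-role. A machine auth older than the cache timer no
    longer counts, which is what moves a long-running logon into the user-only case.
    """
    machine_ok = machine_auth_at is not None and now - machine_auth_at < profile.machine_auth_cache
    user_ok = user_auth_at is not None and user_auth_at <= now
    if not (machine_ok or user_ok):
        return None  # not authenticated at all
    if not profile.machine_auth_enabled or (machine_ok and user_ok):
        return server_rule_role(radius_attrs) or fallback_role
    return profile.machine_default_role if machine_ok else profile.user_default_role


# Profiles as quoted in the thread: the original post, and after Colin's advice.
ORIGINAL = Dot1xProfile(True, "computer", "phtemployee")
FIXED = Dot1xProfile(True, "computer", "guest-logon")
# Constructed timeline matching the later post's description.
DAY1_0710 = datetime(2009, 5, 17, 7, 10)
DAY1_1100 = datetime(2009, 5, 17, 11, 0)
DAY2_0715 = datetime(2009, 5, 18, 7, 15)


def scenarios():
    """Each situation raised in the thread, and the role it yields."""
    emp = {"class": "phtemployee"}
    return {
        # iPhone with valid domain credentials but no machine account
        "iphone_original": derive_role(ORIGINAL, None, DAY1_1100, DAY1_1100, emp),
        "iphone_fixed": derive_role(FIXED, None, DAY1_1100, DAY1_1100, emp),
        # machine-only auth with class=computer while machine-default-role is guest-logon
        "machine_only": derive_role(Dot1xProfile(True, "guest-logon", "phtemployee"),
                                    DAY1_0710, None, DAY1_0710, {"class": "computer"}),
        # domain laptop: both passed, inside the cache window
        "laptop_both": derive_role(FIXED, DAY1_0710, DAY1_1100, DAY1_1100, emp),
        # same laptop the next morning: machine auth aged out, user still logged in
        "laptop_cache_expired": derive_role(FIXED, DAY1_0710, DAY1_1100, DAY2_0715, emp),
        # same again with the cache timer raised to 48 hours
        "laptop_cache_extended": derive_role(
            Dot1xProfile(True, "computer", "guest-logon", timedelta(hours=48)),
            DAY1_0710, DAY1_1100, DAY2_0715, emp),
    }


if __name__ == "__main__":
    for name, role in scenarios().items():
        print(f"{name:22s} -> {role}")
```

The outcomes line up with the thread: the iPhone lands in phtemployee under the original profile and in guest-logon once user-default-role is changed; the machine-only station gets guest-logon regardless of the class attribute; and the laptop falls from phtemployee to guest-logon once its machine auth is older than the cache timer, which raising the timer avoids. The assumed dot1x-default-role fallback only matters when both phases pass and no server rule matches, which none of these scenarios exercise.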
Re: Machine & User Authentication - iPhones getting online
05-20-2009 08:45 AM
Re: Machine & User Authentication - iPhones getting online
03-15-2010 07:20 AM
Re: Machine & User Authentication - iPhones getting online
03-15-2010 03:58 PM
-awl
Director, Strategic Account Solutions
Aruba Networks