Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

802.1X machine authentication issue

  • 1.  802.1X machine authentication issue

    Posted Nov 28, 2014 05:10 AM

    Dear all,

    In my network I have two SSIDs:

    1.- SSID: employees

                    - machine authentication + user authentication

    2.- SSID: directors

                    - user authentication only.

    The authentication of the first SSID is perfect.

    And I'm using only one NPS server for the two. The problem is that users from the employee group with only "machine authentication" can access the directors SSID, and they get the 802.1X authenticated role.

    What can I do to fix that?



  • 2.  RE: 802.1X machine authentication issue

    EMPLOYEE
    Posted Nov 28, 2014 06:38 AM

    Unfortunately,

     

    NPS does not understand when a device has both machine + user authenticated successfully.  You cannot enforce that state with NPS.

     

    You have two choices:

     

    1.  Use a different server like ClearPass Policy Manager that keeps track of the user + machine authentication status

     

    2.  Use "Enforce Machine Authentication" in the 802.1x profile of the Aruba Controller.  http://community.arubanetworks.com/t5/Controller-Based-WLANs/How-does-machine-authentication-work-on-the-Aruba-controller/ta-p/183440



  • 3.  RE: 802.1X machine authentication issue

    Posted Nov 29, 2014 11:48 AM

    First, thank you for the answer.

    But my problem is with the second profile. The first profile does both authentications (user and machine) and it works perfectly, but for the second I want to use user authentication only. When I connect to this profile (the second) it does machine authentication, and the user gets the 802.1X authenticated role, and that is abnormal.



  • 4.  RE: 802.1X machine authentication issue

    EMPLOYEE
    Posted Nov 29, 2014 12:01 PM
    The client controls what type of authentication is attempted. If you only want a client to do user authentication, you need to configure that on the client.


  • 5.  RE: 802.1X machine authentication issue

    Posted Dec 06, 2014 04:17 AM

    The problem is not in the Aruba controller but in Windows, because Windows takes only the first authentication, so to do both authentications you have to manually change the authentication from user authentication to machine authentication and vice versa.

    Thank you for your help.



  • 6.  RE: 802.1X machine authentication issue

    EMPLOYEE
    Posted Dec 06, 2014 10:17 AM
    Yes. This is by design. If you are using machine authentication then the device is joined to the domain, so the expectation is that you will use group policy to configure the network settings to use both machine and user.


  • 7.  RE: 802.1X machine authentication issue

    Posted Dec 06, 2014 12:57 PM

    @cappalli wrote:
    Yes. This is by design. If you are using machine authentication then the device is joined to the domain, so the expectation is that you will use group policy to configure the network settings to use both machine and user.

    In Windows there are 4 choices:

    user or machine authentication

    user authentication

    machine authentication

    guest authentication

    and we have tried all of them.

    If you have any tutorial or how-to, please give it to me.



  • 8.  RE: 802.1X machine authentication issue

    EMPLOYEE
    Posted Dec 15, 2014 04:39 PM
    For AD-joined devices, you would use user + machine.


  • 9.  RE: 802.1X machine authentication issue

    Posted Dec 16, 2014 04:48 AM

    rchahboune

     

    If you select the "User or Machine authentication" this will be the login process for AD machines when configured as suggested above:

     

    Windows boots into windows = "Machine Authenticated"

    User then successfully logs in with his AD username/password = State moves to "User Authenticated"

     

    With "Enforce Machine Authentication" on the Aruba Controller you will then land in the 802.1x default role for the AAA profile.

    If just one of the authentications is successful, the role according to the .1x will trigger.

     

    Check out pages 251-253 of the 6.4 User Guide.
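
The role outcomes described in the replies above, as an added example that is not part of the thread and not Aruba's code: a simplified Python model of a controller tracking machine and user 802.1X results per client MAC, with "Enforce Machine Authentication" off and on. The role names, the 24-hour cache lifetime, the `host/` identity prefix used to recognise a machine logon, and the sample events are all assumptions made for illustration.

```python
# Simplified model of controller-side "Enforce Machine Authentication".
# Role names, cache lifetime and the "host/" prefix test are assumptions.
from dataclasses import dataclass, field

MACHINE_DEFAULT_ROLE = "machine-only"   # hypothetical: machine passed, user not yet
USER_DEFAULT_ROLE = "user-only"         # hypothetical: user passed, machine unknown
DOT1X_DEFAULT_ROLE = "authenticated"    # 802.1X default role of the AAA profile
CACHE_TTL = 24 * 3600                   # assumed machine-auth cache lifetime (s)


@dataclass
class Controller:
    enforce_machine_auth: bool
    machine_cache: dict = field(default_factory=dict)  # MAC -> time of machine auth

    def on_auth_success(self, mac: str, identity: str, now: int) -> str:
        """Return the role assigned after one successful 802.1X authentication."""
        is_machine = identity.lower().startswith("host/")
        if not self.enforce_machine_auth:
            # Without enforcement any successful 802.1X logon, machine or
            # user, lands in the default role (the behaviour in post 1).
            return DOT1X_DEFAULT_ROLE
        if is_machine:
            self.machine_cache[mac] = now
            return MACHINE_DEFAULT_ROLE
        seen = self.machine_cache.get(mac)
        if seen is not None and now - seen <= CACHE_TTL:
            return DOT1X_DEFAULT_ROLE   # machine and user both authenticated
        return USER_DEFAULT_ROLE        # user passed, machine never seen or expired


def replay(controller, events):
    """Feed (mac, identity, timestamp) events through the model in order."""
    return [controller.on_auth_success(*e) for e in events]


# Constructed sample events: (client MAC, 802.1X identity, time in seconds)
EVENTS = [
    ("aa:bb:cc:00:00:01", "host/PC-EMP-01.corp.example", 0),    # domain PC boots
    ("aa:bb:cc:00:00:01", "CORP\\alice", 60),                   # user logs on
    ("aa:bb:cc:00:00:02", "CORP\\bob", 120),                    # non-domain device
    ("aa:bb:cc:00:00:01", "CORP\\alice", 60 + CACHE_TTL + 1),   # cache expired
]

if __name__ == "__main__":
    for enforce in (False, True):
        print(f"enforce={enforce}: {replay(Controller(enforce), EVENTS)}")
```

With enforcement off, the machine-only logon in the first event already receives the full default role; with it on, that logon is confined to the machine-only role until a user logon from the same MAC follows.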