MVP
Posts: 330
Registered: ‎04-25-2013

802.1X machine authentication issue

Dear all,

In my network I have two SSIDs:

1.- SSID: employees

                - machine authentication + user authentication

2.- SSID: directors

                - user authentication only.

The authentication of the first SSID is perfect.

And I'm using only one NPS server for the two. The problem is that users from the employee group with only "machine authentication" can access the directors SSID, and they get the 802.1X authenticated role.

How can I fix that?

Raouf CHAHBOUNE
ICT Network & Security Engineer
CCNP R/S | CCNA Security | ACMP|ACDX



[If my post is helpful please give kudos, or mark as solved if it answers your post.]
Guru Elite
Posts: 20,810
Registered: ‎03-29-2007

Re: 802.1X machine authentication issue

Unfortunately, NPS does not understand when a device has both machine + user authenticated successfully.  You cannot enforce that state with NPS.

You have two choices:

1.  Use a different server like ClearPass Policy Manager that keeps track of the user + machine authentication status

2.  Use "Enforce Machine Authentication" in the 802.1x profile of the Aruba Controller.  http://community.arubanetworks.com/t5/Controller-Based-WLANs/How-does-machine-authentication-work-on-the-Aruba-controller/ta-p/183440



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

MVP
Posts: 330
Registered: ‎04-25-2013

Re: 802.1X machine authentication issue

First thank you for the answer.

But my problem is with the second profile. The first profile does both authentications (user and machine) and it works perfectly, but for the second I want to use user authentication only. When I connect to this profile (the second), it does machine authentication and the user gets the 802.1X authenticated role, which is not normal.

Raouf CHAHBOUNE
ICT Network & Security Engineer
CCNP R/S | CCNA Security | ACMP|ACDX



Guru Elite
Posts: 20,810
Registered: ‎03-29-2007

Re: 802.1X machine authentication issue

The client controls what type of authentication is attempted. If you only want a client to do user authentication, you need to configure that on the client.


Colin Joseph
Aruba Customer Engineering


MVP
Posts: 330
Registered: ‎04-25-2013

Re: 802.1X machine authentication issue

The problem is not in the Aruba controller but in Windows, because Windows takes only the first authentication, so to do both authentications you have to manually change the authentication from user authentication to machine authentication and vice versa.

Thank you for your help.

 

 

Raouf CHAHBOUNE
ICT Network & Security Engineer
CCNP R/S | CCNA Security | ACMP|ACDX



Guru Elite
Posts: 8,333
Registered: ‎09-08-2010

Re: 802.1X machine authentication issue

Yes. This is by design. If you are using machine authentication, then the device is joined to the domain, so the expectation is that you will use group policy to configure the network settings to use both machine and user.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 330
Registered: ‎04-25-2013

Re: 802.1X machine authentication issue


cappalli wrote:
Yes. This is by design. If you are using machine authentication, then the device is joined to the domain, so the expectation is that you will use group policy to configure the network settings to use both machine and user.

In Windows there are 4 choices:

user or machine authentication

user authentication

machine authentication

guest authentication

and we have tried all of them.

If you have any tutorial or how-to, please give it to me.

Raouf CHAHBOUNE
ICT Network & Security Engineer
CCNP R/S | CCNA Security | ACMP|ACDX



Guru Elite
Posts: 8,333
Registered: ‎09-08-2010

Re: 802.1X machine authentication issue

For AD-joined devices, you would use user + machine.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
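
Added example, not part of the thread: since the client decides which authentication it attempts, one way to check what each Windows WLAN profile is set to is to read the `authMode` element of an exported profile (values `machineOrUser`, `user`, `machine`, `guest`, matching the four choices listed above) and compare it with the intended policy per SSID. The sample profiles are constructed and trimmed, and the policy table is an assumption taken from the first post.

```python
import xml.etree.ElementTree as ET

# XML namespaces of a Windows WLAN profile and its 802.1X (OneX) section.
NS = {
    "wlan": "http://www.microsoft.com/networking/WLAN/profile/v1",
    "onex": "http://www.microsoft.com/networking/OneX/v1",
}

# Intended policy from the thread (SSID names as written in the first post).
EXPECTED = {"employees": "machineOrUser", "directors": "user"}

# Constructed sample, trimmed to the elements this check reads.
TEMPLATE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>{ssid}</name>
  <SSIDConfig><SSID><name>{ssid}</name></SSID></SSIDConfig>
  <MSM><security>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <authMode>{mode}</authMode>
    </OneX>
  </security></MSM>
</WLANProfile>"""
SAMPLE_PROFILES = [
    TEMPLATE.format(ssid="employees", mode="machineOrUser"),
    TEMPLATE.format(ssid="directors", mode="machineOrUser"),  # wrong for this SSID
]


def read_auth_mode(profile_xml):
    """Return (ssid, authMode); authMode is None when the profile does not set it."""
    root = ET.fromstring(profile_xml)
    ssid = root.findtext("wlan:SSIDConfig/wlan:SSID/wlan:name", namespaces=NS)
    mode = root.findtext(".//onex:OneX/onex:authMode", namespaces=NS)
    return ssid, mode


def audit(profiles, expected=EXPECTED):
    """List (ssid, found, wanted) for every profile whose authMode differs from policy."""
    findings = []
    for xml_text in profiles:
        ssid, mode = read_auth_mode(xml_text)
        if ssid in expected and mode != expected[ssid]:
            findings.append((ssid, mode, expected[ssid]))
    return findings


if __name__ == "__main__":
    for ssid, found, wanted in audit(SAMPLE_PROFILES):
        print(f"{ssid}: authMode={found!r}, policy wants {wanted!r}")
```
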
MVP
Posts: 512
Registered: ‎05-11-2011

Re: 802.1X machine authentication issue

rchahboune

 

If you select the "User or Machine authentication" this will be the login process for AD machines when configured as suggested above:

 

Windows boots into windows = "Machine Authenticated"

User then successfully logs in with his AD username/password = State moves to "User Authenticated"

 

With "Enforce Machine Authentication" on the Aruba Controller you will then land in the 802.1x default role for the AAA profile.

If just one of the authentications is successful, the role according to the .1x will trigger.

 

Check out pages 251-253 of the 6.4 User Guide.


Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
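
Added example, not from the thread or from Aruba: a small model of the role decision described above, showing why a RADIUS server that does not track state gives a machine-only client the 802.1X authenticated role, while a controller that remembers machine authentication per MAC address can tell the cases apart. The role names and the cache lifetime are placeholders chosen for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Dot1xProfile:
    """Toy model of role assignment after a successful 802.1X authentication."""
    enforce_machine_auth: bool
    dot1x_default_role: str = "authenticated"    # 802.1X default role of the AAA profile
    machine_default_role: str = "machine-only"   # placeholder: machine auth succeeded alone
    user_default_role: str = "user-only"         # placeholder: user auth succeeded alone
    cache_timeout_s: int = 24 * 3600             # assumed lifetime of a remembered machine auth
    machine_cache: dict = field(default_factory=dict)  # MAC -> time of last machine auth

    def on_auth_success(self, mac, kind, now):
        """kind is 'machine' or 'user'; now is a timestamp in seconds. Returns the role."""
        if not self.enforce_machine_auth:
            # No state is tracked: any accepted authentication gets the same role.
            return self.dot1x_default_role
        if kind == "machine":
            self.machine_cache[mac] = now
            return self.machine_default_role
        seen = self.machine_cache.get(mac)
        if seen is not None and now - seen <= self.cache_timeout_s:
            return self.dot1x_default_role       # both machine and user have succeeded
        return self.user_default_role            # user only, or machine auth too old


def walkthrough():
    """Boot then logon on a domain PC, then a user logon from a device never machine-authenticated."""
    mac_pc, mac_byod = "00:11:22:33:44:55", "66:77:88:99:aa:bb"  # constructed MACs
    p = Dot1xProfile(enforce_machine_auth=True)
    return [
        p.on_auth_success(mac_pc, "machine", now=0),    # Windows boots
        p.on_auth_success(mac_pc, "user", now=60),      # AD user logs in
        p.on_auth_success(mac_byod, "user", now=60),    # user credentials, unknown machine
    ]


if __name__ == "__main__":
    print(walkthrough())
    print(Dot1xProfile(enforce_machine_auth=False).on_auth_success("00:11:22:33:44:55", "machine", 0))
```
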