Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

802.1x Machine Authentication Using Aruba 3600 Controllers and Microsoft NPS

  • 1.  802.1x Machine Authentication Using Aruba 3600 Controllers and Microsoft NPS

    Posted Mar 01, 2012 12:02 PM

    Situation:

     

    I need to get Machine Authentication working properly over wireless for a small subset of my clients.  We use WPA2 Enterprise authentication, and these clients are usually failing on boot with an error that they can't reach an AD server.

     

    Hardware:

     

    Aruba 3600 Controller (ArubaOS 5.0.3.3) - I do NOT have the PEF module

    Aruba AP105 Access Points

    Microsoft Windows 2008R2 NPS Server

    Microsoft Windows 7 Enterprise Client

     

    ==================================

     

    These things seem to randomly decide when they want to work.  Sometimes you'll boot and it will authenticate a non-cached user with no issue.  Others will fail miserably.  In the few things I've seen on the forums that have matched my situation, it looks like most everyone has the PEF-NG module, so I'm hoping this is not a requirement to allow machine auth.

     

    Has anyone got this working?  It seems like voodoo magic to me at the moment... but I'm not an AD guy at all :-)


    #3600


  • 2.  RE: 802.1x Machine Authentication Using Aruba 3600 Controllers and Microsoft NPS
    Best Answer

    Posted Mar 01, 2012 05:53 PM

    PEF-NG is not required for machine authentication.  Having PEF-NG would allow you to place clients into different roles (with unique firewall policies) based upon AD security groups and to prevent users from connecting to your network with non-domain devices among other things.

     

    Check the following:

     

    1) Ensure that Termination is disabled in the 802.1X authentication profile

    2) Verify that the remote access policy on NPS includes authentication from Domain Computers

    3) Verify that the clients are configured to authenticate with machine credentials

    4) Verify that the client has the public cert for the CA which issued a cert to the RADIUS server

     

    If things still are not working, look at the NPS logs in event viewer and see what reason is given for clients that are rejected. 
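
One way to carry out the NPS log check suggested in the post above, as an added example that is not part of the original posts. It assumes NPS records rejections as event ID 6273 in the Security log and that machine identities appear as `host/...` or as a name ending in `$`; the function name and the sample event are constructed for illustration.

```powershell
# Added example: summarise NPS rejections (Security log, event ID 6273) for machine accounts.
# Constructed sample event, trimmed to the fields used below; all values are made up.
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>6273</EventID></System>
  <EventData>
    <Data Name="SubjectUserName">host/LAPTOP01.example.local</Data>
    <Data Name="CallingStationID">00-11-22-33-44-55</Data>
    <Data Name="NetworkPolicyName">Wireless Users (constructed)</Data>
    <Data Name="AuthenticationType">PEAP</Data>
    <Data Name="ReasonCode">0</Data>
    <Data Name="Reason">Constructed reason text.</Data>
  </EventData>
</Event>
'@

# Hypothetical helper: turns one event's XML into an object with the fields worth reading.
function ConvertFrom-NpsEventXml {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Xml)
    process {
        # Collect the named <Data> elements into a lookup table.
        $fields = @{}
        foreach ($d in ([xml]$Xml).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
        $user = $fields['SubjectUserName']
        [pscustomobject]@{
            User       = $user
            # Assumption: machine credentials show up as host/<fqdn> or <name>$.
            IsMachine  = ($user -like 'host/*') -or ($user -like '*$')
            ClientMac  = $fields['CallingStationID']
            Policy     = $fields['NetworkPolicyName']
            AuthType   = $fields['AuthenticationType']
            ReasonCode = $fields['ReasonCode']
            Reason     = $fields['Reason']
        }
    }
}

# Offline run against the constructed sample.
$sampleXml | ConvertFrom-NpsEventXml | Where-Object IsMachine | Format-List

# On the NPS server (elevated prompt), feed real events instead of the sample:
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=6273; StartTime=(Get-Date).AddDays(-1)} |
#   ForEach-Object { $_.ToXml() } | ConvertFrom-NpsEventXml | Where-Object IsMachine |
#   Group-Object ReasonCode, Reason | Sort-Object Count -Descending
```

Grouping by reason shows whether the machine rejections cluster on one cause, such as no matching network policy or a certificate problem, which maps back to items 2 and 4 in the checklist.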



  • 3.  RE: 802.1x Machine Authentication Using Aruba 3600 Controllers and Microsoft NPS

    Posted Mar 02, 2012 02:04 PM

    @xdrewpjx wrote:

     

    Check the following:

     

    1) Ensure that Termination is disabled in the 802.1X authentication profile

    2) Verify that the remote access policy on NPS includes authentication from Domain Computers

    3) Verify that the clients are configured to authenticate with machine credentials

    4) Verify that the client has the public cert for the CA which issued a cert to the RADIUS server


    I'm betting my problem is #2 here.  Not being an AD guy with control over these things, I'm betting my NPS admin never set this up.  I'll follow up with my findings!



  • 4.  RE: 802.1x Machine Authentication Using Aruba 3600 Controllers and Microsoft NPS

    Posted Mar 08, 2012 03:49 PM

    Sort of all of the above here.  We're up and running now though!



  • 5.  RE: 802.1x Machine Authentication Using Aruba 3600 Controllers and Microsoft NPS

    Posted Mar 02, 2012 06:52 AM

    Go through this document. In my organisation we also did the same, but we have the PEF license.