01-27-2015 06:50 AM
At this moment I configured 802.1x with a 2008 RADIUS server to authenticate computers and users, which works fine. But non-domain devices (like iPhones) can also authenticate to the wireless network as long as they provide a valid domain user account. Is there a way to configure this differently so users can only authenticate when they're on a valid domain computer?
01-27-2015 06:51 AM - edited 01-27-2015 07:39 AM
You have 3 options:
1) Use enforce machine authentication in the controller
2) Utilize ClearPass Policy Manager for advanced device identity
3) Issue client certificates to domain devices via GPO and restrict connections to EAP-TLS.
01-27-2015 07:39 AM - edited 01-27-2015 07:41 AM
Hi Tim, thanks for your fast response :)
I enabled Enforce Machine Authentication in the relevant 802.1x auth profile, but I can still connect my iPhone as long as I provide a valid domain account. Any thoughts?
Edit: seems like we cross posted :) I will read the link you provided!
01-27-2015 09:01 AM
01-27-2015 01:07 PM
I wrote a post about this issue a few months back:
It's a more advanced config in ClearPass, but it allows you to do Computer and User auth at the same time.
Hope it helps!
01-28-2015 04:31 AM - edited 01-28-2015 07:28 AM
Thanks for all the info guys, I fixed it by enabling "Enforce Machine Authentication" and removing the user auth option from the RADIUS server.
Edit: This isn't a workable situation tbh, I tested some more and if the Machine Auth expires (e.g. the laptop goes to sleep) the user can't authenticate anymore and is denied network access.
I set up a Windows 2012 R2 NPS Server, this might provide me the options I require. I'll report back if I have more info))
02-02-2015 01:27 PM
I think I have a decent solution at the moment.
I created a policy on the NPS server that only allows computers to authenticate and configured the wireless connection on the laptop to only attempt computer authentication.
In my first test I did not disable user auth in the 802.1x settings on the laptop, obviously this caused auth to fail as soon as the laptop would attempt user auth.
Does this implementation have any side effects I'm missing?
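
Added example, not part of any post in this thread: one way to verify on a laptop that the wireless profile really is limited to computer authentication, by reading the 802.1X `authMode` element from a WLAN profile exported with `netsh wlan export profile`. The SSID `CorpWLAN`, the folder `C:\Temp\wlan` and the function name `Get-WlanAuthMode` are assumptions, and the embedded profile is a trimmed, constructed sample.

```powershell
# Constructed, trimmed sample of an exported WLAN profile (hypothetical SSID "CorpWLAN").
$sampleProfile = @'
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWLAN</name>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA2</authentication>
        <encryption>AES</encryption>
        <useOneX>true</useOneX>
      </authEncryption>
      <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
        <authMode>machine</authMode>
      </OneX>
    </security>
  </MSM>
</WLANProfile>
'@

# Hypothetical helper: reports which credentials a profile will offer for 802.1X.
function Get-WlanAuthMode {
    param([Parameter(Mandatory)][string]$ProfileXml)
    $doc = [xml]$ProfileXml
    $ns  = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('w', 'http://www.microsoft.com/networking/WLAN/profile/v1')
    $ns.AddNamespace('x', 'http://www.microsoft.com/networking/OneX/v1')

    $name    = $doc.SelectSingleNode('/w:WLANProfile/w:name', $ns).InnerText
    $useOneX = $doc.SelectSingleNode('//w:authEncryption/w:useOneX', $ns)
    if (-not $useOneX -or $useOneX.InnerText -ne 'true') {
        # Not an 802.1X profile (for example a pre-shared key network).
        return [pscustomobject]@{ Profile = $name; AuthMode = 'not 802.1X'; MachineOnly = $false }
    }

    # Only an explicit "machine" counts; a missing element is reported, not guessed.
    $node = $doc.SelectSingleNode('//x:OneX/x:authMode', $ns)
    $mode = if ($node) { $node.InnerText } else { 'not set' }
    [pscustomobject]@{ Profile = $name; AuthMode = $mode; MachineOnly = ($mode -eq 'machine') }
}

Get-WlanAuthMode -ProfileXml $sampleProfile

# Against real exports (folder path is an assumption):
#   netsh wlan export profile folder=C:\Temp\wlan
#   Get-ChildItem C:\Temp\wlan\*.xml | ForEach-Object { Get-WlanAuthMode (Get-Content $_ -Raw) }
```

A profile that reports anything other than `machine` will still attempt user authentication after logon, which the computer-only NPS policy described above rejects.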