Contributor II
Posts: 73
Registered: ‎03-07-2011

802.1x auth and non-domain joined devices

At this moment I configured 802.1x with a 2008 RADIUS server to authenticate computers and users, which works fine. But non-domain devices (like iPhones) can also authenticate to the wireless network as long as they provide a valid domain user account. Is there a way to configure this differently so users can only authenticate when they're on a valid domain computer?

Guru Elite
Posts: 8,632
Registered: ‎09-08-2010

Re: 802.1x auth and non-domain joined devices

[ Edited ]

You have 3 options:

1) Use enforce machine authentication in the controller

http://www.arubanetworks.com/techdocs/ArubaOS%206_3_1_Web_Help/Web_Help_Index.htm#ArubaFrameStyles/802.1x/Configuring_802_1x_Authe.htm?Highlight="machine authentication"

2) Utilize ClearPass Policy Manager for advanced device identity

3) Issue client certificates to domain devices via GPO and restrict connections to EAP-TLS.
Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II
Posts: 73
Registered: ‎03-07-2011

Re: 802.1x auth and non-domain joined devices

[ Edited ]

Hi Tim, thanks for your fast response :)

I enabled Enforce Machine Authentication in the relevant 802.1x auth profile, but I can still connect my iPhone as long as I provide a valid domain account. Any thoughts?

Edit: seems like we cross posted :) I will read the link you provided!

Regular Contributor II
Posts: 226
Registered: ‎10-29-2014

Re: 802.1x auth and non-domain joined devices

In Windows NPS create one policy with a machine-only rule and assign that to the controller.

[Attachment: rad.jpg]

Make sure that your request is hitting the correct policy.

HTH
Cheers
SumaN
Guru Elite
Posts: 8,632
Registered: ‎09-08-2010

Re: 802.1x auth and non-domain joined devices

That won't always work because if a user authenticates on an AD-joined machine, it will fail authentication.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Regular Contributor II
Posts: 226
Registered: ‎10-29-2014

Re: 802.1x auth and non-domain joined devices

Yeah that's right.

It'll enable machine authentication only. User auth will not work.
HTH
Cheers
SumaN
MVP
Posts: 371
Registered: ‎01-14-2010

Re: 802.1x auth and non-domain joined devices

Hi Enveekaa,

I wrote a post about this issue a few months back:

http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/How-to-Machine-AND-User-Authentication-in-Windows-with-Clearpass/m-p/208471/highlight/true#M15856

It's a more advanced config in ClearPass, but it allows you to do Computer and User auth at the same time.

Hope it helps!

-Mike

Contributor II
Posts: 73
Registered: ‎03-07-2011

Re: 802.1x auth and non-domain joined devices

[ Edited ]

Thanks for all the info guys, I fixed it by enabling "Enforce Machine Authentication" and removing the user auth option from the RADIUS server.

Edit: This isn't a workable situation tbh, I tested some more and if the Machine Auth expires (e.g. the laptop goes to sleep) the user can't authenticate anymore and is denied network access.

I set up a Windows 2012 R2 NPS Server, this might provide me the options I require. I'll report back if I have more info.
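The behaviour reported above (a user who passes RADIUS authentication still ends up without access once the machine-authentication state for that device has expired) follows from how "Enforce Machine Authentication" derives a role from the combination of machine and user results rather than from either result alone. The following toy model is an added example written for this thread, not Aruba's or Microsoft's code; the role names, the cache lifetime and the sample MAC addresses and identities are constructed. It replays a short sequence of successful RADIUS authentications and shows which role each would be derived into, including the iPhone-with-domain-credentials case from the original question and the expiry case from this post.

```python
"""Toy model of role derivation when a controller enforces machine authentication.

Added example, not the controller's or NPS's code. Role names, the cache lifetime
and the sample events are constructed assumptions for illustration only.
"""
from dataclasses import dataclass, field

# Placeholder role names modelled on the three roles the feature works with.
MACHINE_ONLY_ROLE = "machine-auth-default"  # machine authenticated, no user yet
USER_ONLY_ROLE = "user-auth-default"        # user authenticated on a device with no valid machine auth
FULL_ROLE = "authenticated"                 # both succeeded: the normal 802.1X default role
MACHINE_AUTH_CACHE_SECONDS = 24 * 3600      # assumed lifetime of a cached machine auth


@dataclass
class MachineAuthEnforcer:
    """Tracks the last successful machine auth per client MAC and derives roles."""
    enforce: bool = True
    cache: dict = field(default_factory=dict)  # MAC -> time of last successful machine auth

    def on_success(self, mac: str, identity: str, now: float) -> str:
        """Role derived for a successful (Access-Accept) authentication.

        A machine identity is recognised here by the 'host/' prefix that Windows
        uses for computer accounts; a user identity is anything else.
        """
        if identity.lower().startswith("host/"):
            self.cache[mac] = now
            return MACHINE_ONLY_ROLE if self.enforce else FULL_ROLE
        if not self.enforce:
            return FULL_ROLE  # no device check at all: any valid user gets full access
        last = self.cache.get(mac)
        if last is not None and now - last <= MACHINE_AUTH_CACHE_SECONDS:
            return FULL_ROLE
        # No machine auth ever seen for this MAC, or it has aged out of the cache.
        return USER_ONLY_ROLE


def replay(events, enforce: bool = True):
    """Derive the role for each (time, mac, identity) event in order."""
    enforcer = MachineAuthEnforcer(enforce=enforce)
    return [enforcer.on_success(mac, ident, t) for t, mac, ident in events]


# Constructed sample: a domain laptop, a phone reusing the same user's credentials,
# and the same laptop after its cached machine auth has expired.
SAMPLE = [
    (0.0, "aa:bb:cc:00:00:01", "host/laptop01.corp.example"),  # computer account logs on
    (60.0, "aa:bb:cc:00:00:01", "CORP\\alice"),                # alice logs on to that laptop
    (120.0, "de:ad:be:ef:00:02", "CORP\\alice"),               # phone with alice's credentials
    (2 * 24 * 3600.0, "aa:bb:cc:00:00:01", "CORP\\alice"),     # laptop again, cache expired
]

if __name__ == "__main__":
    for (t, mac, ident), role in zip(SAMPLE, replay(SAMPLE)):
        print(f"t={t:>9.0f}s  {mac}  {ident:<28} -> {role}")
```

With `enforce=True` the phone lands in the user-only role even though the user credentials are valid, which is the separation the original question asked for; the laptop at the last event lands there too, because nothing refreshed its machine auth before the cache aged out. If the user-only role is configured to deny traffic, that last event is exactly the "denied network access" outcome described above. With `enforce=False` every event derives the full role, which is the starting situation in the thread.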

Guru Elite
Posts: 8,632
Registered: ‎09-08-2010

Re: 802.1x auth and non-domain joined devices

Going the cert route is probably your best bet.

Thanks,
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II
Posts: 73
Registered: ‎03-07-2011

Re: 802.1x auth and non-domain joined devices

I think I have a decent solution at the moment.

I created a policy on the NPS server that only allows computers to authenticate and configured the wireless connection on the laptop to only attempt computer authentication.

In my first test I did not disable user auth in the 802.1x settings on the laptop, obviously this caused auth to fail as soon as the laptop would attempt user auth.

Does this implementation have any side effects I'm missing?
