Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

802.1x wired initial login and computer policies

  • 1.  802.1x wired initial login and computer policies

    Posted Apr 03, 2016 10:26 AM

    I’m looking for some advice on something: how do companies that run 802.1x on an Active Directory domain handle initial logins out at the workstation?  It seems impossible if you don’t already have a profile.  It's a total chicken/egg problem.  We have on-boarding static ports in our helpdesk area, so we can handle things for a while… but we’ll want a solution for doing initial logins out and about.  Like if there's a desktop and we want a new user to log in, we can't do that because it doesn't have access to the right networks until post-login.

     

    This exact issue is also causing havoc on computer policies that are intended to run right at login.

     

    thanks



  • 2.  RE: 802.1x wired initial login and computer policies

    EMPLOYEE
    Posted Apr 03, 2016 10:33 AM
    This is done with Windows machine authentication. The computer logs into the network with the computer account at the login screen. Once a user logs in, it switches to the user's credentials.

    Sent from Nine


  • 3.  RE: 802.1x wired initial login and computer policies

    Posted Apr 03, 2016 10:34 AM
    If these are Windows domain workstations you can deploy a group policy to enable the Wired Auth Windows service and also to configure the wired profile to do Computer or User authentication.

    When you enable computer auth it allows you to do Machine authentication before the user login.

    What are you using for RADIUS?

    Sent from Outlook for iPhone


  • 4.  RE: 802.1x wired initial login and computer policies

    Posted Apr 03, 2016 11:03 AM

    Ahhhh... okay.  That makes total sense.  I wonder how much I'd have to tweak my CPPM policy to allow machine auth.  I'll start doing some research.  Not sure if it can be added to my already working user-auth service or if it's a new service.

     

    My wired services look like this ATM:

    [Image: tr1-service.jpg]



  • 5.  RE: 802.1x wired initial login and computer policies



  • 6.  RE: 802.1x wired initial login and computer policies

    EMPLOYEE
    Posted Apr 03, 2016 11:09 AM
    Just add tips role equals [Machine Authenticated] and your access policy.

    Sent from Nine


  • 7.  RE: 802.1x wired initial login and computer policies

    Posted Apr 03, 2016 11:22 AM

    I'm just a bit confused because the computer is sending its MAC address and falling into my EAP-MD5 static-host-list rules.  I expected it to be sending the computer's name.

     

    [Image: tr1-request.jpg]



  • 8.  RE: 802.1x wired initial login and computer policies

    Posted Apr 03, 2016 11:24 AM
    Are you doing MAC bypass on your switch?



    Sent from Outlook for iPhone


  • 9.  RE: 802.1x wired initial login and computer policies

    EMPLOYEE
    Posted Apr 03, 2016 11:24 AM
    You should separate those out into two services.

    Is the client configured correctly?

    Sent from Nine


  • 10.  RE: 802.1x wired initial login and computer policies

    Posted Apr 03, 2016 11:34 AM

    Yeah, totally.  I'll make it two services.  If machine-auth, let it into my "walled garden" VLAN that can just hit AD and ClearPass... allowing me to do "on-net" logins.  Then once it gets into Windows it should flip over to user-auth, at least that's my understanding of this all.  Not sure if I'd have to do a CoA?

     

    My switch 802.1x config looks like such:

    authenticator {
        authentication-profile-name ClearPass;
        interface {
            User-Access {
                supplicant multiple;
                transmit-period 5;
                mac-radius;
                reauthentication 600;
                server-timeout 3;
                maximum-requests 3;
                guest-vlan CP-INITIAL;
                server-fail use-cache;
            }
        }
    }



  • 11.  RE: 802.1x wired initial login and computer policies

    Posted Apr 03, 2016 11:52 AM
    Are you doing MAC authentication for other devices?

    It looks like you do "mac-radius".

    The question is why is the MAC address in the SHL for your domain device? What should happen is that once your device fails MAC auth it should switch to 802.1x or vice versa.
    https://www.juniper.net/techpubs/en_US/release-independent/nce/information-products/pathway-pages/nce/nce-157-aruba-dot1x-mac-configuring.pdf



    Sent from Outlook for iPhone


  • 12.  RE: 802.1x wired initial login and computer policies

    Posted Apr 03, 2016 11:57 AM

    Yes, it's how we do our phones.



  • 13.  RE: 802.1x wired initial login and computer policies

    Posted Apr 03, 2016 12:36 PM
    Follow the instructions on the link I posted earlier.

    Sent from Outlook for iPhone


  • 14.  RE: 802.1x wired initial login and computer policies

    Posted Apr 03, 2016 05:43 PM

    Odd.... CPPM enforcement looks perfect, it's getting a VLAN with machine auth, but it won't do anything.  Can't ping gateway.

     

    root@ZZZ-TR1-CAS-VC> show dot1x interface ge-2/0/23 detail
    ge-2/0/23.0
    Role: Authenticator
    Administrative state: Auto
    Supplicant mode: Multiple
    Number of retries: 3
    Quiet period: 60 seconds
    Transmit period: 5 seconds
    Mac Radius: Enabled
    Mac Radius Restrict: Disabled
    Reauthentication: Enabled
    Configured Reauthentication interval: 600 seconds
    Supplicant timeout: 30 seconds
    Server timeout: 3 seconds
    Maximum EAPOL requests: 3
    Guest VLAN member: not configured
    Number of connected supplicants: 1
    Supplicant: f8b156d2eZZZ, F8:B1:56:D2:EZ:ZZ
    Operational state: Authenticated
    Backend Authentication state: Idle
    Authentication method: Mac Radius
    Authenticated VLAN: CP-INITIAL
    Session Reauth interval: 600 seconds
    Reauthentication due in 580 seconds

     

    ==============================
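    A small parser for the `show dot1x interface ... detail` output shown above, added here as an example and not part of the thread: it splits the port-level fields from each supplicant block and flags sessions that were admitted by MAC RADIUS rather than 802.1X, which is the symptom being chased in this thread. The sample text is constructed from the posted output (with the poster's redacted MAC kept as-is); the second supplicant, its VLAN name, and the assumption that Junos labels a completed 802.1X/EAP session "Radius" are mine.

```python
from typing import Dict, List

# Constructed sample modelled on the `show dot1x interface ... detail` output posted
# above: the first supplicant is the poster's (redacted) session, the second is made
# up, and 'Radius' is assumed to be Junos's label for a completed 802.1X/EAP session.
SAMPLE_OUTPUT = """\
ge-2/0/23.0
Role: Authenticator
Mac Radius: Enabled
Guest VLAN member: not configured
Number of connected supplicants: 2
Supplicant: f8b156d2eZZZ, F8:B1:56:D2:EZ:ZZ
Operational state: Authenticated
Authentication method: Mac Radius
Authenticated VLAN: CP-INITIAL
Reauthentication due in 580 seconds
Supplicant: host/example-pc, 00:11:22:33:44:55
Operational state: Authenticated
Authentication method: Radius
Authenticated VLAN: CP-USERS
"""

def parse_dot1x_detail(text: str) -> Dict[str, object]:
    """Split port-level fields from the per-supplicant blocks of the output."""
    result = {"interface": None, "port": {}, "supplicants": []}
    current = result["port"]
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:
            # The bare interface name opens the output; other colon-less lines
            # ('Reauthentication due in ...', blanks) carry no key and are skipped.
            if line and result["interface"] is None:
                result["interface"] = line
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "Supplicant":
            # 'Supplicant: <username>, <MAC>' starts a new session block.
            username, _, mac = value.partition(",")
            current = {"username": username.strip(), "mac": mac.strip()}
            result["supplicants"].append(current)
            continue
        current[key] = value
    return result

def mac_radius_sessions(parsed: Dict[str, object]) -> List[str]:
    """MACs of authenticated sessions admitted by MAC RADIUS instead of 802.1X/EAP,
    i.e. hosts that matched the MAC rules rather than presenting a computer account."""
    return [s["mac"] for s in parsed["supplicants"]
            if s.get("Operational state") == "Authenticated"
            and s.get("Authentication method") == "Mac Radius"]
```

Run it against the output of several ports to list which domain machines never reached 802.1X and so could not have picked up a machine-authentication enforcement.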



  • 15.  RE: 802.1x wired initial login and computer policies

    Posted Apr 03, 2016 06:29 PM
    Can you use this command: run show dot1x interface

    Sent from Outlook for iPhone