Frequent Contributor I
Posts: 62
Registered: 12-02-2014

AD Account Restricted to a Workstation in Active Directory failing auth

We are having an issue with a valid Active Directory user account that has a restriction in AD to only allow a login to come from a specific workstation.  Our dot1x Windows configuration does Computer & User authentication.  The Computer (Machine) authentication works perfectly fine and the computer is able to machine auth correctly and join the network.  When the user logs in with a machine restricted account, they receive a reject message and are unable to join the network.  It appears that ClearPass is not sending the entire auth message to AD in this case and thus failing auth, because the workstation ID is not passed with the RADIUS auth.  I have attached the ClearPass Alerts tab.  Has anyone seen this issue, and is there a workaround in the 802.1X Service in ClearPass that can handle workstation restricted accounts?

MVP
Posts: 4,271
Registered: 07-20-2011

Re: AD Account Restricted to a Workstation in Active Directory failing auth

What do you mean by this: "When the user logs in with a machine restricted account"?

Did you recently add this account in AD? If you did, try clearing the cache under the AD authentication source.

In Access Tracker under Input > Authorization Attributes, do you see the user information there?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Frequent Contributor I
Posts: 62
Registered: 12-02-2014

Re: AD Account Restricted to a Workstation in Active Directory failing auth

Hi Victor,

A machine restricted account is an AD user account that is only allowed to log into a specific Windows machine that is registered in AD.  If the user tries logging into a different machine with this account they will be rejected by AD.  This is not a new account; it has been around for years.

In Access Tracker, Input tab, no Authorization Attributes show up with this type of account.  See attachment.

Question: when ClearPass queries AD to validate the user account, does it send workstation attributes with the request, or is that stripped out of the query?

MVP
Posts: 4,271
Registered: 07-20-2011

Re: AD Account Restricted to a Workstation in Active Directory failing auth

"Question: when ClearPass queries AD to validate the user account, does it send workstation attributes with the request, or is that stripped out of the query?"

Not when it is doing user auth.

This is probably not going to work the way you are doing it.

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Guru Elite
Posts: 8,458
Registered: 09-08-2010

Re: AD Account Restricted to a Workstation in Active Directory failing auth

You need to add the ClearPass computer accounts to the user's allowed logon workstations.


Thanks, 
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 4,271
Registered: 07-20-2011

Re: AD Account Restricted to a Workstation in Active Directory failing auth

Try doing this instead:

- First you need to tag the laptop with a custom attribute when it does machine auth.

[screenshot: ClearPass Policy Manager, 2015-10-12 09:25]

- Then create a ClearPass post-auth enforcement profile using that attribute.

[screenshot: ClearPass Policy Manager, 2015-10-12 09:26]

- Then use this attribute when the laptop performs machine auth; make sure to put this at the top of your rules so it is applied.

[screenshot: ClearPass Policy Manager, 2015-10-12 09:28]

- Then in your user auth make sure to add a rule that allows access only when the user is using that laptop.

[screenshot: ClearPass Policy Manager, 2015-10-12 09:30]

Note: Make sure that in the other rules you include something like this:

[screenshot: ClearPass Policy Manager, 2015-10-12 09:41]

 

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Frequent Contributor I
Posts: 62
Registered: 12-02-2014

Re: AD Account Restricted to a Workstation in Active Directory failing auth

Victor,

We have already been using a custom attribute to validate machine auth, like you defined below.  I don't believe this will solve the fundamental problem.  The problem being that when the user auths, ClearPass only sends the user info to AD and not the workstation ID, so AD will always reject the request.  AD is expecting to see the user ID and the workstation ID in the request.  Is there any way to solve this?

MVP
Posts: 4,271
Registered: 07-20-2011

Re: AD Account Restricted to a Workstation in Active Directory failing auth

Try Tim's suggestion:

http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/CPPM-Auth-fails-when-account-logon-is-limited-to-specific/td-p/126217

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Frequent Contributor I
Posts: 62
Registered: 12-02-2014

Re: AD Account Restricted to a Workstation in Active Directory failing auth

Hi Victor, that would work, but then it gives the user ID the ability to log in from any workstation, making that account have no workstation restrictions.  We could just remove the workstation restrictions in AD and get the same result.  I am thinking this is not going to be possible.  One idea is that we only have this workstation do machine (computer) auth only from Windows.  No user auth would be generated.  This would allow the machine to auth and be on the network.

Guru Elite
Posts: 8,458
Registered: 09-08-2010

Re: AD Account Restricted to a Workstation in Active Directory failing auth

Keep in mind the network auth is separate from the actual domain authentication. Allowing the ClearPass account simply allows that account to authenticate using ClearPass. 


Thanks, 
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480