01-23-2013 11:29 AM
We are trying to deploy a new network which requires some form or two factor authentication. By this i mean that the network needs to validate both the machine and the user who is on it. The machine has a device certificate as well as when each user logs in they have a personal certificate.
We have tried to do this via Computer Authentication but this requires that the user logout or lock the machine for some time for this to trigger, and then log back in. This is not an idea user case.
We are running Aruba 6.1.3 code as well as using Clearpass as our Authentication server. Is there any way for clearpass to validate the machine the request is coming from is part of AD while the user performs a EAP-TLS authentication using their user cert?
Any help or advice would be greatly appreciated.
ACDX, ACCP, CISSP, CWNA
01-23-2013 12:28 PM
It sounds like you have enabled 'enforce machine authentication'. To accomplish what you want, you may need to increase the machine authentication cache timeout in the dot1x profile (default is 24 hours); this timeout is what you are likely experiencing when you have to logout to let the machine reauthenticate...which recaches the machine for another day.
To answer your second question, this may not work as the authentication request from the user does not have any information about the computer (outside of the MAC). So, it is not possible to check whether the machine is in AD at all upon a user authentication attempt. You may be able to do some sort of MAC address checking, but this may or may not accomplish what you want.
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX