05-08-2014 11:29 AM - last edited on 05-13-2014 06:20 PM by Jamie E
I'm trying to set up 802.1x authentication via ClearPass. I have "enforce machine authentication" set up on the controller and all the "termination" settings unchecked to let the request go to the backend ClearPass RADIUS server. When I boot my laptops (trying on multiple), they sit at the login screen with the wireless adaptor enabled, but I'm not seeing any hits against ClearPass for machine authentication. If I then log into the PCs, I'm able to authenticate the wireless with user authentication via EAP-TLS with an internal cert fine. Even if the machine authentication were failing, wouldn't I still see hits on the ClearPass Access Tracker screen?
05-08-2014 12:16 PM
Turn off enforce machine auth on the controller and use the machine authenticated role in the enforcement policy.
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
05-12-2014 09:47 AM
One other thing that you can check is that the wireless profile for your secure SSID is loaded for all users and not just the current user.
You can check this using the following command
netsh wlan show profiles
The wireless profile should be listed for "All User Profile"
If the SSID profile is loaded for the current user only, then the machine will never attempt to auth when on the ctrl-alt-delete screen - at least in my experience.
05-12-2014 09:47 AM
OK, tried after removing the "enforce machine authentication" check from the controller itself. Rebooted both testing laptops. I'm not seeing any hits against ClearPass.
05-12-2014 09:50 AM
The SSID is showing up as listed for All User Profile. It's the top profile listed as well. Would there possibly be another setting on the PC that I'm missing that would cause it to not try and do the machine authentication over wireless?
05-12-2014 10:03 AM
Check that your profile is set up so that your device will connect to it automatically. And make sure that you do not have any competing wireless profiles in range that are set to connect automatically. It is possible that another SSID is taking precedence, so your device is connecting, but to the wrong SSID.
Also make sure that in your wireless profile it is set to use User or computer authentication.
This can be found under [profile name] Wireless Network Properties > Security > Advanced Settings.
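The two replies above (the All User Profile check with `netsh wlan show profiles`, and the auto-connect and "User or computer authentication" settings) can be verified together from a script. This is an added example, not part of the thread; it assumes an English Windows build (netsh output is localized), an elevated prompt, and the placeholder SSID name `CORP-SECURE`.

```powershell
# Added example, not from the thread: check the three client-side conditions
# named above for one 802.1X SSID on a Windows client.
# Assumptions: English Windows (netsh output is localized), elevated prompt,
# and the placeholder SSID name below.
param([string]$Ssid = "CORP-SECURE")   # placeholder, replace with your SSID

# 1. Profile scope: machine auth at the logon screen needs an All User Profile.
$allUser = @(); $curUser = @()
foreach ($line in (netsh wlan show profiles)) {
    if ($line -match '^\s*All User Profile\s*:\s*(.+)$')     { $allUser += $Matches[1].Trim() }
    if ($line -match '^\s*Current User Profile\s*:\s*(.+)$') { $curUser += $Matches[1].Trim() }
}
if     ($allUser -contains $Ssid) { "OK   : '$Ssid' is stored as an All User Profile" }
elseif ($curUser -contains $Ssid) { "FAIL : '$Ssid' is only a Current User Profile; the machine will not try to authenticate before logon"; return }
else                              { "FAIL : no profile named '$Ssid' on this machine"; return }

# 2./3. Export the profile XML and read connectionMode and the 802.1X authMode.
$dir = Join-Path $env:TEMP ("wlan-check-" + [guid]::NewGuid().ToString())
New-Item -ItemType Directory -Path $dir | Out-Null
netsh wlan export profile name="$Ssid" folder="$dir" | Out-Null
$file = Get-ChildItem -Path $dir -Filter *.xml | Select-Object -First 1
if (-not $file) { "FAIL : netsh could not export the profile"; return }
[xml]$xml = Get-Content -Path $file.FullName

$mode = $xml.WLANProfile.connectionMode          # "auto" or "manual"
if ($mode -eq 'auto') { "OK   : connectionMode is auto" }
else                  { "FAIL : connectionMode is '$mode'; set the profile to connect automatically" }

$oneX = $xml.WLANProfile.MSM.security.OneX       # 802.1X settings block
if (-not $oneX) { "FAIL : profile has no 802.1X (OneX) section; it is not an EAP profile"; return }
$auth = $oneX.authMode
if (-not $auth) { $auth = 'machineOrUser' }      # schema default when the element is absent
if ($auth -in 'machineOrUser', 'machine') { "OK   : authMode is $auth" }
else { "FAIL : authMode is '$auth'; choose 'User or computer authentication' under Security > Advanced settings" }

Remove-Item -Path $dir -Recurse -Force
```

If all three lines report OK and the Access Tracker still shows nothing, the problem is elsewhere (for example the client never associating, or the initial role blocking RADIUS), which is where the thread goes next.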
05-12-2014 10:13 AM
I've deleted all the other wireless profiles. The one in particular is set to automatically connect when in range. The security option is set to "User or Computer Authentication". I currently have SSO disabled as I won't be switching VLANs, just roles. The wireless adaptor is enabled. Even if the authentication was failing, I would think that ClearPass should be showing a failure in the Access Tracker, right? I'm starting to wonder if this is more of a Microsoft problem? Has anyone else seen this issue before?
05-12-2014 10:17 AM
Yes you would see the request hitting the CPPM and failing. If you are seeing nothing then it means that the machine isn't attempting to authenticate. Do you know if the machine is able to get an IP?
If you check on the controller, do you see it connected? It could be that the machine role you are assigning doesn't have access to the CPPM.
05-12-2014 10:24 AM
I don't think it's getting an IP, as I'm not able to ping the PC name. I tried changing the initial AAA role to fully authenticated (basically full access). Rebooted the laptop. Still not seeing any hits on ClearPass.
05-12-2014 10:47 AM
Hmm, that is really strange.
It sounds like everything you have set up is correct.
Since you are not getting anything in the Access Tracker, it would suggest that the computer isn't even attempting to connect.
I will go through the configs on one of our laptops and make sure there isn't anything obvious we've missed.