Security

Reply
Occasional Contributor II

Aruba Controller, ClearPass, and 802.1x Authentication

I'm trying to setup 802.1x authentication via ClearPass.  I have "enforce machine authentication" setup on the controller and all the "termination" settings unchecked to let the request go to the backend ClearPass Radius server.  When I boot my laptops (trying on multiple), they sit at the log in screen with the wireless adaptor enabled, but I'm not seeing any hits against the ClearPass for machine authentication.  If I then log into the pc's, I'm able to authenticate the wireless with user authentication via EAP-TLS with an internal cert fine.  Even if the machine authentication were failing, wouldn't I still see hits on the ClearPass Access Tracker screen?

Re: Aruba Controller, ClearPass, and 802.1x Authentication

 

Turn off enforce machine auth on the controlle and use the machine authenticated role in the enforcement policy 

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Super Contributor II

Re: Aruba Controller, ClearPass, and 802.1x Authentication

One other thing that you can check is that the wireless profile for your secure SSID is loaded for all users and not just the current user.

 

You can check this using the following command

netsh wlan show profiles

 The wireless profile should be listed for "All User Profile"

 

If the SSID profile is loaded for current user then the machine will never attempt to auth. when on the ctrl-alt-delete screen - At least in my experience.

Occasional Contributor II

Re: Aruba Controller, ClearPass, and 802.1x Authentication

Ok, tried after removing the "enforce machine authentication" check off the controller itself.  Rebooted both testing laptops.  I'm not seeing any hits against clearpass.  

Occasional Contributor II

Re: Aruba Controller, ClearPass, and 802.1x Authentication

The SSID is showing up as listed for All User Profile.  It's the top profile listed as well.  Would there possibly be another setting on the PC that I'm missing that would cause it to not try and do the machine authentication over wireless?

Super Contributor II

Re: Aruba Controller, ClearPass, and 802.1x Authentication

Check that your profile is setup so that your device will connect to it automatically. And make sure that you do not have any competing wireless profiles that are set to connect automatically that are in range. It is possible that another SSID is taking precedence. So your device is connecting, but to the wrong SSID.

 

Also make sure that in your wireless profile it is set to use User or computer authentication.

This can be found under the [profile name] Wireless Network Properties > Security > Advanced Settings

Occasional Contributor II

Re: Aruba Controller, ClearPass, and 802.1x Authentication

I've deleted all the other wireless profiles.  The one in particular is set to automatically connect when in range.  The security option is set for "User or Computer Authentication".  I currently have SSO disabled as I won't be switching vlans, just roles given.  The wireless adaptor is enabled.  Even if the authentication was failing, I would think that ClearPass should be showing a failure in the Access Tracker right?  I'm starting to wonder if this is more of a Microsoft problem?  Has anyone else seen this issue before?

Super Contributor II

Re: Aruba Controller, ClearPass, and 802.1x Authentication

Yes you would see the request hitting the CPPM and failing. If you are seeing nothing then it means that the machine isn't attempting to authenticate. Do you know if the machine is able to get an IP?

 

If you check on the contoller do you see it connected? It could be that int he machine role you are assigning, it doesn't have access to the CPPM.

Occasional Contributor II

Re: Aruba Controller, ClearPass, and 802.1x Authentication

I don't think it's getting an IP as I'm not able to ping the pc name.  I tried changing the Initial AAA role to fully authenticated (basically full access).  Rebooted the laptop.  Still not seeing any hits on clearpass.  

Super Contributor II

Re: Aruba Controller, ClearPass, and 802.1x Authentication

Hmm that is really strange.

 

It sounds like everything you have setup is correct.

 

Since you are not getting anything in the Access Tracker it would suggest that the computer isn't even attempting to connect.

I will go through the configs on one of our laptops and make sure there isn't anything obvious we've missed.

 

 

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: