Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Aruba Machine Authentication - Is it Just checking Hostname? Can be spoofed?

  • 1.  Aruba Machine Authentication - Is it Just checking Hostname? Can be spoofed?

    Posted Jul 02, 2015 05:01 PM

    When I "enforce machine authentication" and my Windows laptop connects to my SSID, I see in my ClearPass monitoring that the username is domain\hostname and it "passes", so it seems to be working OK, but I'm just curious: how secure is this? Could a hacker, for example, make a Windows domain at home with the same domain name, then name his laptop the same hostname as one of my machines, and then sign on to my Wi-Fi?

    Second question: I set up an SSID and enforced machine authentication, and everything seems to work OK on my Windows laptop, but when I try to connect to the SSID using my stock Android phone (no special certs or anything like that) it will hang on "authenticating" and sometimes on "obtaining IP address". I see in the ClearPass monitoring only the user request come in. It does not seem the Android phone even attempts machine authentication. I tried both with and without "enforce machine authentication" as a troubleshooting step, but the Android phone never connects and gets an IP. Any ideas? Thanks!



  • 2.  RE: Aruba Machine Authentication - Is it Just checking Hostname? Can be spoofed?

    EMPLOYEE
    Posted Jul 02, 2015 05:05 PM
    The machine itself has an AD account. It can't easily be spoofed.


    Thanks,
    Tim


  • 3.  RE: Aruba Machine Authentication - Is it Just checking Hostname? Can be spoofed?

    EMPLOYEE
    Posted Jul 02, 2015 07:07 PM

    'Enforce' machine authentication is a confusing choice of words.  It is not really enforcing, just recognising if the authentication is machine or user.  That way you can have a different role for machine and user auth.

     

    If both machine and user pass they get the default role.



  • 4.  RE: Aruba Machine Authentication - Is it Just checking Hostname? Can be spoofed?

    EMPLOYEE
    Posted Jul 02, 2015 07:09 PM

    Also, you should NOT use controller Enforce Machine Authentication with ClearPass. Do all of your logic in ClearPass using the built-in [User Authenticated] and [Machine Authenticated] roles.



  • 5.  RE: Aruba Machine Authentication - Is it Just checking Hostname? Can be spoofed?
    Best Answer

    EMPLOYEE
    Posted Jul 03, 2015 02:51 AM

    To summarize:

     

    Machine authentication uses the computer account in Active Directory for authentication; this can be username/password (which is automatically set by Windows and AD, and is not visible to the user). For that reason it cannot be spoofed.

     

    An Android device is not registered/managed in Active Directory, so it will NOT have a computer account, and will not be able to do device authentication. It can only do user authentication.

     

    If you have ClearPass, manage your access based on [Machine Authenticated] and [User Authenticated]. If both roles are collected, you know that the system has authenticated both with the Computer account and with the User account (two authentications from the same system). In most situations, you will NOT enforce machine authentication on the controller, because ClearPass is much more flexible and allows you to make all kinds of exceptions, like taking profiler data, MDM data, and much more, into account during the authentication. On the controller, you can set a single role for systems that only do machine authentication and a single role for systems that do user authentication (only); for systems that do both, a dynamic role can be supplied during the authentication.

     

    You may consider configuring Active Directory managed computers to authenticate with just the machine account (Computer only in the settings for your WLAN), as this does not require Windows to do a new authentication once a user logs in. This only makes sense if all users on corporate computers have the same level of access, as the authentication/access is only derived from the computer or machine.

     

    Herman



  • 6.  RE: Aruba Machine Authentication - Is it Just checking Hostname? Can be spoofed?

    Posted Jul 06, 2015 12:59 PM

    Thank you Herman.  Thanks Everyone.