
Can't login to PC joined Domain with New User profile

Hi

 

I have configured CPPM for two services to authenticate wired users.

One to authenticate the wired users who don't have 802.1X enabled on their devices.


and one to authenticate users who have 802.1X enabled on their devices.


The domain member users can authenticate properly as planned.

But I got a problem when a new user wants to connect to a domain member device but this user is logging in for the first time.

In this case the port will be assigned to the quarantine VLAN because the user didn't pass the health check yet, and since the quarantine VLAN doesn't have access to the domain, the new user will not be able to log in...

 

I think we have to use what is called machine-authentication here, right?

If yes, then how to configure the machine authentication rule and what is its position?

 

Thanks

Mahmoud

Re: Can't login to PC joined Domain with New User profile

You could use:

 

TIPS role Equals [Machine Authenticated] --> MachineAuth-VLAN

 

Then configure the machine auth VLAN to restrict access to only allow domain login.

 

Put the rule at the bottom of your 802.1X enforcement policy.

 

Cheers

James


Re: Can't login to PC joined Domain with New User profile

Are the authenticated users assigned to the "User Authenticated" role

and the authenticated machines assigned to the "Machine Authenticated" role by default without any role-mapping policies?

 

But in this case the PC will be assigned to this MachineAuth-VLAN before the user enters the credentials, so what will happen after the user gets in? Is the authentication process repeated all over again, so the user will be assigned to a new VLAN based on his authentication?

 

Thanks

Mahmoud

Re: Can't login to PC joined Domain with New User profile


mahmoud.yasin@ad-tech.com.jo wrote:

Are the authenticated users assigned to the "User Authenticated" role

and the authenticated machines assigned to the "Machine Authenticated" role by default without any role-mapping policies?

 

But in this case the PC will be assigned to this MachineAuth-VLAN before the user enters the credentials, so what will happen after the user gets in? Is the authentication process repeated all over again, so the user will be assigned to a new VLAN based on his authentication?

 

Thanks


Yes, the machine authed device will get the machine authenticated role without any additional role mapping.

 

When the user logs in this will trigger another 802.1X authentication request. 

 

Cheers
James
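Added example, not part of the thread and not ClearPass configuration: a small Python model of first-match rule evaluation showing why the [Machine Authenticated] rule goes at the bottom of the 802.1X enforcement policy. The user rules, posture values, Corp-VLAN and Quarantine-VLAN names are assumptions, as is the premise that a user session on an already machine-authenticated PC carries both roles.

```python
# Illustrative model only. Everything except the machine-auth rule
# ("[Machine Authenticated]" -> "MachineAuth-VLAN") is assumed for the example.
MACHINE = "[Machine Authenticated]"
USER = "[User Authenticated]"

# Rule format: (roles that must all be present, required posture or None, profile)
MACHINE_RULE = ({MACHINE}, None, "MachineAuth-VLAN")
USER_RULES = [
    ({USER}, "HEALTHY", "Corp-VLAN"),    # assumed: healthy user gets production VLAN
    ({USER}, None, "Quarantine-VLAN"),   # assumed: user without a healthy posture
]

BOTTOM = USER_RULES + [MACHINE_RULE]     # placement recommended in the thread
TOP = [MACHINE_RULE] + USER_RULES        # misplacement, for comparison


def evaluate(policy, roles, posture, default="Deny"):
    """First-applicable evaluation: the first rule that matches wins."""
    for required_roles, required_posture, profile in policy:
        if required_roles <= roles and required_posture in (None, posture):
            return profile
    return default


def session_trace(policy):
    """Follow one domain PC through boot, first logon and a passed health check."""
    steps = [
        ("boot, no user", {MACHINE}, "UNKNOWN"),
        # Assumption: the user re-auth on a machine-authenticated PC has both roles.
        ("user logs on", {MACHINE, USER}, "UNKNOWN"),
        ("health check passed", {MACHINE, USER}, "HEALTHY"),
    ]
    return [(label, evaluate(policy, roles, posture)) for label, roles, posture in steps]


if __name__ == "__main__":
    for name, policy in (("machine rule at bottom", BOTTOM), ("machine rule at top", TOP)):
        print(name)
        for label, profile in session_trace(policy):
            print(f"  {label:20} -> {profile}")
```

With the machine rule last, only a PC with no user session falls through to MachineAuth-VLAN; with it first, every later user authentication would match it too and stay in the restricted VLAN.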