Regular Contributor I
Posts: 187
Registered: ‎03-27-2013

ClearPass Aruba 802.1X Wireless and Machine Authentication

Hi,
I have configured a service using the template "Aruba 802.1X Wireless" on ClearPass 6.5.1.
I have configured a RADIUS proxy server for CheckPoint to allow CheckPoint Identity Awareness, and in the enforcement policies I have configured this rule:

(Tips : Role EQUALS [ Authenticated User ] )
AND (Tips : Role EQUALS [ Machine Authenticated ] )

Because I need to verify:
- The user is an Active Directory user
- The machine is a machine recognized by the Active Directory server (so not a personal device)

This type of configuration works fine in other environments; in this specific one, where the only difference is the RADIUS proxy, the enforcement policy does not work and ALL devices have access.

Another issue that I have encountered is that the client request has the email as the username: "name.surname@company.com"

I think it is due to the Windows OS, and the authentication fails.
If I force the username into the form "name.surname", everything works.

Any ideas?

Thanks in advance

Andrea
Guru Elite
Posts: 8,048
Registered: ‎09-08-2010

Re: ClearPass Aruba 802.1X Wireless and Machine Authentication

You would have to disable Windows authentication and have it prompt the user to enter their UPN.


Thanks,
Tim

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Aruba
Posts: 1,638
Registered: ‎04-13-2009

Re: ClearPass Aruba 802.1X Wireless and Machine Authentication


Andrea wrote:

Another issue that I have encountered is that the client request has the email as the username: "name.surname@company.com"

I think it is due to the Windows OS, and the authentication fails.
If I force the username into the form "name.surname", everything works.

Any ideas?

Thanks in advance


You have two options to resolve this. In your Service configuration, configure the Authentication settings to strip the @company.com from the login. This will authenticate all users using the username only.

cppm-strip.png

Alternatively, you can configure your Authentication source filter to look at both the sAMAccountName and the userPrincipalName:

(|(&(userPrincipalName=%{Authentication:Username})(objectClass=user))(&(sAMAccountName=%{Authentication:Username})(objectClass=user)))

cppm-upn-login2.png

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
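
The filter from the answer above, evaluated against constructed directory entries (an added example, not part of the thread and not ClearPass code). It shows that a login in either the "name.surname" or the "name.surname@company.com" form resolves to the same account; the sample entries, the `lookup` helper and the escaping step are assumptions made for illustration.

```python
import re

# Filter from the answer; %{Authentication:Username} is ClearPass's placeholder.
FILTER = ("(|(&(userPrincipalName=%{Authentication:Username})(objectClass=user))"
          "(&(sAMAccountName=%{Authentication:Username})(objectClass=user)))")

# Constructed sample entries (assumption, not real accounts).
DIRECTORY = [
    {"sAMAccountName": "name.surname", "objectClass": "user",
     "userPrincipalName": "name.surname@company.com"},
    {"sAMAccountName": "other.user", "objectClass": "user",
     "userPrincipalName": "other.user@company.com"},
]

def escape(value):
    """RFC 4515 escaping so a login name cannot change the filter structure."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse(text, pos=0):
    """Parse one '(...)' item; returns (node, position after it)."""
    if text[pos:pos + 1] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    if text[pos:pos + 1] in ("&", "|"):
        op, pos, children = text[pos], pos + 1, []
        while text[pos:pos + 1] == "(":
            child, pos = parse(text, pos)
            children.append(child)
        if text[pos:pos + 1] != ")":
            raise ValueError("unbalanced filter at offset %d" % pos)
        return (op, children), pos + 1
    end = text.index(")", pos)  # ValueError if the item is never closed
    attr, _, value = text[pos:end].partition("=")
    return ("=", attr, unescape(value)), end + 1

def matches(node, entry):
    if node[0] == "=":  # these AD attributes compare case-insensitively
        return entry.get(node[1], "").lower() == node[2].lower()
    results = [matches(child, entry) for child in node[1]]
    return all(results) if node[0] == "&" else any(results)

def lookup(username):
    """Substitute the login into FILTER and return matching sAMAccountNames."""
    text = FILTER.replace("%{Authentication:Username}", escape(username))
    tree, end = parse(text)
    if end != len(text):
        raise ValueError("trailing data after filter")
    return [e["sAMAccountName"] for e in DIRECTORY if matches(tree, e)]
```

A filter whose parentheses do not balance raises `ValueError` in `parse` instead of silently matching nothing.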

Aruba
Posts: 1,638
Registered: ‎04-13-2009

Re: ClearPass Aruba 802.1X Wireless and Machine Authentication


Andrea wrote:

Hi,
I have configured a service using the template "Aruba 802.1X Wireless" on ClearPass 6.5.1.
I have configured a RADIUS proxy server for CheckPoint to allow CheckPoint Identity Awareness, and in the enforcement policies I have configured this rule:

(Tips : Role EQUALS [ Authenticated User ] )
AND (Tips : Role EQUALS [ Machine Authenticated ] )

Because I need to verify:
- The user is an Active Directory user
- The machine is a machine recognized by the Active Directory server (so not a personal device)

This type of configuration works fine in other environments; in this specific one, where the only difference is the RADIUS proxy, the enforcement policy does not work and ALL devices have access.


With regard to this failure, can you send a copy of the Access Tracker logs so we can have a look at your service configuration for this specific event?

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Regular Contributor I
Posts: 187
Registered: ‎03-27-2013

Re: ClearPass Aruba 802.1X Wireless and Machine Authentication

Hi,
thanks for your answer, tomorrow I'll try to follow your suggestions.

But for the failed machine authentication I have no idea how to solve it.

It seems that "the enforcement policy" does not work.

Can you help me?

Best regards
Andrea

Andrea
Aruba
Posts: 1,638
Registered: ‎04-13-2009

Re: ClearPass Aruba 802.1X Wireless and Machine Authentication

Can you supply the Access Tracker export for that failed attempt?  It may help us understand your situation.

 

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Regular Contributor I
Posts: 187
Registered: ‎03-27-2013

Re: ClearPass Aruba 802.1X Wireless and Machine Authentication

Hi,

I want a client, in order to have access to the network, to have to pass both of my verifications:

- User Authenticated

- Machine Authenticated

The problem is, clients have access if they pass at least one of the two.

I have tried to set only "machine authentication" but it seems not to be working.
If the user ID is valid, he has access.

In the Access Tracker you see only one authentication, only user or only machine.

Usually I have to see two authentications for each client.

Best regards
Andrea

Andrea
Guru Elite
Posts: 8,048
Registered: ‎09-08-2010

Re: ClearPass Aruba 802.1X Wireless and Machine Authentication

Is the client pre-configured for "User or Computer authentication"?


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Regular Contributor I
Posts: 187
Registered: ‎03-27-2013

Re: ClearPass Aruba 802.1X Wireless and Machine Authentication

Hi,
sorry for the delay.
The client is configured correctly; I have already configured this type of authentication and it works fine in other environments.

It seems like the condition "user and machine are authenticated" is read like "User OR Machine".
But I have verified that it is set to an "AND" and not an "OR".

Do you know a debug which can help me?

Thanks
Andrea

Andrea
Guru Elite
Posts: 8,048
Registered: ‎09-08-2010

Re: ClearPass Aruba 802.1X Wireless and Machine Authentication

After the user gets to the desktop, do you see a second authentication?


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP