04-21-2015 05:20 PM
Hi all,
I need some clarification for machine authentication. I have a customer who has Windows 7 laptops that are joined to the domain, but they do not have any centralized list of MAC addresses or inventory of the devices. They configured the controller to do Dot1X and Machine authentication, and on the devices they have "Computer Authentication" configured in their WLAN settings.
I have a service for the wireless already that authenticates domain users via their username and password and that works fine. Is there a way if the device sends "host/computer1.customer.local" and the device fails authentication (because it's not in AD), that I can still do role mapping / enforcement to allow access?
Otherwise, is there a way to set up a service that does not force authentication to take place or allows all authentications?
I've discussed with customer changing the laptops to "User or Computer Authentication", but they would like to keep things the way they always have been.
Thanks.
Michael Haring
ACMP, ACCP, BCNE, CCENT, Palo Alto ACE 7.0
04-21-2015 05:22 PM
This is not possible. With 802.1X, authorization can only occur if authentication has passed.
You would need to have the devices do both machine and user authentication and also disable any machine authentication enforcement on the controller(s).
Re: ClearPass Machine Auth
04-21-2015 05:36 PM
Ok, so if the device sends "host/computer1.customer.local" and fails authentication, can I do enforcement stating "if Machine Authentication -> Domain computer enforcement profile"?
They are currently working on compiling a SQL database with MAC addresses, which I will use for authentication afterward. I don't know if the names will exist, but we can enforce MAC auth instead of machine auth for security.
Michael Haring
ACMP, ACCP, BCNE, CCENT, Palo Alto ACE 7.0
Re: ClearPass Machine Auth
04-21-2015 05:39 PM
Re: ClearPass Machine Auth
04-21-2015 05:45 PM
Ok, thanks for the clarification. I will relay to customer.
Michael Haring
ACMP, ACCP, BCNE, CCENT, Palo Alto ACE 7.0