Super Contributor I
Posts: 324
Registered: 05-09-2013

ClearPass Machine Auth

Hi all,

I need some clarification for machine authentication. I have a customer who has Windows 7 laptops that are joined to the domain, but they do not have any centralized list of MAC addresses or inventory of the devices. They configured the controller to do Dot1X and Machine authentication, and on the devices they have "Computer Authentication" configured in their WLAN settings.

I have a service for the wireless already that authenticates domain users via their username and password and that works fine. Is there a way if the device sends "host/computer1.customer.local" and the device fails authentication (because it's not in AD), that I can still do role mapping / enforcement to allow access?

Otherwise, is there a way to set up a service that does not force authentication to take place or allows all authentications?

I've discussed with the customer changing the laptops to "User or Computer Authentication", but they would like to keep things the way they always have been.

Thanks.

Michael Haring | Network Engineer - ACMP, ACCP
Comm Solutions Company | www.commsolutions.com
Guru Elite
Posts: 8,052
Registered: 09-08-2010

Re: ClearPass Machine Auth

This is not possible. With 802.1X, authorization can only occur if authentication has passed.

You would need to have the devices do both machine and user authentication and also disable any machine authentication enforcement on the controller(s).


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Super Contributor I
Posts: 324
Registered: 05-09-2013

Re: ClearPass Machine Auth

Ok, so if the device sends "host/computer1.customer.local" and fails authentication, can I do enforcement stating "if Machine Authentication -> Domain computer enforcement profile"?

They are currently working on compiling a SQL database with MAC addresses, which I will use for authentication afterward. I don't know if the names will exist, but we can enforce MAC auth instead of machine auth for security.

Michael Haring | Network Engineer - ACMP, ACCP
Comm Solutions Company | www.commsolutions.com
Guru Elite
Posts: 8,052
Registered: 09-08-2010

Re: ClearPass Machine Auth

With 802.1X, you can’t do bypass authentication like you can with MAC-auth. Authentication has to be successful in order to allow access.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Super Contributor I
Posts: 324
Registered: 05-09-2013

Re: ClearPass Machine Auth

Ok, thanks for the clarification. I will relay to customer.

Michael Haring | Network Engineer - ACMP, ACCP
Comm Solutions Company | www.commsolutions.com