Community Home > Discuss > Technology > Security > ClearPass Machine Auth

Security

Reply
MVP
MVP
mharing

ClearPass Machine Auth

‎04-21-2015 05:20 PM

Hi all,

 

I need some clarification for machine authentication. I have a customer who has windows 7 laptops that are joined to the domain, but they do not have any centralized list of MAC addresses or inventory of the devices. They configured the controller to do Dot1X and Machine authentication, and on the devices they have "Computer Authentication" configured in their WLAN settings. 

 

I have a service for the wireless already that authenticates domain users via their username and password and that works fine. Is there a way if the device sends "host/computer1.customer.local" and the device fails authentication (because it's not in AD), that I can still do role mapping / enforcement to allow access?

 

Otherwise, is there a way to setup a service that does not force authentication to take place or allows all authentications?

 

I've discussed with customer changing the laptops to "User or Computer Authentication", but they would like to keep things the way they always have been.

 

Thanks.

Michael Haring
ACMP, ACCP, BCNE, CCENT, Palo Alto ACE 7.0
Alert a Moderator
Message 1 of 5
2,222 Views
Reply
0 Kudos
Guru Elite Guru Elite
Guru Elite
cappalli

Re: ClearPass Machine Auth

‎04-21-2015 05:22 PM

This is not possible. With 802.1X, authorization can only occur if authentication has passed.

 

You would need to have the devices do both machine and user authentication and also disable any machine authentication enforcement on the controller(s).


Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Alert a Moderator
Message 2 of 5
2,217 Views
Reply
0 Kudos
MVP
MVP
mharing

Re: ClearPass Machine Auth

‎04-21-2015 05:36 PM

Ok, so if the device sends "host/computer1.customer.local" and fails authentication, can I do enforcement stating "if Machine Authentication -> Domain computer enforcement profile"?

 

They are currently working on compiling a SQL database with MAC addresses, which I will use for authentication afterward. I don't known if the names will exist, but we can enforce MAC auth instead of machine auth for security.

Michael Haring
ACMP, ACCP, BCNE, CCENT, Palo Alto ACE 7.0
Alert a Moderator
Message 3 of 5
2,207 Views
Reply
0 Kudos
Guru Elite Guru Elite
Guru Elite
cappalli

Re: ClearPass Machine Auth

‎04-21-2015 05:39 PM

With 802.1X, you can’t do bypass authentication like you can with MAC-auth. Authentication has to be successful in order to allow access.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Alert a Moderator
Message 4 of 5
2,205 Views
Reply
0 Kudos
MVP
MVP
mharing

Re: ClearPass Machine Auth

‎04-21-2015 05:45 PM

Ok, thanks for the clarification. I will relay to customer.

Michael Haring
ACMP, ACCP, BCNE, CCENT, Palo Alto ACE 7.0
Alert a Moderator
Message 5 of 5
2,202 Views
Reply
0 Kudos
Search Airheads
cancel
turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

© Copyright 2018 Hewlett Packard Enterprise Development LP
All Rights Reserved.
Powered by Lithium