Home > Community > Technology > Security > ClearPass Machine Auth

Security

Reply
Topic Options
MVP MVP
MVP
mharing
Posts: 385
Registered: ‎05-09-2013

ClearPass Machine Auth

Options

‎04-21-2015 05:20 PM

Hi all,

 

I need some clarification for machine authentication. I have a customer who has windows 7 laptops that are joined to the domain, but they do not have any centralized list of MAC addresses or inventory of the devices. They configured the controller to do Dot1X and Machine authentication, and on the devices they have "Computer Authentication" configured in their WLAN settings. 

 

I have a service for the wireless already that authenticates domain users via their username and password and that works fine. Is there a way if the device sends "host/computer1.customer.local" and the device fails authentication (because it's not in AD), that I can still do role mapping / enforcement to allow access?

 

Otherwise, is there a way to setup a service that does not force authentication to take place or allows all authentications?

 

I've discussed with customer changing the laptops to "User or Computer Authentication", but they would like to keep things the way they always have been.

 

Thanks.

Michael Haring | Senior Network Engineer
Comm Solutions, an Optiv Security Company
www.commsolutions.com | www.optiv.com
Alert a Moderator
Message 1 of 5 (1,586 Views)
Reply
0 Kudos
Guru Elite Guru Elite
Guru Elite
cappalli
Posts: 8,637
Registered: ‎09-08-2010

Re: ClearPass Machine Auth

Options

‎04-21-2015 05:22 PM

This is not possible. With 802.1X, authorization can only occur if authentication has passed.

 

You would need to have the devices do both machine and user authentication and also disable any machine authentication enforcement on the controller(s).


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Alert a Moderator
Message 2 of 5 (1,581 Views)
Reply
0 Kudos
MVP MVP
MVP
mharing
Posts: 385
Registered: ‎05-09-2013

Re: ClearPass Machine Auth

Options

‎04-21-2015 05:36 PM

Ok, so if the device sends "host/computer1.customer.local" and fails authentication, can I do enforcement stating "if Machine Authentication -> Domain computer enforcement profile"?

 

They are currently working on compiling a SQL database with MAC addresses, which I will use for authentication afterward. I don't known if the names will exist, but we can enforce MAC auth instead of machine auth for security.

Michael Haring | Senior Network Engineer
Comm Solutions, an Optiv Security Company
www.commsolutions.com | www.optiv.com
Alert a Moderator
Message 3 of 5 (1,571 Views)
Reply
0 Kudos
Guru Elite Guru Elite
Guru Elite
cappalli
Posts: 8,637
Registered: ‎09-08-2010

Re: ClearPass Machine Auth

Options

‎04-21-2015 05:39 PM

With 802.1X, you can’t do bypass authentication like you can with MAC-auth. Authentication has to be successful in order to allow access.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Alert a Moderator
Message 4 of 5 (1,569 Views)
Reply
0 Kudos
MVP MVP
MVP
mharing
Posts: 385
Registered: ‎05-09-2013

Re: ClearPass Machine Auth

Options

‎04-21-2015 05:45 PM

Ok, thanks for the clarification. I will relay to customer.

Michael Haring | Senior Network Engineer
Comm Solutions, an Optiv Security Company
www.commsolutions.com | www.optiv.com
Alert a Moderator
Message 5 of 5 (1,566 Views)
Reply
0 Kudos
Search Airheads
turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

© Copyright 2017 Hewlett Packard Enterprise Development LP
Powered by Lithium