Home > Community > Technology > Security > ClearPass Machine Auth

Security

Reply
Topic Options
MVP MVP
MVP
mharing
Posts: 395
Registered: ‎05-09-2013

ClearPass Machine Auth
Options

‎04-21-2015 05:20 PM

Hi all,

 

I need some clarification for machine authentication. I have a customer who has windows 7 laptops that are joined to the domain, but they do not have any centralized list of MAC addresses or inventory of the devices. They configured the controller to do Dot1X and Machine authentication, and on the devices they have "Computer Authentication" configured in their WLAN settings. 

 

I have a service for the wireless already that authenticates domain users via their username and password and that works fine. Is there a way if the device sends "host/computer1.customer.local" and the device fails authentication (because it's not in AD), that I can still do role mapping / enforcement to allow access?

 

Otherwise, is there a way to setup a service that does not force authentication to take place or allows all authentications?

 

I've discussed with customer changing the laptops to "User or Computer Authentication", but they would like to keep things the way they always have been.

 

Thanks.


Thank you.
Michael Haring | AIS Consultant
Architecture and Implementation Solutions
Optiv Security Inc. | www.optiv.com
Alert a Moderator
Message 1 of 5 (1,679 Views)
Reply
0 Kudos
Guru Elite Guru Elite
Guru Elite
cappalli
Posts: 8,774
Registered: ‎09-08-2010

Re: ClearPass Machine Auth
Options

‎04-21-2015 05:22 PM

This is not possible. With 802.1X, authorization can only occur if authentication has passed.

 

You would need to have the devices do both machine and user authentication and also disable any machine authentication enforcement on the controller(s).


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Alert a Moderator
Message 2 of 5 (1,674 Views)
Reply
0 Kudos
MVP MVP
MVP
mharing
Posts: 395
Registered: ‎05-09-2013

Re: ClearPass Machine Auth
Options

‎04-21-2015 05:36 PM

Ok, so if the device sends "host/computer1.customer.local" and fails authentication, can I do enforcement stating "if Machine Authentication -> Domain computer enforcement profile"?

 

They are currently working on compiling a SQL database with MAC addresses, which I will use for authentication afterward. I don't known if the names will exist, but we can enforce MAC auth instead of machine auth for security.


Thank you.
Michael Haring | AIS Consultant
Architecture and Implementation Solutions
Optiv Security Inc. | www.optiv.com
Alert a Moderator
Message 3 of 5 (1,664 Views)
Reply
0 Kudos
Guru Elite Guru Elite
Guru Elite
cappalli
Posts: 8,774
Registered: ‎09-08-2010

Re: ClearPass Machine Auth
Options

‎04-21-2015 05:39 PM

With 802.1X, you can’t do bypass authentication like you can with MAC-auth. Authentication has to be successful in order to allow access.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Alert a Moderator
Message 4 of 5 (1,662 Views)
Reply
0 Kudos
MVP MVP
MVP
mharing
Posts: 395
Registered: ‎05-09-2013

Re: ClearPass Machine Auth
Options

‎04-21-2015 05:45 PM

Ok, thanks for the clarification. I will relay to customer.


Thank you.
Michael Haring | AIS Consultant
Architecture and Implementation Solutions
Optiv Security Inc. | www.optiv.com
Alert a Moderator
Message 5 of 5 (1,659 Views)
Reply
0 Kudos
Search Airheads
turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

© Copyright 2017 Hewlett Packard Enterprise Development LP
Powered by Lithium