Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass wireless 802.1x machine and user authentication on non-Aruba and Cisco controller

  • 1.  Clearpass wireless 802.1x machine and user authentication on non-Aruba and Cisco controller

    Posted Oct 14, 2016 10:54 AM

    Can I do both machine and user authentication without the "enforce machine authentication" function on a non-Aruba controller or Cisco WLC?

    Actually, my goal is to check that the device is a domain computer and the user is a domain user on a specific SSID, with the OnGuard persistent agent. I found that the domain computer was authenticated first and then the user was authenticated, so there are two RADIUS logs on Access Tracker instead of both being completed at the same time. As far as I know there is a cached machine authentication function on CPPM, so how can I achieve this?



  • 2.  RE: Clearpass wireless 802.1x machine and user authentication on non-Aruba and Cisco controller

    EMPLOYEE
    Posted Oct 14, 2016 10:58 AM
    You would use both the [User Authenticated] and [Machine Authenticated] TIPS
    roles in your policy.


  • 3.  RE: Clearpass wireless 802.1x machine and user authentication on non-Aruba and Cisco controller

    Posted Oct 14, 2016 11:05 AM

    Hi,

    I have tried but still fail to get the right direction. Would you mind showing me how to create this entire "service", especially the "role" and "enforcement" tabs? I would return the correct VLAN if both machine and user authentication pass, otherwise deny or drop the request.



  • 4.  RE: Clearpass wireless 802.1x machine and user authentication on non-Aruba and Cisco controller

    EMPLOYEE
    Posted Oct 14, 2016 11:09 AM
    So you'd do TIPS role MATCHES_ALL [User Authenticated] and [Machine
    Authenticated] and then the enforcement would be your VLAN assignment
    enforcement profile.


  • 5.  RE: Clearpass wireless 802.1x machine and user authentication on non-Aruba and Cisco controller

    Posted Oct 17, 2016 12:00 AM

    Hi Cappalli,

    I have configured MATCHES_ALL [Machine Authenticated] and [User Authenticated], then I rebooted the domain computer and logged on as the domain user. After that, I can only find two separate records on Access Tracker: the first record is the machine authentication "host\xxxxxx", the second one is the user authentication "domain\user". It seems CPPM didn't cache my machine authentication result. Would you please provide the full steps? BTW, the Endpoint list is empty, so I can't use it as the other post suggests.

    HT



  • 6.  RE: Clearpass wireless 802.1x machine and user authentication on non-Aruba and Cisco controller

    EMPLOYEE
    Posted Oct 17, 2016 12:04 AM
    Does the first authentication request have a TIPS role of [Machine
    Authenticated]?


  • 7.  RE: Clearpass wireless 802.1x machine and user authentication on non-Aruba and Cisco controller

    Posted Oct 17, 2016 05:12 AM

    Yes




  • 8.  RE: Clearpass wireless 802.1x machine and user authentication on non-Aruba and Cisco controller

    Posted Oct 20, 2016 09:10 PM

    If you have your Windows client configured to do both User and Computer authentication, then the Windows client will always do both Machine and User authentication when the computer is rebooted.

    Machine authentication will always come first. This usually occurs while you are sitting on the CTRL + ALT + DEL screen.

    The machine authentication caching I believe is primarily used to avoid the issue of when users put their device to sleep. When the device is woken up, if the user is still signed in, then machine authentication does not take place. That is why the machine authentication is cached.

    You can write an attribute back to the Endpoints database after a computer has successfully authenticated and use this attribute in your role mappings. This would mean though that each computer would need to perform machine authentication at least once.

    I am sure there are more reasons why machine authentication is cached, I am just not entirely sure what they are.



  • 9.  RE: Clearpass wireless 802.1x machine and user authentication on non-Aruba and Cisco controller

    Posted Oct 28, 2016 07:45 AM

    Every time you are rebooting the domain computer, the computer will always go through the Machine Authentication cycle and your device will be tagged as Machine Authenticated.

    Then when the user is trying to authenticate, you will find another log in the Access Tracker for the User authentication process.

    Machine Authentication and User Authentication are totally separate processes that happen independently.

    Also you need to make sure that the option "Use cached Roles and Posture attributes from previous sessions" in the Enforcement Policy is enabled.

    So when the Machine authentication happens the result is cached and then you use it the next time, when the User authentication is happening, to build up your Policy.



  • 10.  RE: Clearpass wireless 802.1x machine and user authentication on non-Aruba and Cisco controller

    Posted Jan 29, 2019 10:03 PM

    I'm using the TIPS role caching, but when my users come in the next day, the auth has aged out and they're forced to disconnect/reconnect before being given the right Enforcement Policy. They only get the [User Authenticated] role on first try.


    The NAS is a WLC 2504.
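The behaviour described in posts 8, 9 and 10 (machine auth first, its TIPS role cached per endpoint, the user auth merging that cached role so a MATCHES_ALL rule fires, and the role-only outcome once the cache has aged out) as an added, illustrative Python model. This is not ClearPass code and not from the thread's authors; the role names come from the thread, while the cache TTL, the `host/` identity prefix, the MAC, the VLAN profile name and the timestamps are assumed.

```python
from datetime import datetime, timedelta

# Illustrative model of ClearPass merging cached TIPS roles from a previous session
# with the role of the current request. Not ClearPass code; only role names are real.
MACHINE_AUTH = "[Machine Authenticated]"
USER_AUTH = "[User Authenticated]"


class RoleCache:
    """Per-endpoint (MAC) cache of the roles from the previous session, with a TTL."""

    def __init__(self, ttl):
        self.ttl = ttl
        self.entries = {}  # mac -> (roles, time cached)

    def lookup(self, mac, now):
        hit = self.entries.get(mac)
        if hit is None or now - hit[1] > self.ttl:
            return set()  # no entry, or aged out: nothing to merge
        return set(hit[0])

    def store(self, mac, roles, now):
        self.entries[mac] = (set(roles), now)


def evaluate(identity, mac, cache, now, use_cached_roles=True):
    """Role-map one RADIUS request and apply a MATCHES_ALL enforcement rule."""
    # Assumption: machine-auth identities carry a host/ prefix (the thread's
    # "host\xxxxxx"); any other identity is treated as a user logon.
    roles = {MACHINE_AUTH} if identity.lower().startswith("host/") else {USER_AUTH}
    if use_cached_roles:  # "Use cached Roles and Posture attributes from previous sessions"
        roles |= cache.lookup(mac, now)
    cache.store(mac, roles, now)  # this session becomes the next request's cache
    if MACHINE_AUTH in roles and USER_AUTH in roles:
        return roles, "VLAN-Corp"  # both roles present -> VLAN enforcement profile (assumed name)
    return roles, "Deny"


def simulate(events, ttl_hours=24, use_cached_roles=True):
    """events: (hours since t0, identity, mac). Returns (sorted roles, enforcement) per event."""
    cache = RoleCache(timedelta(hours=ttl_hours))
    t0 = datetime(2016, 10, 17, 8, 0)  # constructed start time
    out = []
    for hours, identity, mac in events:
        now = t0 + timedelta(hours=hours)
        roles, enf = evaluate(identity, mac, cache, now, use_cached_roles)
        out.append((tuple(sorted(roles)), enf))
    return out


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"  # constructed endpoint MAC
    reboot, logon, next_day = (0, "host/PC1.corp.example", mac), (0.05, "CORP\\alice", mac), (25, "CORP\\alice", mac)
    for result in simulate([reboot, logon, next_day]):
        print(result)
```

The third event shows the symptom from post 10: once the cached machine role has aged out, the next-day user logon carries only [User Authenticated] and the MATCHES_ALL rule does not fire.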