HT
Occasional Contributor II
Posts: 16
Registered: ‎03-24-2009

Clearpass wireless 802.1x machine and user authentication on non-Aruba and Cisco controller

Can I do both machine and user authentication without the "enforce machine authentication" function on a non-Aruba controller or Cisco WLC?

Actually, my goal is to check that the device is a domain computer and a domain user on a specific SSID with the OnGuard persistent agent. I found that the domain computer is authenticated first and then the user is authenticated, so there will be two RADIUS logs on Access Tracker instead of both completed at the same time. As far as I know there is a cache machine authentication function on CPPM, so how can I achieve this?

Guru Elite
Posts: 8,169
Registered: ‎09-08-2010

Re: Clearpass wireless 802.1x machine and user authentication on non-Aruba and Cisco controller

You would use both the [User Authenticated] and [Machine Authenticated] TIPS roles in your policy.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
HT
Occasional Contributor II
Posts: 16
Registered: ‎03-24-2009

Re: Clearpass wireless 802.1x machine and user authentication on non-Aruba and Cisco controller

Hi,

I have tried but still failed to get the right direction. Would you mind showing me how to create this entire "service", especially the "role" and "enforcement" tabs? I would return the correct VLAN if both machine and user authentication pass, otherwise deny or drop the request.

Guru Elite
Posts: 8,169
Registered: ‎09-08-2010

Re: Clearpass wireless 802.1x machine and user authentication on non-Aruba and Cisco controller

So you'd do TIPS role MATCHES_ALL [User Authenticated] and [Machine Authenticated], and then the enforcement would be your VLAN assignment enforcement profile.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
HT
Occasional Contributor II
Posts: 16
Registered: ‎03-24-2009

Re: Clearpass wireless 802.1x machine and user authentication on non-Aruba and Cisco controller

Hi Cappalli,

I have configured MATCHES_ALL [Machine Authenticated] and [User Authenticated], then I rebooted the domain computer and logged on the domain user. After that, I could only find two separate records on Access Tracker: the first record is the machine authentication "host\xxxxxx", the second one is the user authentication "domain\user". It seems CPPM didn't cache my machine authentication result. Would you please provide the full steps? BTW, the Endpoint list is empty, so I can't use it as the other post suggests.

HT

Guru Elite
Posts: 8,169
Registered: ‎09-08-2010

Re: Clearpass wireless 802.1x machine and user authentication on non-Aruba and Cisco controller

Does the first authentication request have a TIPS role of [Machine Authenticated]?

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
HT
Occasional Contributor II
Posts: 16
Registered: ‎03-24-2009

Re: Clearpass wireless 802.1x machine and user authentication on non-Aruba and Cisco controller

Yes

Super Contributor II
Posts: 383
Registered: ‎09-05-2012

Re: Clearpass wireless 802.1x machine and user authentication on non-Aruba and Cisco controller

If you have your Windows client configured to do both User and Computer authentication, then the Windows client will always do both Machine and User authentication when the computer is rebooted.

Machine authentication will always come first. This usually occurs while you are sitting on the CTRL + ALT + DEL screen.

The machine authentication caching I believe is primarily used to avoid the issue of when users put their device to sleep. When the device is woken up, if the user is still signed in, then machine authentication does not take place. That is why the machine authentication is cached.

You can write an attribute back to the Endpoints database after a computer has successfully authenticated and use this attribute in your role mappings. This would mean though that each computer would need to perform machine authentication at least once.

I am sure there are more reasons why machine authentication is cached, I am just not entirely sure what they are.

Occasional Contributor I
Posts: 14
Registered: ‎03-20-2015

Re: Clearpass wireless 802.1x machine and user authentication on non-Aruba and Cisco controller

Every time you reboot the domain computer, the computer will always go through the Machine Authentication cycle and your device will be tagged as Machine Authenticated.

Then when the user tries to authenticate, you will find another log in the Access Tracker for the User authentication process.

Machine Authentication and User Authentication are totally separate processes that happen independently.

Also you need to make sure that the option "Use cached Roles and Posture attributes from previous sessions" in the Enforcement Policy is enabled.

So when the Machine authentication happens the result is cached, and then you use it the next time, when the User authentication is happening, to build up your Policy.

Zahran,
ACCP,ACMP,ASE
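As an added illustration (not ClearPass code and not from any poster in this thread), the following Python model replays the scenario the thread describes: a reboot produces a machine-authentication request, then a user-logon request from the same endpoint, and the enforcement policy requires TIPS role MATCHES_ALL [Machine Authenticated] and [User Authenticated] before handing out the VLAN. Running it with the "Use cached Roles and Posture attributes from previous sessions" option off reproduces the original poster's result (the user pass only carries [User Authenticated] and falls to the default deny), and with it on the cached machine role is merged into the user pass. The role names are the thread's; the VLAN numbers, the MAC address and identities, keying the cache on the endpoint MAC, caching only on an accepted request, and the restricted VLAN for a machine-only pass are all assumptions of this model.

```python
from dataclasses import dataclass, field

# TIPS role names as used in the thread.
MACHINE_ROLE = "[Machine Authenticated]"
USER_ROLE = "[User Authenticated]"

# Hypothetical VLAN ids returned by two enforcement profiles.
ALLOWED_VLAN = 100     # both machine and user authenticated
RESTRICTED_VLAN = 999  # machine-only pass (assumption: accepted so the cache has something to hold)


@dataclass
class RadiusRequest:
    """Constructed stand-in for one 802.1X request as it would show in Access Tracker."""
    mac: str       # endpoint MAC (Calling-Station-Id); the cache key in this model
    identity: str  # "host/..." for machine auth, "DOMAIN\\user" for user auth


@dataclass
class PolicyEngine:
    """Simplified model: role mapping -> optional cached roles -> enforcement rules."""
    use_cached_roles: bool                              # the "Use cached Roles..." option
    role_cache: dict = field(default_factory=dict)      # mac -> roles from accepted requests

    def map_roles(self, req: RadiusRequest) -> set:
        # Role mapping: the identity form tells a machine pass from a user pass.
        if req.identity.lower().startswith("host/"):
            return {MACHINE_ROLE}
        return {USER_ROLE}

    def authenticate(self, req: RadiusRequest) -> dict:
        roles = self.map_roles(req)
        if self.use_cached_roles:
            # Merge roles cached from this endpoint's earlier accepted request(s).
            roles |= self.role_cache.get(req.mac, set())

        # Enforcement policy, evaluated top-down; last rule is the default deny.
        if {MACHINE_ROLE, USER_ROLE} <= roles:          # MATCHES_ALL both roles
            result, vlan = "Accept", ALLOWED_VLAN
        elif MACHINE_ROLE in roles:                      # machine-only pass
            result, vlan = "Accept", RESTRICTED_VLAN
        else:
            result, vlan = "Reject", None

        if result == "Accept":
            # Assumption of this model: roles are cached per endpoint on accept only.
            self.role_cache.setdefault(req.mac, set()).update(roles)

        return {"identity": req.identity, "result": result,
                "vlan": vlan, "roles": sorted(roles)}


def run_reboot_scenario(use_cached_roles: bool) -> list:
    """Replay the thread's scenario: reboot (machine auth), then domain user logon."""
    engine = PolicyEngine(use_cached_roles=use_cached_roles)
    mac = "00-11-22-33-44-55"  # constructed sample endpoint
    return [
        engine.authenticate(RadiusRequest(mac, "host/PC01.example.test")),
        engine.authenticate(RadiusRequest(mac, "EXAMPLE\\alice")),
    ]


if __name__ == "__main__":
    for cached in (False, True):
        print(f"Use cached roles = {cached}")
        for rec in run_reboot_scenario(cached):
            print(f"  {rec['identity']:<26} {rec['result']:<7} "
                  f"vlan={rec['vlan']} roles={rec['roles']}")
```

Two separate Access Tracker records still appear in both runs, as the replies above say they will; what the cache option changes is whether the second record carries the machine role forward. Keying the cache on the endpoint is what stops a domain user on a non-domain laptop from inheriting somebody else's machine pass, which is the point of requiring both roles in the first place.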