10-14-2016 07:54 AM - edited 10-14-2016 08:01 AM
Can I do both machine and user authentication without the "enforce machine authentication" function on a non-Aruba controller or Cisco WLC?
Actually, my goal is to check that the device is a domain computer and the user is a domain user on a specific SSID with the OnGuard persistent agent. And I found that the domain computer was authenticated first, then the user was authenticated, so there are two RADIUS logs on Access Tracker instead of both being completed at the same time. As I know, there is a cached machine authentication function on CPPM, so how can I achieve this?
10-14-2016 07:57 AM
10-14-2016 08:05 AM
I have tried but still fail to get the right direction. Would you mind showing me how to create this entire "service", especially the "role" and "enforcement" tabs? I would return the correct VLAN if both machine and user authentication pass, otherwise deny or drop the request.
10-14-2016 08:09 AM
10-16-2016 09:00 PM
I have configured matching all of [Machine Authenticated] and [User Authenticated], then I rebooted the domain computer and logged on the domain user. After that, I can only find two separate records on Access Tracker: the first record is the machine authentication "host\xxxxxx", the second one is the user authentication "domain\user". It seems CPPM didn't cache my machine authentication result. Would you please provide the full steps? BTW, the Endpoint list is empty, so I can't use it as the other post suggests.
10-16-2016 09:03 PM
10-20-2016 06:10 PM
If you have your Windows client configured to do both User and Computer authentication, then the Windows client will always do both Machine and User authentication when the computer is rebooted.
Machine authentication will always come first. This usually occurs while you are sitting at the CTRL + ALT + DEL screen.
The machine authentication caching, I believe, is primarily used to avoid the issue of users putting their device to sleep. When the device is woken up, if the user is still signed in, then machine authentication does not take place. That is why the machine authentication is cached.
You can write an attribute back to the Endpoints database after a computer has successfully authenticated and use this attribute in your role mappings. This would mean though that each computer would need to perform machine authentication at least once.
I am sure there are more reasons why machine authentication is cached, I am just not entirely sure what they are.
10-28-2016 04:44 AM - edited 10-28-2016 04:48 AM
Every time you reboot the domain computer, the computer will always go through the Machine Authentication cycle and your device will be tagged as Machine Authenticated.
Then when the user tries to authenticate, you will find another log in the Access Tracker for the User authentication process.
Machine Authentication and User Authentication are totally separate processes that happen independently.
Also you need to make sure that the option "Use cached Roles and Posture attributes from previous sessions" in the Enforcement Policy is enabled.
So when the machine authentication happens, the result is cached, and then you use it the next time the user authentication is happening to build up your policy.
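The two answers above describe the same mechanism: machine authentication and user authentication arrive as two separate RADIUS transactions, and the only thing tying them together is a "machine authenticated" tag cached against the endpoint (its MAC) after the first one succeeds, which the enforcement policy then reads during the second. The following is an added toy model of that flow written for this thread, not ClearPass code and not anything the posters shared. It assumes a cache lifetime, VLAN numbers, the `host/` identity prefix that Windows uses for the computer account, and a constructed sequence of requests; the role names mirror the ClearPass defaults quoted in the thread but the logic is a simplification.

```python
"""Toy model of ClearPass-style cached machine authentication.

Two separate RADIUS transactions (machine, then user) are tied together
through an endpoint cache keyed on the client MAC, so the user session is
granted the corporate VLAN only when the same device already passed
machine authentication. Example code for the thread, not ClearPass itself.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Assumed values for the example; not ClearPass defaults.
MACHINE_AUTH_CACHE_SECONDS = 24 * 60 * 60
CORP_VLAN = 100          # both checks passed
MACHINE_ONLY_VLAN = 200  # computer sitting at the logon screen
MACHINE_ROLE = "[Machine Authenticated]"
USER_ROLE = "[User Authenticated]"


@dataclass
class AuthRequest:
    mac: str                 # Calling-Station-Id of the client
    identity: str            # EAP identity: "host/<fqdn>" or "DOMAIN\\user"
    timestamp: int           # seconds since epoch (constructed)
    credentials_valid: bool  # outcome of the AD check, simulated here


@dataclass
class EndpointCache:
    """Stands in for the endpoint attribute written back after a
    successful machine authentication (assumed structure)."""
    expiry: Dict[str, int] = field(default_factory=dict)

    def tag(self, mac: str, now: int) -> None:
        self.expiry[mac.lower()] = now + MACHINE_AUTH_CACHE_SECONDS

    def machine_authenticated(self, mac: str, now: int) -> bool:
        exp = self.expiry.get(mac.lower())
        return exp is not None and now < exp


def is_machine_identity(identity: str) -> bool:
    # Windows sends the computer account as host/<fqdn>
    return identity.lower().startswith("host/")


def evaluate(req: AuthRequest, cache: EndpointCache) -> Tuple[str, Optional[int], Set[str]]:
    """Role mapping plus enforcement for one request: (decision, vlan, roles)."""
    roles: Set[str] = set()
    if not req.credentials_valid:
        return "REJECT", None, roles          # nothing is cached on failure
    if is_machine_identity(req.identity):
        cache.tag(req.mac, req.timestamp)     # write-back after success
        roles.add(MACHINE_ROLE)
        return "ACCEPT", MACHINE_ONLY_VLAN, roles
    roles.add(USER_ROLE)
    if cache.machine_authenticated(req.mac, req.timestamp):
        roles.add(MACHINE_ROLE)               # reused from the earlier session
        return "ACCEPT", CORP_VLAN, roles
    # Valid domain user on a device that never did machine auth, or whose
    # cached tag expired: the poster wanted this denied rather than tolerated.
    return "REJECT", None, roles


def run_sequence(requests: List[AuthRequest]) -> List[Tuple[str, Optional[int], Set[str]]]:
    cache = EndpointCache()                   # fresh cache per run
    return [evaluate(r, cache) for r in requests]


# Constructed sequence resembling what Access Tracker would show (not real data).
T0 = 1_700_000_000
SAMPLE = [
    AuthRequest("AA:BB:CC:00:00:01", "host/PC01.corp.example", T0, True),        # reboot: machine auth
    AuthRequest("AA:BB:CC:00:00:01", "CORP\\alice", T0 + 60, True),            # user logs on same device
    AuthRequest("AA:BB:CC:00:00:02", "CORP\\bob", T0 + 120, True),             # personal laptop, no machine auth
    AuthRequest("AA:BB:CC:00:00:01", "CORP\\alice", T0 + 3600, True),          # wake from sleep, cache valid
    AuthRequest("AA:BB:CC:00:00:01", "CORP\\alice", T0 + MACHINE_AUTH_CACHE_SECONDS + 1, True),  # expired
    AuthRequest("AA:BB:CC:00:00:03", "host/ROGUE", T0 + 200, False),           # bad machine credentials
    AuthRequest("AA:BB:CC:00:00:03", "CORP\\carol", T0 + 260, True),           # no tag was written
]

if __name__ == "__main__":
    for req, (decision, vlan, roles) in zip(SAMPLE, run_sequence(SAMPLE)):
        print(f"{req.identity:26} {decision:6} vlan={vlan} roles={sorted(roles)}")
```

Running it shows why the poster sees two Access Tracker entries and still gets the combined result: the machine session lands in the restricted VLAN with only [Machine Authenticated], and the user session a minute later gets both roles and the corporate VLAN purely because the cache entry for that MAC exists. The same lookup is what lets a laptop resuming from sleep skip machine authentication, and why a device that never authenticated (or whose entry expired) is rejected. Note that the link between the two sessions is the client MAC, so the cache lifetime is also the window in which a spoofed MAC of a machine-authenticated device would inherit that tag.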