Occasional Contributor II
Posts: 17
Registered: ‎08-02-2011

Control of the devices able to logon to our network

Hi,

There might be something obvious I'm missing out, but I've been playing with a config on our lab controller where we use machine authentication for our windows devices connected to our domain. Using a Win2008 NPS, this works like a beaut, no issues there.

Maybe I'm approaching this from a totally wrong angle - But of course we have one or two MacBook users and how to approach this issue, since they don't support machine authentication?

I was hoping to have some sort of combination that if machine authentication fails, then a username and password with MAC authentication should be a minimum in order to be able to log on to the network, but is this at all possible?

Machine authentication alone - they get assigned authenticated

User/password with a valid MAC address in our domain as a user - they get assigned authenticated.

As I said, don't know if this is possible and quite possibly I'm approaching the entire thing completely wrong.

We're running 6.1.3.2 on our lab controller.

Any ideas or advice would be greatly appreciated.

Tommy

Aruba
Posts: 1,644
Registered: ‎04-13-2009

Re: Control of the devices able to logon to our network

When using machine authentication, the controller caches the MAC address of successfully logged on machines (the time is customizable in the dot1x profile under advanced "Machine Authentication Cache Timeout"). If you have non-domain machines that you want to pass your machine authentication tests, just add their MAC addresses to the internal database on the controller. This will trick the controller into thinking it passed machine authentication, getting you the role you desire.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Occasional Contributor II
Posts: 17
Registered: ‎08-02-2011

Re: Control of the devices able to logon to our network

In the AAA profile, besides having an 802.1x rule which checks the computer name against our AD, does this mean setting up a MAC authentication profile and having our NPS defined in the server group (and having that MAC address as a user with the same password), or does it have to be in the internal DB?

Aruba
Posts: 1,644
Registered: ‎04-13-2009

Re: Control of the devices able to logon to our network

What I described (the caching of the MAC during the enforce machine authentication setting) is done only in the Internal database. There are no MAC Authentication profiles or Server Groups to set up in this instance (as it is not doing actual MAC authentication). If you are enforcing machine authentication through a dot1x profile, by adding the MAC address of a device to the internal DB, you'll trick the controller into thinking it has successfully authenticated in the past. Take a look at your Internal DB, you should see the MACs of successful computers in there.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
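The decision logic described in the replies above, written out as an added model (this is not ArubaOS code, nor anything from the posters): the controller treats a MAC as "machine authenticated" if it is in the machine-authentication cache and the cache-timeout has not elapsed, or if it has been statically added to the internal DB, and then combines that with the result of the user's 802.1X authentication to pick a role. The role names, the 24-hour cache default and the MAC formats are assumptions for the example. Because the internal-DB entry is keyed on nothing but the MAC, any client presenting that address satisfies the machine check, so the role granted when only the machine side passes should carry the least privilege the device actually needs.

```python
# Added model (not ArubaOS code) of role selection under "enforce machine
# authentication": a MAC cache of past machine authentications, statically
# provisioned internal-DB MAC entries, and the user 802.1X outcome.
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


def normalize_mac(mac: str) -> str:
    """Canonicalise a MAC so cache and internal-DB lookups agree regardless of
    how the address was typed (aa:bb:cc:dd:ee:ff, AABB.CCDD.EEFF, aabbccddeeff)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class MachineAuthPolicy:
    # Role names are hypothetical; on a controller they are the roles configured
    # in the dot1x profile ("Default Machine Role", "Default User Role") and the
    # AAA profile's 802.1X default role.
    both_role: str = "authenticated"        # machine AND user passed
    machine_only_role: str = "machine-only"  # machine passed, user failed
    user_only_role: str = "user-only"        # user passed, no machine record
    cache_timeout: timedelta = timedelta(hours=24)  # assumed default timeout
    _machine_cache: dict = field(default_factory=dict)  # mac -> last success
    _internal_db: set = field(default_factory=set)      # statically added MACs

    def record_machine_auth(self, mac: str, when: datetime) -> None:
        """Called when a domain machine passes machine authentication."""
        self._machine_cache[normalize_mac(mac)] = when

    def add_internal_db_mac(self, mac: str) -> None:
        """Static entry for a device that cannot do machine authentication."""
        self._internal_db.add(normalize_mac(mac))

    def machine_trusted(self, mac: str, now: datetime) -> bool:
        """True if the MAC is in the internal DB, or cached and not expired."""
        key = normalize_mac(mac)
        if key in self._internal_db:
            return True
        seen = self._machine_cache.get(key)
        return seen is not None and (now - seen) < self.cache_timeout

    def assign_role(self, mac: str, user_auth_ok: bool,
                    now: datetime) -> Optional[str]:
        """Return the role to apply, or None when access should be denied."""
        machine_ok = self.machine_trusted(mac, now)
        if machine_ok and user_auth_ok:
            return self.both_role
        if machine_ok:
            return self.machine_only_role
        if user_auth_ok:
            return self.user_only_role
        return None


if __name__ == "__main__":
    policy = MachineAuthPolicy()
    t0 = datetime(2011, 8, 2, 9, 0)            # constructed timestamps
    policy.record_machine_auth("00:11:22:33:44:55", t0)   # constructed MACs
    policy.add_internal_db_mac("aa-bb-cc-dd-ee-ff")
    for mac, user_ok, when in [
        ("00:11:22:33:44:55", True, t0 + timedelta(hours=1)),
        ("00:11:22:33:44:55", True, t0 + timedelta(hours=25)),  # cache expired
        ("AABB.CCDD.EEFF", True, t0 + timedelta(days=30)),      # static entry
        ("66:77:88:99:aa:bb", False, t0),                       # unknown, user failed
    ]:
        print(mac, user_ok, "->", policy.assign_role(mac, user_ok, when))
```

The two trust sources are kept separate on purpose: cache entries expire with the configured timeout, while the static internal-DB entries never do, which is what makes them work for the MacBooks and also what makes them worth reviewing periodically.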
