Create Multiple [Machine Authenticated] Roles

First, I will explain what I want to do:

Device A is joined to domain acme.com

Device A is a member of ABC OU

Device A must machine authenticate and user authenticate in order for the device to gain full access to the network

Results in default RADIUS ALLOW policy

Device B is joined to domain acme.com

Device B is a member of XYZ OU

Device B must machine authenticate and user authenticate in order for the device to gain full access to the network

Results in NAMED VLAN and NAMED ROLE. Device B must be placed into a different VLAN and role than Device A

Here's the problem:

This configuration works fine for device A. The device gets the [Machine Authentication] role and is cached for 24 hours, allowing the user to log in and get complete access to the network: [Machine Authentication] + User auth = access.

When the machine authenticates, we differentiate access by determining that it's in a different OU, which results in device B getting a different role than device A. I can't give it the [Machine Authentication] role because otherwise it will end up with the same enforcement policy as device A. Since I can't give the [Machine Authentication] role to device B, when the user logs in their machine authentication is not cached, so I can't get them on the network.

My solution to this would be to create a ClearPass role called [Machine Authentication - XYZ] that caches just like the built-in [Machine Authentication] role. Then, I could use [Machine Authentication - XYZ] + User authentication to give device B differentiated access to the network.

Is this at all possible, or is there another way of doing this that I'm not thinking of?

=======================================
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.

Re: Create Multiple [Machine Authenticated] Roles

I think you have multiple things to think about. The server certificate for CPPM must be trusted by laptops in both domains. That can be a huge undertaking based on how mobile devices in both domains are set up.

When a machine authenticates, it is part of the "domain machines" AD group for a particular domain. You would put all devices that pass authentication for domain X in VLAN X and for domain Y in VLAN Y. The user who passes user authentication will be in domain users for domain X and that device should end up in VLAN X. Same thing for VLAN Y.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Re: Create Multiple [Machine Authenticated] Roles

The computers are in the same domain, but different OUs within the AD tree.

Re: Create Multiple [Machine Authenticated] Roles

What are you trying to accomplish, then?

Colin Joseph
Aruba Customer Engineering


Re: Create Multiple [Machine Authenticated] Roles

I have to identify a group of domain computers and put them in a different VLAN than all other domain computers.

Re: Create Multiple [Machine Authenticated] Roles

In your role map, tag computers that are a member of OU "A" with a role and "B" with a different role, and then in your enforcement say [Machine Authenticated] and Role A then VLAN or user role A. Same with B.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
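A simplified model of the approach described above (the role map tags the computer with a per-OU role, and enforcement matches on [Machine Authenticated] plus that role), as an added example that is not from the thread or from Aruba. The OU names come from the question; the role names, the per-MAC cache handling, the restricted fallback and the directory data are assumptions, not ClearPass internals. It also runs the case where the cached machine authentication has aged out before the user logs in.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
MACHINE_AUTH_CACHE = timedelta(hours=24)   # cache window mentioned in the thread

# Constructed directory data (assumption): machine identity -> OU in acme.com.
COMPUTER_OU = {
    "host/device-a.acme.com": "ABC",
    "host/device-b.acme.com": "XYZ",
}
# Role mapping step: tag each computer with a per-OU role (role names assumed).
OU_ROLE = {"ABC": "Computers-ABC", "XYZ": "Computers-XYZ"}

@dataclass
class PolicyEngine:
    cache: dict = field(default_factory=dict)   # mac -> (expiry, ou_role)

    def machine_auth(self, mac, identity, now):
        """Machine (computer account) 802.1X request: cache the result per MAC."""
        ou = COMPUTER_OU.get(identity)
        if ou is None:
            return {"result": "REJECT"}
        role = OU_ROLE[ou]
        self.cache[mac] = (now + MACHINE_AUTH_CACHE, role)
        return self.enforce({"[Machine Authenticated]", role})

    def user_auth(self, mac, now):
        """User 802.1X request: inherit the cached machine roles if still valid."""
        roles = {"[User Authenticated]"}
        entry = self.cache.get(mac)
        if entry and entry[0] > now:
            roles |= {"[Machine Authenticated]", entry[1]}
        return self.enforce(roles)

    @staticmethod
    def enforce(roles):
        # Enforcement policy, first matching rule wins (rule contents are assumed).
        if "[Machine Authenticated]" in roles and "Computers-XYZ" in roles:
            return {"result": "ACCEPT", "vlan": "VLAN-XYZ", "role": "role-xyz"}
        if "[Machine Authenticated]" in roles and "Computers-ABC" in roles:
            return {"result": "ACCEPT", "vlan": None, "role": None}  # default allow
        # No valid machine auth (never done, or aged out of the cache): restricted.
        return {"result": "ACCEPT", "vlan": "VLAN-RESTRICTED", "role": "restricted"}

def demo():
    engine, t0, mac_b = PolicyEngine(), datetime(2024, 1, 1, 8, 0), "aa:bb:cc:00:00:02"
    engine.machine_auth(mac_b, "host/device-b.acme.com", t0)   # boot: machine auth
    return {
        "b_login": engine.user_auth(mac_b, t0 + timedelta(minutes=5)),
        "b_stale": engine.user_auth(mac_b, t0 + timedelta(hours=25)),
        "unknown": engine.machine_auth("aa:bb:cc:00:00:09", "host/other.example", t0),
    }
```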

Re: Create Multiple [Machine Authenticated] Roles

Tim,

That works for putting the computer in the proper VLAN when it machine authenticates, but once the user logs in will the VLAN be retained if I don't override it, if I only send a RADIUS accept? Also, if that did work and the device was off network long enough to age out of the controller user table, when it reconnects to the network I'm afraid it will end up in the VAP's default VLAN. These computers must consistently be placed in a particular VLAN for compliance reasons.

Re: Create Multiple [Machine Authenticated] Roles

thecompnerd,

 
You probably are making this too complicated. You should just use machine authentication only and be done with it.

Colin Joseph
Aruba Customer Engineering



Re: Create Multiple [Machine Authenticated] Roles

For when the user authenticates, you can create a different action by using the [User Authenticated] role. If you want the same VLAN to stick for the machine, configure the device to use machine auth only via group policy.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: Create Multiple [Machine Authenticated] Roles

cjoseph,

I initially thought I was overthinking it, but after working it through a couple of times in my head I don't believe I will be able to consistently put these machines in the VLAN they need. I will do some additional testing tomorrow to confirm my thinking/concerns, as I'm not sure I've effectively communicated what I'm trying to do on the forums.