Enforce Machine Auth not working as expected.

Community,

I have the "Enforce Machine Auth" setting enabled for one of my WLANs, with my Windows NPS scenario as follows:

- Policy 1 handles the machine authentication portion. When the machine boots up, it sends an 802.1X "machine" request; if the machine is found in Active Directory, the NPS RADIUS will send an "authenticated/allow access" message back, satisfying the "enforce machine auth" requirement.

- Policy 2 handles the user auth portion. When the user enters their username/password, the Windows machine will switch the 802.1X "state" from Machine to User Auth and will then send a user auth; this policy will see that the user is in AD and send an "authenticated/allow" message as well as some other RADIUS parameters (VLAN ID).

This is working well for Windows domain machines, but what I'm noticing is that when I try to connect a non-domain machine like my cell phone, even with enforce machine auth enabled, my phone is still able to connect to the WLAN. I thought enforcing machine auth was supposed to prevent devices that don't have a valid machine auth from connecting altogether? Am I misunderstanding how machine auth works? When I look at the client connections on the controller, the cell phone has a state of 802.1x-User. I am noticing, however, that the cell phone is not getting an IP address, so in essence it's not able to traverse our network, but my concern is that the controller is still allowing it to connect to the SSID even without a valid machine auth. My company does not want non-domain machines connecting to our 802.1X-enabled SSID. Any suggestions? Thanks.

Re: Enforce Machine Auth not working as expected.

What do you have defined under the Layer 2 Auth Profile > Your 802.1X Profile > Machine: Default user role?

You can do two things:

- You can configure a MOBILE-ROLE under the "Machine Authentication: Default user role", allow the mobile devices to connect, and under the role assign the Guest VLAN.

- If you want to fully deny access, just assign a denyall role under "Machine Authentication: Default user role".

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
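The two options above, written out as an ArubaOS 802.1X authentication profile. This is an added example, not configuration posted by either participant: the profile name `corp-dot1x`, the role name `mobile-role` and VLAN 900 are assumptions, `denyall` is the controller's built-in role, and the lines beginning with `!` are annotations for the reader. The GUI's "Enforce Machine Auth" checkbox corresponds to `machine-authentication enable`; "Default user role" is the role the controller assigns when machine authentication failed or never happened but user authentication succeeded, which is exactly the phone case in the original post.

```text
! Option 1: let non-domain devices on, but only into a restricted role on the guest VLAN.
user-role mobile-role
   vlan 900
   session-acl allowall
!
aaa authentication dot1x "corp-dot1x"
   machine-authentication enable
   ! machine auth passed, user auth failed or not yet done
   machine-authentication machine-default-role "mobile-role"
   ! machine auth failed or absent, user auth passed (a phone with valid AD user creds)
   machine-authentication user-default-role "mobile-role"
!
! Option 2: deny anything that did not complete machine authentication.
aaa authentication dot1x "corp-dot1x"
   machine-authentication enable
   machine-authentication user-default-role "denyall"
```

After applying either option, `show aaa authentication dot1x corp-dot1x` confirms the role settings, and `show user-table` shows each client's assigned role next to its Auth state (802.1x-Machine vs 802.1x-User): a phone that only passed user authentication should now appear in `mobile-role` or `denyall` rather than in the 802.1X default role.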

Re: Enforce Machine Auth not working as expected.

Victor,

Thanks so much for the quick response. I went ahead and set the Machine Auth: default user role to "denyall"; this way non-domain devices cannot get on the network. For some reason I was under the impression that the device would not be able to connect to the WLAN at all if it didn't have a valid machine auth, but now that I think about it, that would be impossible because the device at a minimum has to complete a successful AP Auth/Association before it can do 802.1X to begin with. So in essence it is "connecting" to the WLAN, but the AP is preventing "network access" due to the failed machine auth. Is this correct?
