08-18-2016 12:33 AM
I have read through all the posts regarding machine authentication, but still couldn't figure out how to do it... Perhaps someone can enlighten me. Our setup is as below:
- Windows 2008 (RADIUS server) + Aruba controller (without ClearPass)
- We need to ensure "user authentication and machine authentication", so that only domain computers can connect to the corporate wireless.
Sounds simple; I know I need to configure "enforce machine authentication" in the 802.1X profile and set up the NPS policy properly, but I couldn't find the details for the questions below:
1. Machine Authentication: Default Machine Role. What should I set it to? (Set up a role and then assign a VLAN to it?)
2. Machine Authentication: Default User Role. What should I set it to? (Set up a role and then assign a VLAN to it?)
3. In the NPS policy, I have added a condition so that only these user groups (Domain Computers and Domain Users) can access?
4. In the NPS RADIUS attributes, I have configured Tunnel-Type as VLAN and assigned VLAN 100 for users once authentication is successful.
So far only user authentication is working, as I can see from the NPS logs: when the computer boots up and tries to use machine authentication, the NPS logs show that (Domain\Computer_name) has been denied access.
I really have no idea what needs to be configured in order for machine authentication to kick in...
08-18-2016 03:08 AM
08-18-2016 06:13 PM - edited 08-18-2016 06:19 PM
Right now I have only 1 policy in NPS, which allows domain computers and domain users to access. So should I separate it into 2 policies, 1 for domain computers and 1 for domain users?
08-19-2016 01:14 AM
I have configured 2 policies, 1 for the user group (Domain Users) and 1 for the machine group (Domain Computers), and my laptop is able to access via machine authentication. But when I use my phone to log in, I am still able to access with my user authentication. How should I make it so that only domain computers can log in?
08-19-2016 11:12 PM
I wanted to achieve the same thing at one time and discovered you cannot achieve that with RADIUS and NPS. It is only possible to test on one condition with NPS, that is, are they a valid user or is it a valid device. It is not possible to test on both conditions. So if they pass one, they will be allowed to connect. I'm not fully sure of the technical reasons for the limitation.
08-22-2016 05:47 PM
I have configured 2 policies in NPS, 1 for Domain Users and the other for Domain Computers, and also enabled "enforce machine authentication". Machine Authentication: Default Machine Role is configured as authenticated, and Machine Authentication: Default User Role as denyall. Have I configured it the correct way? I noticed from the RADIUS server's Event Viewer that when I boot up my computer and log in, I get 2 events for machine authentication (successful login) and 2 events for user authentication (successful login). Also, I can't log in using my phone now with a valid AD account.
08-22-2016 05:58 PM
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
08-23-2016 01:34 AM
You cannot do that with NPS. NPS can only check one authentication at a time, so it cannot "remember" whether the device a user is on successfully machine-authenticated before a user authentication.
The only way to sort of do this is to set up your laptops to only authenticate with machine credentials, and in your NPS policy only allow the "Domain Computers" group to authenticate. This would mean that only the machine would authenticate, but users would still have to authenticate at the logon prompt to the computer/network to do anything. This means the users would still be subjected to the same level of authentication, and ONLY domain machines can get onto the wireless.
Aruba Customer Engineering
08-24-2016 08:21 PM
So with this method, I don't even need to enable the "enforce machine authentication" option on the wireless controller, right? Only configure 1 policy for machine authentication in NPS and force users to use machine authentication only on their computers.