Security

I have a test environment setup, using ClearPass 6.X and an Aruba controller.  I've setup a policy that needs to verify both the user and computer are in the domain.  The computer and user authenticate just fine, but there seems to be a problem with my  enforcement policy.  I have 2 conditions:

Tips: Role EQUALS [user authenticated] > User Role

Tips: Role EQUALS [Machine Authenticated] > Machine role.

The user role profile enforces a user role and the machine role profile enforces a machine role.  The machine authenticates properly and receives the machine role.  Then, the user authenticates and receives the user role.  My expectation was that since the machine authenticated and then the user authenticated that the controller would assign the default dot1x role.  I have this working properly with a Windows NPS server.  However, this isn't happening with ClearPass.  Any thoughts?

So is User Role defined as a RADIUS Enforcement profile in CPPM? If you select it does it show Action: Accept  ?

You can also try to add an attribute as follows:

Type: Radius:Aruba

Name: Aruba-User-Role

Value: <NameOfArubaRoll>

Yes, my enforcement profiles contain the user role and machine role.

In production with my Win NPS server, the following happens:

1. Machine authenticates > machine role assigned

2. User authenticates > authenticated role assigned (default dot1x role)

In my test CPPM lab, the following happens:

1. Machine authenticates > machine role assigned

2. User authenticates > user role assigned

So, I assume you have 'enforce machine authentication' setup on the dot1x authentication profile, correct?  

Regardless, a server derived rule (from CPPM in this case) is going to override the defualt dot1x role; so the response from CPPM is going to overwrite the default dot1x role if machine/user authentication pass.   If you want to use the user/machine/default roles of the dot1x profile, then do not apply any Aruba-User-Roles in the CPPM enforcment profile/policies; just allow them to pass.

Yes, enforce machine authentication is checked.

If I remove the enforcement policy that I created from the service and select the [sample allow access profile], the user is getting fully authenticate without having to machine authenticate first.  To test this, I disabled wifi and deleted the MAC from the user table.  Then, I re-enabled wifi.  I checked the controller and had the authenticated role, when I should've had the user role.

try your test again, but in addition to your steps run the following to make sure you remove the user fully form the user table:

aaa user delete <ip.of.client>

Same result.

Run the follow to see how the user got that role.

show user ip <ip of user>

Look for the line that says:

Role Derivation:

Role Derivation: default for authentication type 802.1x

Uncheck enforce machine authentication and allow CPPM to assign the roles.  Enforce Machine authentication changes the rules...

I now see something different when issuing the show user ip command:

Role Derivation: Aruba VSA

However, my role is still the user role once logged in.

My enforcement profile must not be correct.  I need some way to say "if machine authenticated + user authenticated = this role".  I'm not sure how to configure that in an enforcement policy.

- Uncheck Enforce Machine authentication on the Aruba controller, because that will just ignore your VSA

In the Enforcement Policy, check to see if tips role = [user authenticated] and tips role = [machine authenticated] then {Enforcement Profile].  Make sure it says "Match All" to satisfy the rule.  In this example it sends the Employee Access Radius Enforcement Profile, but it could be any Aruba VSA.

---

@cjoseph wrote:

 

In the Enforcement Policy, check to see if tips role = [user authenticated] and tips role = [machine authenticated] then {Enforcement Profile].  Make sure it says "Match All" to satisfy the rule.  In this example it sends the Employee Access Radius Enforcement Profile, but it could be any Aruba VSA.

 

---

I'm getting the correct role, now.  Access tracker shows [Machine Authenticated] and [User Authenticated] in the Roles.

I wanted to be sure that a user logon (without machine auth) would not result in the authenticated role being assigned.  On my test laptop, I disabled wifi, cleared the IP from the user table, then enabled wifi.  It's getting the authenticated role when it should be denied (no enforcement policy to match only [user authenticated]).  I'm not sure if CPPM is caching the machine state, but access tracker shows [machine authenticated] and [user authenticated].  I should only be passing user authentication, so I'm not sure what's going on.

CPPM does cache the machine authentication state for a certain amount of time, and it resets the timer every time there is a successful user authentication from that mac address.

The time it caches is at Administration> Server Manager> Server Configuration> Click on the Server> Service Parameters:

Ahh, well that makes sense.

I tested connectivity with some non-windows devices and received the user role (created an enforcement policy/profile as a test) as expected.  Very good!

I added an additional condition below to my enforcement profile that matches [machine authenticated] and assigns a machine role so that the computer will have basic network connectivity while at the logon screen and during the logon process.

Thanks everyone for the assistance!

Sorry, one more question...

The policy I created requires machine + user auth in order to enforce the authenticated role.  If the computer is on wireless for 24+ hours, will it maintain the authenticated role or will ClearPass deauth the computer because the machine auth caching (24 hours) has expired?  I'd like to know if I need to extend the length of machine caching so users don't have to reboot or hit the logon screen to machine auth every day.

---

@thecompnerd wrote:

Sorry, one more question...

 

The policy I created requires machine + user auth in order to enforce the authenticated role.  If the computer is on wireless for 24+ hours, will it maintain the authenticated role or will ClearPass deauth the computer because the machine auth caching (24 hours) has expired?  I'd like to know if I need to extend the length of machine caching so users don't have to reboot or hit the logon screen to machine auth every day.

---

The machine authenticated timer resets itself every time that device authenticates, whether it is machine or user.  If a user is on for less 24 hours, it will  mark itself as machine authenticated every time the user authenticates successfully to cppm, and the timer is then reset.  It does not require a machine authentication past the initial machine auth.  If it does not authenticate, period for 24 hours, it needs to machine authenticate all over again.

So the machine auth timer within clearpass is reset as long as the user is logged into the machine and using the wireless network?  Where can you see the list of authenticated machines?

It is reset to the machine authentication cache everytime the device authenticates, whether it be user or machine.  Assuming the user is logged into the machine, presumably the device periodically authenticates and resets the cache timer.

There is no way to see the cached devices.

Do PM cluster members share the machine auth cache? Just curious to know if I'll be able to roam between our campuses without having to machine auth.

---

@thecompnerd wrote:

Do PM cluster members share the machine auth cache? Just curious to know if I'll be able to roam between our campuses without having to machine auth.

---

Yes.

ok, very limited testing, but what I'm seeing is the following.

The first time a laptop connects to the wifi, when set to 'user OR computer' it only does a user-auth.

If I change it to 'computer auth', it does a machine-auth as expected.  When it is changed back to 'user or computer' auth, it then does both....machine first, then user.

Sounds like a Windows issue, but definately Access Tracker in CP is only showing the user-auth during those first attempts.

When computer OR user is enabled:

- The Machine only attempts authentication when the station is booting up, or logging out of the user context.

- The user authentication is attempted only when the user is logging in or if the wifi interface is enabled when the user is already logged in.

That is the way it is supposed to work.

Computer only will only authentication with computer credentials.

got it.  That makes sense now.

:smileyhappy:

I tried that rule, but the domain machines only seem to fall into machine auth role.

Tried different settings in Windows as well.  Should it be auth-type 'user or computer authentication'?

Yes, it should be user OR computer

I don't think that is possible in CPPM.  That is the function of the 'enforce machine authentication' option on the controller in the dot1x profile.     If CPPM can do this on its own, I'd be interested in this as well.

From your last post, it looks like CPPM is still assigning the role.    Double check your last logon in Access Tracker; look at the output tab; is a role being assigned there?  You can also verify the enforcemnt policy being applied for that logon.