MVP
Posts: 1,111
Registered: ‎10-11-2011

Enforce Machine Authentication

I have a test environment set up, using ClearPass 6.X and an Aruba controller. I've set up a policy that needs to verify both the user and computer are in the domain. The computer and user authenticate just fine, but there seems to be a problem with my enforcement policy. I have 2 conditions:

Tips: Role EQUALS [User Authenticated] > User Role

Tips: Role EQUALS [Machine Authenticated] > Machine role.

The user role profile enforces a user role and the machine role profile enforces a machine role.  The machine authenticates properly and receives the machine role.  Then, the user authenticates and receives the user role.  My expectation was that since the machine authenticated and then the user authenticated that the controller would assign the default dot1x role.  I have this working properly with a Windows NPS server.  However, this isn't happening with ClearPass.  Any thoughts?

=======================================
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.
Regular Contributor I
Posts: 171
Registered: ‎04-13-2009

Re: Enforce Machine Authentication

So is User Role defined as a RADIUS Enforcement profile in CPPM? If you select it, does it show Action: Accept?

You can also try to add an attribute as follows:

Type: Radius:Aruba

Name: Aruba-User-Role

Value: <NameOfArubaRole>

-------------------
ACDX, ACCP, CISSP, CWNA
MVP
Posts: 1,111
Registered: ‎10-11-2011

Re: Enforce Machine Authentication

Yes, my enforcement profiles contain the user role and machine role.

In production with my Win NPS server, the following happens:

1. Machine authenticates > machine role assigned

2. User authenticates > authenticated role assigned (default dot1x role)

In my test CPPM lab, the following happens:

1. Machine authenticates > machine role assigned

2. User authenticates > user role assigned

Aruba
Posts: 1,644
Registered: ‎04-13-2009

Re: Enforce Machine Authentication

So, I assume you have 'enforce machine authentication' set up on the dot1x authentication profile, correct?

Regardless, a server derived rule (from CPPM in this case) is going to override the default dot1x role; so the response from CPPM is going to overwrite the default dot1x role if machine/user authentication pass. If you want to use the user/machine/default roles of the dot1x profile, then do not apply any Aruba-User-Roles in the CPPM enforcement profile/policies; just allow them to pass.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

MVP
Posts: 1,111
Registered: ‎10-11-2011

Re: Enforce Machine Authentication

Yes, enforce machine authentication is checked.

If I remove the enforcement policy that I created from the service and select the [sample allow access profile], the user is getting fully authenticated without having to machine authenticate first. To test this, I disabled wifi and deleted the MAC from the user table. Then, I re-enabled wifi. I checked the controller and had the authenticated role, when I should've had the user role.

Aruba
Posts: 1,644
Registered: ‎04-13-2009

Re: Enforce Machine Authentication

Try your test again, but in addition to your steps run the following to make sure you remove the user fully from the user table:

aaa user delete <ip.of.client>


MVP
Posts: 1,111
Registered: ‎10-11-2011

Re: Enforce Machine Authentication

Same result.

Aruba
Posts: 1,644
Registered: ‎04-13-2009

Re: Enforce Machine Authentication

Run the following to see how the user got that role:

show user ip <ip of user>

Look for the line that says:

Role Derivation:


MVP
Posts: 1,111
Registered: ‎10-11-2011

Re: Enforce Machine Authentication

Role Derivation: default for authentication type 802.1x

Guru Elite
Posts: 21,491
Registered: ‎03-29-2007

Re: Enforce Machine Authentication

Uncheck enforce machine authentication and allow CPPM to assign the roles.  Enforce Machine authentication changes the rules...

Colin Joseph
Aruba Customer Engineering
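The precedence the two Aruba replies describe (a server-derived Aruba-User-Role returned by CPPM or NPS overrides the dot1x profile's roles, and with Enforce Machine Authentication on the profile's machine/user/default roles only apply when no role comes back), as an added Python example that is not from this thread and not ClearPass's or ArubaOS's own code. It encodes and parses the Aruba-User-Role RADIUS VSA (Aruba enterprise number 14823, sub-type 1, which is the real dictionary definition) and then models the controller-side role derivation for the two flows the original poster compared. The `Dot1xProfile` names and the `derive_role` precedence logic are a simplified assumption of the controller behaviour as the thread describes it, not a reproduction of ArubaOS code; the sample packets are constructed inline.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

ARUBA_VENDOR_ID = 14823        # IANA enterprise number for Aruba Networks
ARUBA_USER_ROLE = 1            # Aruba-User-Role VSA sub-type (string)
ATTR_VENDOR_SPECIFIC = 26      # RFC 2865 Vendor-Specific attribute type


def encode_aruba_user_role(role: str) -> bytes:
    """Build an RFC 2865 Vendor-Specific attribute carrying Aruba-User-Role."""
    value = role.encode("ascii")
    sub = struct.pack("!BB", ARUBA_USER_ROLE, 2 + len(value)) + value
    body = struct.pack("!I", ARUBA_VENDOR_ID) + sub
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_aruba_user_role(attrs: bytes) -> Optional[str]:
    """Walk a RADIUS attribute list; return the Aruba-User-Role value or None.
    Length fields are checked so a truncated or oversized attribute raises
    instead of reading past the buffer."""
    i = 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed RADIUS attribute length")
        if atype == ATTR_VENDOR_SPECIFIC and alen >= 8:
            vendor = struct.unpack("!I", attrs[i + 2:i + 6])[0]
            if vendor == ARUBA_VENDOR_ID:
                j, end = i + 6, i + alen
                while j + 2 <= end:
                    stype, slen = attrs[j], attrs[j + 1]
                    if slen < 2 or j + slen > end:
                        raise ValueError("malformed VSA sub-attribute length")
                    if stype == ARUBA_USER_ROLE:
                        return attrs[j + 2:j + slen].decode("ascii")
                    j += slen
        i += alen
    return None


@dataclass
class Dot1xProfile:
    """Hypothetical stand-in for the dot1x authentication profile fields."""
    default_role: str = "authenticated"   # default dot1x role
    machine_role: str = "machine-role"    # enforce machine auth: machine default role
    user_role: str = "user-role"          # enforce machine auth: user default role
    enforce_machine_auth: bool = True


def derive_role(profile: Dot1xProfile, server_role: Optional[str],
                machine_authenticated: bool, user_authenticated: bool) -> Tuple[str, str]:
    """Simplified model (assumption) of the precedence described in the thread.
    Returns (role, derivation text similar to the 'Role Derivation:' line)."""
    if server_role is not None:
        # A server-derived role wins regardless of the profile's own roles.
        return server_role, "server derived"
    if profile.enforce_machine_auth:
        if machine_authenticated and user_authenticated:
            return profile.default_role, "default for authentication type 802.1x"
        if machine_authenticated:
            return profile.machine_role, "machine authentication default machine role"
        if user_authenticated:
            return profile.user_role, "machine authentication default user role"
    return profile.default_role, "default for authentication type 802.1x"


def simulate_flow(profile: Dot1xProfile, machine_accept_attrs: bytes,
                  user_accept_attrs: bytes) -> Tuple[str, str]:
    """Machine auth first, then user auth on the same client; return both roles."""
    after_machine, _ = derive_role(profile, decode_aruba_user_role(machine_accept_attrs),
                                   machine_authenticated=True, user_authenticated=False)
    after_user, _ = derive_role(profile, decode_aruba_user_role(user_accept_attrs),
                                machine_authenticated=True, user_authenticated=True)
    return after_machine, after_user


# Constructed sample Access-Accept attribute lists (not captured traffic):
# NPS-style: no Aruba-User-Role returned, so the profile's roles apply.
NPS_MACHINE_ACCEPT = b""
NPS_USER_ACCEPT = b""
# CPPM-style: enforcement profiles return a role for each authentication.
CPPM_MACHINE_ACCEPT = encode_aruba_user_role("Machine role")
CPPM_USER_ACCEPT = encode_aruba_user_role("User Role")

if __name__ == "__main__":
    print("NPS flow :", simulate_flow(Dot1xProfile(), NPS_MACHINE_ACCEPT, NPS_USER_ACCEPT))
    print("CPPM flow:", simulate_flow(Dot1xProfile(), CPPM_MACHINE_ACCEPT, CPPM_USER_ACCEPT))
```

Under these assumptions the NPS-style flow ends in the default dot1x role (machine role, then authenticated), while the CPPM-style flow ends in the returned User Role, which matches the two sequences the original poster listed and the advice to stop returning Aruba-User-Role if the profile's own roles are wanted.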
