Security

Hi all,

I am trying to get machine auth to work in the lab with cppm 6.3 and a 620 controller running 6.3.1.1

I can get it to work initially but if the station is disconnected or if I do a "aaa user delete" it fails (user) authentication on the reconnect.

I suspect it works as the initial auth was machine (on OS boot) and it changed to the users credentials when login on to the workstation. Which is the normal for Windows.

Any ideas on if its possible to get it working without changing the default authentication mode to Computer in the 802.1x settings?

A screen shot of my enforcement policy on the service (probably not the best way to do this), the “Certificate:Issuer-DN  CONTAINS  ClearPass” is to allow EAP-TLS

thanks

Andy

What kind of encryption are you using?

What EAP Type are you using?

Exactly what are you trying to do?

Hi 

P-EAP with MsChap and EAP-TLS (WPA2/AES)

Basically want to enforce machine auth to keep non Active Directory workstations and non byod devices off the "main" SSID.

Okay.  Take a look at the resolution to the thread here:  http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Enforce-Machine-Authentication/m-p/58918/highlight/true#M4585

I saw that which is what i based my enforcement policy on and i could log on with an android using P-EAP.

but I just tried and again and I can not log on with the android using P-EAP :smileyembarrassed:

If tips role does not equal [machine authenticated] then denyall enforcement profile.  It is that simple, if you want to deny non-machine authenticated devices.

Machine authentication only occurs when you log out of a machine and when it boots up at the ctrl-alt-delete screen.  This is when you have user or computer on the Advanced IEEE settings on a machine.  It is cached, so that status will be stored in CPPM, even if user authentication occurs later.

thanks, I must have done something wrong the first time round as it is working as expected with the policy setup as follows;