Contributor II
Posts: 45
Registered: 05-06-2013

Enforcing Machine Auth

Hi all,

I am trying to get machine auth to work in the lab with CPPM 6.3 and a 620 controller running 6.3.1.1.

I can get it to work initially, but if the station is disconnected or if I do an "aaa user delete" it fails (user) authentication on the reconnect.

I suspect it works as the initial auth was machine (on OS boot) and it changed to the user's credentials when logging on to the workstation, which is normal for Windows.

Any ideas on if it's possible to get it working without changing the default authentication mode to Computer in the 802.1X settings?

A screenshot of my enforcement policy on the service (probably not the best way to do this); the "Certificate:Issuer-DN CONTAINS ClearPass" rule is to allow EAP-TLS.

mach_enforce.JPG

Thanks

Andy

Guru Elite
Posts: 21,492
Registered: 03-29-2007

Re: Enforcing Machine Auth

What kind of encryption are you using?

What EAP Type are you using?

Exactly what are you trying to do?

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor II
Posts: 45
Registered: 05-06-2013

Re: Enforcing Machine Auth

Hi,

PEAP with MSCHAP and EAP-TLS (WPA2/AES).

Basically I want to enforce machine auth to keep non-Active Directory workstations and non-BYOD devices off the "main" SSID.

service.JPG

Guru Elite
Posts: 21,492
Registered: 03-29-2007

Re: Enforcing Machine Auth

Okay. Take a look at the resolution to the thread here: http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Enforce-Machine-Authentication/m-p/58918/highlight/true#M4585

Colin Joseph
Aruba Customer Engineering


Contributor II
Posts: 45
Registered: 05-06-2013

Re: Enforcing Machine Auth

I saw that, which is what I based my enforcement policy on, and I could log on with an Android using PEAP.

But I just tried again and I cannot log on with the Android using PEAP.

Guru Elite
Posts: 21,492
Registered: 03-29-2007

Re: Enforcing Machine Auth

If Tips:Role does not equal [Machine Authenticated], then DenyAll enforcement profile. It is that simple, if you want to deny non-machine-authenticated devices.

Machine authentication only occurs when you log out of a machine and when it boots up at the Ctrl-Alt-Delete screen. This is when you have "user or computer" in the Advanced IEEE settings on a machine. It is cached, so that status will be stored in CPPM, even if user authentication occurs later.

Colin Joseph
Aruba Customer Engineering

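To make the rule and the cached machine-auth status concrete, here is a small Python model added to this thread (it is not code from the thread, from Aruba or from ClearPass). It evaluates Andy's two rules first-match, "Certificate:Issuer-DN CONTAINS ClearPass" for EAP-TLS and "Tips:Role does not equal [Machine Authenticated] then DenyAll", and keeps a per-endpoint machine-auth flag so a later user authentication from the same endpoint still carries the role. The MAC-keyed cache, the host/ identity convention, the profile names and the constructed sample requests are assumptions of the model, not ClearPass internals.

```python
from dataclasses import dataclass, field

MACHINE_AUTHENTICATED = "[Machine Authenticated]"
DENY_ALL = "[Deny Access Profile]"    # hypothetical profile names
ALLOW = "[Allow Access Profile]"


@dataclass
class Request:
    mac: str             # client MAC; key for the cached machine-auth flag
    identity: str        # EAP identity: host/<name> = machine auth, else user auth
    issuer_dn: str = ""  # Certificate:Issuer-DN, present only for EAP-TLS


@dataclass
class MachineAuthEnforcer:
    # Endpoints that have completed machine authentication. Real CPPM keeps
    # this per endpoint with a cache lifetime; expiry or a purge is modeled
    # by clear_machine_auth(), which is what makes a user-only reconnect fail.
    cache: set = field(default_factory=set)

    def roles_for(self, req: Request) -> list:
        # Windows machine auth (boot / Ctrl-Alt-Delete screen) presents
        # host/<computer>; that is the only thing that sets the flag.
        if req.identity.startswith("host/"):
            self.cache.add(req.mac)
        return [MACHINE_AUTHENTICATED] if req.mac in self.cache else []

    def enforce(self, req: Request) -> str:
        """First-match enforcement policy as described in the thread."""
        roles = self.roles_for(req)
        # Rule 1: Certificate:Issuer-DN CONTAINS ClearPass -> allow (EAP-TLS)
        if "ClearPass" in req.issuer_dn:
            return ALLOW
        # Rule 2: Tips:Role does NOT EQUAL [Machine Authenticated] -> DenyAll
        if MACHINE_AUTHENTICATED not in roles:
            return DENY_ALL
        return ALLOW

    def clear_machine_auth(self, mac: str) -> None:
        # Models cache expiry or an endpoint purge on the CPPM side.
        self.cache.discard(mac)
```

A workstation that booted on the SSID keeps passing after the user logs on, while a device that only ever did a PEAP user authentication (the Android in the thread) never obtains the role and hits DenyAll.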

Contributor II
Posts: 45
Registered: 05-06-2013

Re: Enforcing Machine Auth

Thanks, I must have done something wrong the first time round, as it is working as expected with the policy set up as follows:

enforce.JPG
