Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Force 802.1x User Authentication (deny machine authentication) with Cisco WLCs and ClearPass

  • 1.  Force 802.1x User Authentication (deny machine authentication) with Cisco WLCs and ClearPass

    Posted Jul 07, 2014 01:34 PM

    We have Cisco APs and WLCs that use CPPM for 802.1x Radius Authentication. Depending on how the user sets up their wireless profile, the authentication can either be machine or user. We would like to set up CPPM to only allow user-based authentication. Any suggestions for how to accomplish this? 



  • 2.  RE: Force 802.1x User Authentication (deny machine authentication) with Cisco WLCs and ClearPass

    Posted Jul 07, 2014 01:44 PM

    What is the backend?  AD? 

     

    You can set up an Enforcement Policy that looks for group memberships. You can deny by default, and then allow access to those that are NOT members of "Domain Computers", a default group that all AD machines are members of.

     

     

     [image: cppm-allow-no-computers.png]

     

     



  • 3.  RE: Force 802.1x User Authentication (deny machine authentication) with Cisco WLCs and ClearPass

    Posted Jul 07, 2014 01:53 PM

    You could also do this at the service level by adding these conditions (substitute domain.com with your AD domain). This will force the request not to match a service:

     

    [image: cppm-allow-no-computers-svc.png]

     

     



  • 4.  RE: Force 802.1x User Authentication (deny machine authentication) with Cisco WLCs and ClearPass

    EMPLOYEE
    Posted Jul 07, 2014 01:59 PM

    Are these machines joined to your AD domain? If not, they should never pass machine authentication in the first place.

     

    If they are, you can simply say:

     

    TIPS:Role     EQUALS      [Machine Authenticated]            [Deny Access Profile]



  • 5.  RE: Force 802.1x User Authentication (deny machine authentication) with Cisco WLCs and ClearPass

    Posted Jul 07, 2014 03:41 PM

    I have done this as well, except I would put in:

     

    TIPS:Role     EQUALS      [Machine Authenticated]            [Drop Access Profile]

     

    The Drop Access seems to make Windows send its user creds instead of its machine creds. Also you don't run up your failed auth totals.

     

    Really the best way to accomplish this is to push a GPO with user authentication and the certificate info.
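    To make the first-match and default-profile semantics of replies 2, 4 and 5 concrete, here is an added Python model of the enforcement-policy evaluation (example code, not ClearPass's own code or API). It evaluates both the "Domain Computers" rule and the TIPS:Role rule over constructed requests; the host/ identity prefix standing in for TIPS:Role, and the profile names, are assumptions of the model.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional, Tuple

# Constructed model of ClearPass enforcement-policy evaluation (not
# ClearPass's own code or API): rules are tried in order, the first
# matching rule's profile wins, and the policy default applies otherwise.
DENY = "[Deny Access Profile]"    # answers with RADIUS Access-Reject
DROP = "[Drop Access Profile]"    # sends no RADIUS response at all
ALLOW = "[Allow Access Profile]"


@dataclass(frozen=True)
class Request:
    username: str
    ad_groups: FrozenSet[str] = frozenset()


def tips_role(req: Request) -> str:
    # Assumption of this model: a Windows machine-auth identity is host/<fqdn>;
    # real ClearPass assigns [Machine Authenticated] from its own service logic.
    if req.username.lower().startswith("host/"):
        return "[Machine Authenticated]"
    return "[User Authenticated]"


def evaluate(rules: List[Tuple[Callable[[Request], bool], str]],
             default: str, req: Request) -> str:
    for condition, profile in rules:
        if condition(req):
            return profile
    return default


# Reply 2: deny by default, allow only non-members of "Domain Computers".
GROUP_POLICY = [(lambda r: "Domain Computers" not in r.ad_groups, ALLOW)]


# Replies 4 and 5: TIPS:Role EQUALS [Machine Authenticated] -> Deny or Drop.
def role_policy(profile: str):
    return [(lambda r: tips_role(r) == "[Machine Authenticated]", profile)]


def radius_reply(profile: str) -> Optional[str]:
    # What the WLC sees: Drop returns nothing, which is what lets the
    # Windows supplicant fall back to user credentials (reply 5).
    return {ALLOW: "Access-Accept", DENY: "Access-Reject", DROP: None}[profile]


# Constructed sample requests: one machine auth, one user auth.
MACHINE = Request("host/LAPTOP01.domain.com", frozenset({"Domain Computers"}))
USER = Request("jdoe@domain.com", frozenset({"Domain Users", "Wireless-Users"}))

if __name__ == "__main__":
    for req in (MACHINE, USER):
        print(req.username, evaluate(GROUP_POLICY, DENY, req),
              radius_reply(evaluate(role_policy(DROP), ALLOW, req)))
```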

     

     



  • 6.  RE: Force 802.1x User Authentication (deny machine authentication) with Cisco WLCs and ClearPass

    Posted Jan 30, 2020 04:07 PM

    I ran into this too. I found it was doing machine auth by accident. This is a security device, so "machine auth is on by default" shouldn't be a thing at all. The job of ClearPass should be to say NO unless the admin specified a rule that says YES.

     

    We have a GPO and all that for our wifi. However, I noticed it when I manually configured a test laptop that doesn't have the GPO applied, and it authenticated without putting in creds and it didn't have the "use windows creds" box checked.

     

    It's fixed and works but I couldn't disagree with Aruba's approach more.