New Contributor
Posts: 2
Registered: 03-13-2014

Force 802.1x User Authentication (deny machine authentication) with Cisco WLCs and ClearPass

We have Cisco APs and WLCs that use CPPM for 802.1X RADIUS authentication. Depending on how the user sets up their wireless profile, the authentication can either be machine or user. We would like to set up CPPM to only allow user-based authentication. Any suggestions for how to accomplish this?

Aruba
Posts: 1,643
Registered: 04-13-2009

Re: Force 802.1x User Authentication (deny machine authentication) with Cisco WLCs and ClearPass


What is the backend? AD?

You can set up an Enforcement Policy that looks for group memberships. You can deny by default, and then allow access to those that are NOT members of "Domain Computers", a default group that all AD machines are members of.
(attached screenshot: cppm-allow-no-computers.png)
------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Aruba
Posts: 1,643
Registered: 04-13-2009

Re: Force 802.1x User Authentication (deny machine authentication) with Cisco WLCs and ClearPass

You could also do this at the service level by adding these conditions (substitute domain.com with your AD domain). This will force the request not to match a service:

(attached screenshot: cppm-allow-no-computers-svc.png)
------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Guru Elite
Posts: 8,337
Registered: 09-08-2010

Re: Force 802.1x User Authentication (deny machine authentication) with Cisco WLCs and ClearPass

Are these machines joined to your AD domain? If not, they should never pass machine authentication in the first place.

If they are, you can simply say:

Condition: TIPS:Role EQUALS [Machine Authenticated]
Enforcement profile: [Deny Access Profile]

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I
Posts: 34
Registered: 11-06-2012

Re: Force 802.1x User Authentication (deny machine authentication) with Cisco WLCs and ClearPass

I have done it this way, except I would put in:

Condition: TIPS:Role EQUALS [Machine Authenticated]
Enforcement profile: [Drop Access Profile]

The Drop Access seems to make Windows send its user creds instead of its machine creds. Also you don't run up your failed auth totals.

Really the best way to accomplish this is to push a GPO with user authentication and the certificate info.
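The replies above describe three ways of keeping machine authentication out: service conditions that a machine identity cannot match, an enforcement policy keyed on "Domain Computers" membership, and an enforcement policy keyed on the built-in [Machine Authenticated] role (with Deny or Drop). As an added example, not code from the thread and not ClearPass's own logic, the Python below models those three checks and runs them against constructed requests. The identity forms it recognises are what a domain-joined Windows supplicant actually sends (host/<fqdn> as the EAP outer identity, DOMAIN\COMPUTER$ as the MS-CHAPv2 inner identity); the domain name, group names and sample records are assumptions.

```python
from dataclasses import dataclass

DOMAIN = "domain.com"                     # assumption: substitute your AD domain
MACHINE_ROLE = "[Machine Authenticated]"  # built-in CPPM role named in the replies
USER_ROLE = "[User Authenticated]"
ALLOW = "[Allow Access Profile]"
DENY = "[Deny Access Profile]"
DROP = "[Drop Access Profile]"


@dataclass(frozen=True)
class Request:
    """What CPPM sees for one 802.1X attempt (a constructed record, not a capture)."""
    username: str                          # Radius:IETF:User-Name / outer EAP identity
    ad_groups: frozenset = frozenset()     # Authorization:AD:memberOf, short group names
    tips_roles: frozenset = frozenset()    # TIPS:Role after role mapping


def is_machine_identity(username: str) -> bool:
    """Identity-based test behind the service-level approach.

    A domain-joined Windows supplicant doing machine auth presents host/<fqdn>
    (EAP-TLS / PEAP outer identity) or DOMAIN\\COMPUTER$ (MS-CHAPv2 inner
    identity). A user logon presents DOMAIN\\user or user@domain instead.
    """
    u = username.strip().lower()
    if u.startswith("host/"):
        return True
    if "\\" in u:                 # DOMAIN\name -> name
        u = u.split("\\", 1)[1]
    if "@" in u:                  # name@realm -> name
        u = u.split("@", 1)[0]
    return u.endswith("$")        # sAMAccountName of a computer object


def service_level(req: Request) -> str:
    """Second Aruba reply: service conditions that a machine identity cannot
    match, so CPPM rejects the request for lack of a matching service before
    any authentication or authorization runs."""
    return "NO_MATCHING_SERVICE" if is_machine_identity(req.username) else "SERVICE_MATCHED"


def enforcement_by_group(req: Request) -> str:
    """First Aruba reply: deny by default, allow only accounts that are NOT
    members of Domain Computers (needs an AD authorization source)."""
    return DENY if "Domain Computers" in req.ad_groups else ALLOW


def enforcement_by_role(req: Request, drop: bool = False) -> str:
    """Third and fourth replies: TIPS:Role EQUALS [Machine Authenticated]
    mapped to the Deny (or Drop) Access Profile."""
    if MACHINE_ROLE in req.tips_roles:
        return DROP if drop else DENY
    return ALLOW


def evaluate(req: Request) -> dict:
    """Run the three variants on one request so they can be compared."""
    return {
        "service": service_level(req),
        "by_group": enforcement_by_group(req),
        "by_role_deny": enforcement_by_role(req),
        "by_role_drop": enforcement_by_role(req, drop=True),
    }


# Constructed samples: two user logons and a machine auth in each identity form.
SAMPLES = {
    "user_sam": Request("DOMAIN\\jsmith", frozenset({"Domain Users"}), frozenset({USER_ROLE})),
    "user_upn": Request("jsmith@" + DOMAIN, frozenset({"Domain Users"}), frozenset({USER_ROLE})),
    "machine_host": Request("host/laptop01." + DOMAIN, frozenset({"Domain Computers"}),
                            frozenset({MACHINE_ROLE})),
    "machine_sam": Request("DOMAIN\\LAPTOP01$", frozenset({"Domain Computers"}),
                           frozenset({MACHINE_ROLE})),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:13s} {req.username:26s} {evaluate(req)}")
```

Whichever variant is chosen, the operational side effect is the same: a Windows supplicant in its default machineOrUser mode performs machine authentication before anyone logs on, so refusing it leaves the laptop without wireless at the logon screen (no startup GPO processing, and a user with no cached domain credentials cannot log on over Wi-Fi). That is why the last reply's suggestion of pushing a profile with user-only authentication via GPO is the cleaner fix: the client stops attempting machine authentication instead of the RADIUS server rejecting or silently dropping it.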