New Contributor

LAN to WLAN user+machine auth without user logoff+logon

Dear Community,

I'd like your help with a question.

Scenario:

ClearPass(CPPM only)+S1500+IAP205

When the user is on LAN, user+machine auth works. The problem is that when the user pulls out the cable and connects to the wifi, no machine is made, unless the user logs off and in again.

The BIOS is set not to allow both LAN and WLAN at the same time.

 

Target:

User+machine auth when changing from LAN to WLAN, WITHOUT user interaction.

 

Is this possible?

 

Thank you all.

Guru Elite

Re: LAN to WLAN user+machine auth without user logoff+logon

WLAN and wired have different MAC addresses, which is why you have the problem. There is no way to tie both together, so the machine authentication of each medium would have to be done individually, which is cumbersome. If you configured machine-only authentication for those devices, you would sidestep that issue, because the devices would do machine authentication every time. The user would still need valid credentials to get into the machine, but the user would not be authenticating to the wireless; an authorized machine would be...



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Re: LAN to WLAN user+machine auth without user logoff+logon

EDIT: already answered

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
New Contributor

Re: LAN to WLAN user+machine auth without user logoff+logon

Hi,

 

is this the same if we use EAP-TLS, so certificates?

 

Thank you.

Guru Elite

Re: LAN to WLAN user+machine auth without user logoff+logon


balazsracz@biztributor wrote:

Hi,

 

is this the same if we use EAP-TLS, so certificates?

 

Thank you.


You can use machine-only (Computer Only) authentication with either PEAP (username and password) or EAP-TLS (certificates). In the PEAP scenario, the machine uses its hostname as a username and its SID (security identifier) as a password. On Windows you can configure machine-only authentication under Advanced Settings and IEEE or using group policy. You would then have the option to use PEAP or EAP-TLS (Certificate or SmartCard).



Colin Joseph
Aruba Customer Engineering

Guru Elite

Re: LAN to WLAN user+machine auth without user logoff+logon

Your only other option (although not as secure) is to import all of the MAC addresses of your devices and flag them with a custom attribute that can be used during a policy decision.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480