New Contributor

MACHINE AUTHENTICATION - USER AUTHENTICATION

Good morning, I'm configuring 802.1x wireless with my Windows 7 devices that are registered in a controller domain. However, I have the following drawback.

The device connects as first authentication as [MACHINE AUTHENTICATION], and after Windows is prompted for user credentials, in ClearPass I do not see user authentication.

I made the configuration of the network card from a GPO with the following:


The ClearPass configuration is found this way.

Could you help me to know what may be happening?

Note: I have a mobility controller and this is with EAP-PEAP authentication
112233445566

Guru Elite

Re: MACHINE AUTHENTICATION - USER AUTHENTICATION

Remove Single Sign On from the supplicant configuration. Also, you need to properly configure EAP server validation or all of your users' credentials are at risk.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor

Re: MACHINE AUTHENTICATION - USER AUTHENTICATION

Hello, we have also configured without the single sign on and we are not successful either. What do you mean by EAP server validation?

Guru Elite

Re: MACHINE AUTHENTICATION - USER AUTHENTICATION

Ensure that pass through authentication is enabled.

You need to configure server certificate validation. Currently you have it disabled and are running in an incredibly insecure setup.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor

Re: MACHINE AUTHENTICATION - USER AUTHENTICATION

Ok, I'm going to make that change. A question, though: regardless of whether or not this option is enabled, should I not see user authentication in ClearPass and not just machine?

7.png

Re: MACHINE AUTHENTICATION - USER AUTHENTICATION

If you get a password prompt and don't see an entry in Access Tracker, it could be that the ClearPass service has too many filters, or you have not enabled the Windows Sign On that you probably tried to configure with the SSO settings. This is what your GPO should look like:

2017-10-06 14_06_09-192.168.32.11 - Remote Desktop Connection.png

In 2, that is the validation that Tim mentioned, make sure the red-boxed entries are all set; however, change it to the name and CA of your own RADIUS certificate. Then in the 3rd window, tick that Windows should re-use the credentials that you logged in with.

Check this video to see what happens if you don't set the certificate validation.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
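
Added example, not part of any post in this thread: a Python check of the PEAP server-validation settings the replies above ask for (validation enabled, RADIUS server name set, root CA pinned), run against constructed profile fragments. The element names follow the PEAP section of a Windows WLAN profile as exported with `netsh wlan export profile` and are an assumption to verify against your own export; `make_sample`, `audit_peap`, the server name and the thumbprint are hypothetical.

```python
import xml.etree.ElementTree as ET

# Namespaces assumed from exported Windows PEAP profiles; verify on your export.
PEAP_V1 = "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1"
PEAP_V2 = "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2"

def make_sample(perform, names, root_ca, no_prompt):
    """Build a constructed PEAP <EapType> fragment (not taken from the thread)."""
    ca = f"<TrustedRootCA>{root_ca}</TrustedRootCA>" if root_ca else ""
    return (f'<EapType xmlns="{PEAP_V1}"><ServerValidation>'
            f"<DisableUserPromptForServerValidation>{no_prompt}"
            f"</DisableUserPromptForServerValidation>"
            f"<ServerNames>{names}</ServerNames>{ca}</ServerValidation>"
            f'<PeapExtensions><PerformServerValidation xmlns="{PEAP_V2}">{perform}'
            f"</PerformServerValidation></PeapExtensions></EapType>")

def audit_peap(xml_text):
    """Return a list of findings for the server-validation settings."""
    values = {}
    for el in ET.fromstring(xml_text).iter():
        name = el.tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix
        values.setdefault(name, []).append((el.text or "").strip())
    findings = []
    if "false" in (v.lower() for v in values.get("PerformServerValidation", [])):
        findings.append("server certificate validation is disabled")
    if not any(values.get("TrustedRootCA", [])):
        findings.append("no trusted root CA is pinned")
    if not any(values.get("ServerNames", [])):
        findings.append("no RADIUS server name is required")
    prompt = values.get("DisableUserPromptForServerValidation", [])
    if "true" not in (v.lower() for v in prompt):
        findings.append("users can be prompted to trust an unknown server")
    return findings

# Constructed inputs: the weak profile mirrors "validation disabled".
WEAK = make_sample("false", "", "", "false")
# Placeholder name and thumbprint; use your own RADIUS certificate's values.
HARDENED = make_sample("true", "radius.example.com", "00 " * 19 + "00", "true")

if __name__ == "__main__":
    for label, profile in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_peap(profile) or "ok")
```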