05-03-2016 04:46 AM
I'm trying to fit Macs to our wireless network (once again). I have joined my MacBook (OS X 10.11) to AD with Centrify DirectControl. I have successfully distributed machine certificates to Macs and created a GPO to enforce machine authentication (with Centrify). This was pretty straightforward.
Problem is that my MacBook authenticates to the network as 8021x-User even with the machine certificate. I'm not sure whether this is a problem in Centrify DC or Aruba. Is there a way to tell the controller that this is actually a machine, not a user? A RADIUS attribute maybe? How does the controller even know which authentication comes from a machine and which from a user?
8021x-Machine authentication works with windows machines.
Anyone else having the same problems?
I'm running AOS 18.104.22.168. The RADIUS server is Windows Server 2008 R2 NPS.
Thanks in advance for any help.
05-03-2016 04:49 AM
Windows machines use the username host/<username> to authenticate as a machine. The controller only marks devices whose usernames begin with host/ as a machine.
All devices that passed machine authentication are in the local user database of the controller. You can add an entry in the user database for the MAC address of the Mac as a workaround. Make sure it is in the same format.
Aruba Customer Engineering
Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
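To make the rule above concrete when troubleshooting, here is a small added example (not code from the thread, Aruba or Centrify) that applies the stated test, username begins with host/, to a handful of constructed RADIUS authentication records and reports which client MACs only ever authenticated as a user. The key=value log format is an assumption made for the example; real NPS or controller exports look different and would need their own parser.

```python
import re
from collections import defaultdict

# Constructed sample records (not real data): one line per RADIUS authentication.
# The format is invented for this example; adapt LINE_RE to your own export.
SAMPLE_LOG = """\
ts=2016-05-03T04:40:01 user=host/WIN-LAPTOP01.corp.example mac=00:11:22:33:44:55 result=accept
ts=2016-05-03T04:40:09 user=CORP\\jdoe mac=00:11:22:33:44:55 result=accept
ts=2016-05-03T04:41:12 user=CORP\\asmith mac=aa:bb:cc:dd:ee:ff result=accept
ts=2016-05-03T04:41:40 user=host/MACBOOK01.corp.example mac=aa:bb:cc:dd:ee:ff result=reject
"""

LINE_RE = re.compile(
    r"ts=(?P<ts>\S+)\s+user=(?P<user>\S+)\s+mac=(?P<mac>\S+)\s+result=(?P<result>\S+)"
)


def is_machine_identity(user: str) -> bool:
    """The controller's rule as described in the thread: a username that starts
    with host/ is treated as a machine; anything else is a user."""
    return user.lower().startswith("host/")


def parse_log(text: str):
    """Yield one dict per well-formed record; silently skip lines that don't match."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def summarize(text: str) -> dict:
    """Per client MAC: whether a successful machine authentication was seen,
    and which user identities authenticated from that MAC."""
    summary = defaultdict(lambda: {"machine_auth": False, "user_auths": []})
    for rec in parse_log(text):
        mac = rec["mac"].lower()
        if is_machine_identity(rec["user"]):
            # Only an Access-Accept counts as having passed machine authentication.
            if rec["result"] == "accept":
                summary[mac]["machine_auth"] = True
        else:
            summary[mac]["user_auths"].append(rec["user"])
    return dict(summary)


def user_only_clients(text: str) -> list:
    """MACs that authenticated a user but never passed machine authentication,
    i.e. the devices that would land in an 8021x-User role instead of 8021x-Machine."""
    return sorted(
        mac for mac, s in summarize(text).items()
        if s["user_auths"] and not s["machine_auth"]
    )


if __name__ == "__main__":
    for mac in user_only_clients(SAMPLE_LOG):
        print("no machine auth seen for", mac)
```

In the sample data the Windows laptop passes machine authentication first and then a user logs on, while the MacBook's host/ attempt is rejected, so only the MacBook's MAC is reported.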
05-03-2016 04:58 AM
Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
05-03-2016 05:04 AM
Thanks for the fast reply.
This could work as a workaround but does not solve my problem. How can I add this client to the internal database?
Where is this host/ username coming from? Does the controller read it from the client certificate?
05-04-2016 02:34 AM
Actually I got this working... kind of. I used the service principal name for the alt name generation. In AD I made sure only the host/hostname record is in the service principal attribute by deleting the rest. I don't know if this will cause other problems. However, now I have a different problem. This one is a Centrify one. It's been discussed on the Centrify community here: http://community.centrify.com/t5/Centrify-Server-S
This has been bugging me for a long time. Now I'm almost there.