Security

Occasional Contributor II
Posts: 14
Registered: ‎12-12-2012

Mac eap-tls machines authenticating as 8021x-User

I'm trying to fit Macs to our wireless network (once again). I have joined my MacBook (OS X 10.11) to AD with Centrify DirectControl. I have successfully distributed machine certificates to the Macs and created a GPO to enforce machine authentication (with Centrify). This was pretty straightforward.

The problem is that my MacBook authenticates to the network as 8021x-User even with the machine certificate. I'm not sure whether this is a problem in Centrify DC or Aruba. Is there a way to tell the controller that this is actually a machine, not a user? A RADIUS attribute maybe? How does the controller even know which authentication comes from a machine and which from a user?

8021x-Machine authentication works with Windows machines.

Anyone else having the same problems?

I'm running AOS 6.4.2.0. The RADIUS server is Windows Server 2008 R2 NPS.

Thanks in advance for any help.

 

--Mikko--

Guru Elite
Posts: 20,772
Registered: ‎03-29-2007

Re: Mac eap-tls machines authenticating as 8021x-User

Windows machines use the username host/<username> to authenticate as a machine. The controller only marks devices whose usernames begin with host/ as a machine.

All devices that passed machine authentication are in the local user database of the controller. You can add an entry in the user database for the MAC address of the Mac as a workaround. Make sure it is in the same format.



Colin Joseph
Aruba Customer Engineering

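To make the host/ rule above concrete from the monitoring side, here is an added example (not code from this thread, Aruba or Centrify) that scans constructed RADIUS accept records and flags EAP-TLS authentications from AD computer accounts whose User-Name lacks the host/ prefix, i.e. machines the controller would place in the 8021x-User role. The key=value record layout and the Cert-CN field are assumptions for illustration.

```python
import re
from typing import List, Tuple

# Constructed sample records in a hypothetical key=value layout (not real
# NPS or ArubaOS output): a Windows machine, a Mac presenting a
# computer-account UPN, and an ordinary user.
SAMPLE_LOG = """\
User-Name=host/WIN-LAPTOP01.corp.example Auth-Type=EAP-TLS Cert-CN=WIN-LAPTOP01.corp.example
User-Name=MACBOOK01$@corp.example Auth-Type=EAP-TLS Cert-CN=MACBOOK01.corp.example
User-Name=mikko@corp.example Auth-Type=EAP-TLS Cert-CN=mikko
"""

RECORD_RE = re.compile(r"User-Name=(\S+) Auth-Type=(\S+) Cert-CN=(\S+)")


def parse_records(text: str) -> List[Tuple[str, str, str]]:
    """Return (user_name, auth_type, cert_cn) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            records.append(m.groups())
    return records


def controller_role(user_name: str) -> str:
    """Mirror the controller rule from the thread: only a User-Name that
    begins with host/ is treated as a machine."""
    return "8021x-Machine" if user_name.startswith("host/") else "8021x-User"


def is_computer_account(user_name: str) -> bool:
    """AD computer accounts carry a trailing $ on the account name,
    e.g. MACBOOK01$ or MACBOOK01$@realm."""
    account = user_name.split("@", 1)[0]
    return account.endswith("$")


def find_misclassified(text: str) -> List[Tuple[str, str]]:
    """(observed User-Name, expected host/ form) for EAP-TLS records from a
    computer account that would nevertheless land in the 8021x-User role."""
    hits = []
    for user_name, auth_type, cert_cn in parse_records(text):
        if auth_type != "EAP-TLS":
            continue
        if controller_role(user_name) == "8021x-User" and is_computer_account(user_name):
            hits.append((user_name, "host/" + cert_cn))
    return hits
```

Running `find_misclassified(SAMPLE_LOG)` reports only the Mac record, together with the host/ form of its certificate CN that the controller would accept as a machine identity.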

Guru Elite
Posts: 8,322
Registered: ‎09-08-2010

Re: Mac eap-tls machines authenticating as 8021x-User

ClearPass would allow you to write more advanced network access policies than NPS.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 14
Registered: ‎12-12-2012

Re: Mac eap-tls machines authenticating as 8021x-User

Thanks for the fast reply.

This could work as a workaround but does not solve my problem. How can I add this client to the internal database?

Where is this host/ username coming from? Does the controller read it from the client certificate?

Occasional Contributor II
Posts: 14
Registered: ‎12-12-2012

Re: Mac eap-tls machines authenticating as 8021x-User

Actually I got this working... kind of. I used the Service Principal Name for the alt name generation. In AD I made sure only the host/hostname record is in the servicePrincipalName attribute by deleting the rest. I don't know if this will cause other problems. However, now I have a different problem. This one is a Centrify one. It's been discussed on the Centrify community here: http://community.centrify.com/t5/Centrify-Server-Suite/WiFi-Machine-authentication-on-OSX-El-Capitan/m-p/23379#M759

This has been bugging me for a long time. Now I'm almost there.
