Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Mac eap-tls machines authenticating as 8021x-User

  • 1.  Mac eap-tls machines authenticating as 8021x-User

    Posted May 03, 2016 07:46 AM

    I'm trying to fit Macs to our wireless network (once again). I have joined my MacBook (OS X 10.11) to AD with Centrify DirectControl. I have successfully distributed machine certificates to Macs and created a GPO to enforce machine authentication (with Centrify). This was pretty straightforward.

    Problem is that my MacBook authenticates to the network as 8021x-User even with a machine certificate. I'm not sure whether this is a problem in Centrify DC or Aruba. Is there a way to tell the controller that this is actually a machine, not a user? A RADIUS attribute maybe? How does the controller even know which authentication comes from a machine and which from a user?

    8021x-Machine authentication works with Windows machines.

    Anyone else having the same problems?

    I'm running AOS 6.4.2.0. The RADIUS server is Windows Server 2008 R2 NPS.

    Thanks in advance for any help.

    --Mikko--



  • 2.  RE: Mac eap-tls machines authenticating as 8021x-User

    EMPLOYEE
    Posted May 03, 2016 07:50 AM

    Windows machines use the username host/<username> to authenticate as a machine. The controller only marks devices whose usernames begin with host/ as a machine.

    All devices that passed machine authentication are in the local user database of the controller. You can add an entry in the user database for the MAC address of the Mac as a workaround. Make sure it is in the same format.



  • 3.  RE: Mac eap-tls machines authenticating as 8021x-User

    Posted May 03, 2016 08:05 AM

    Thanks for the fast reply.

    This could work as a workaround but does not solve my problem. How can I add this client to the internal database?

    Where is this host/ username coming from? Does the controller read it from the client certificate?



  • 4.  RE: Mac eap-tls machines authenticating as 8021x-User

    Posted May 04, 2016 05:35 AM

    Actually I got this working... kind of. I used the Service Principal Name for the alt name generation. In AD I made sure only the host/hostname record is in the service principal attribute by deleting the rest. I don't know if this will cause other problems. However, now I have a different problem. This one is a Centrify one. It's been discussed on the Centrify community here: http://community.centrify.com/t5/Centrify-Server-Suite/WiFi-Machine-authentication-on-OSX-El-Capitan/m-p/23379#M759

    This has been bugging me for a long time. Now I'm almost there.
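    The classification rule from reply 2 (the controller treats a username as a machine only when it begins with host/) and the SPN-based alt-name fix from reply 4, modelled in a small script. This is an added example, not code from the thread or from HPE Aruba; the hostnames, SAN values and SPN lists are constructed, and the case-insensitive prefix match and "first SAN value becomes the identity" behaviour are assumptions, since the thread does not state them.

```python
# Added example (not from the thread or from HPE Aruba): a model of the rule
# "the controller only marks devices whose usernames begin with host/ as a
# machine", and of why deriving the EAP identity from the AD computer object's
# servicePrincipalName makes a Mac land in 8021x-Machine instead of 8021x-User.
# Hostnames, SAN values and SPN lists are constructed. Whether the real
# controller's prefix match is case-sensitive is not stated in the thread, so
# this model compares case-insensitively (assumption).
from collections import defaultdict

MACHINE_PREFIX = "host/"


def controller_role(identity):
    """Role the controller derives from the 802.1X username alone."""
    if identity.lower().startswith(MACHINE_PREFIX):
        return "8021x-Machine"
    return "8021x-User"


def eap_identity(san, source):
    """Identity an EAP-TLS client presents, taken from the SAN field the
    certificate template copied in. `san` maps SAN type -> list of values."""
    values = san.get(source, [])
    if not values:
        raise ValueError(f"certificate has no {source} SAN to use as identity")
    return values[0]  # assumption: the first value becomes the identity


def machine_spns(spns):
    """Keep only host/<name> SPNs: the subset the poster left on the AD
    computer object so the SPN-derived alt name starts with host/."""
    return [s for s in spns if s.lower().startswith(MACHINE_PREFIX)]


def audit_roles(identities):
    """Group usernames (e.g. exported from the controller's user table) by the
    role they would receive, to spot machine certs landing in 8021x-User."""
    roles = defaultdict(list)
    for ident in identities:
        roles[controller_role(ident)].append(ident)
    return dict(roles)


if __name__ == "__main__":
    # Constructed certificate for a Mac: UPN, DNS and SPN-derived SAN entries.
    mac_san = {"upn": ["mbp01$@corp.example"],
               "dns": ["mbp01.corp.example"],
               "spn": ["HOST/mbp01.corp.example"]}
    for source in ("upn", "dns", "spn"):
        ident = eap_identity(mac_san, source)
        print(f"{source:3} -> {ident:28} {controller_role(ident)}")
    print(machine_spns(["RestrictedKrbHost/mbp01", "HOST/mbp01.corp.example"]))
```

    Only the SPN-derived identity produces the 8021x-Machine role; the UPN- and DNS-derived ones are classified as users, which is the behaviour the original post describes.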



  • 5.  RE: Mac eap-tls machines authenticating as 8021x-User

    EMPLOYEE
    Posted May 03, 2016 07:58 AM
    ClearPass would allow you to write more advanced network access policies than NPS.