Occasional Contributor II
Posts: 17
Registered: ‎10-08-2014

Machine Authentication

Hi Everyone..

 

I am trying to be able to have a domain-based laptop authenticate a user that has never logged into the laptop before.  The Windows laptop is in the domain and I have checked the box to enforce machine authentication, but in the logs on the controller I am seeing the MAC address of the machine trying to log into the controller locally.

 

If I test with an account that has logged into the laptop prior, I am able to associate to the SSID without issue using RADIUS.  I am not having a problem with that.

 

I need to be able to get the machine (the laptop) to associate to the SSID prior to any user logon so that I can then get the user that has never logged in prior to authenticate properly!  I have played with the profiles, but either I am missing something or need to change the profile, because I can't seem to find the way to "tell" the incoming machine association to use RADIUS.

 

What have I missed?

Guru Elite
Posts: 8,792
Registered: ‎09-08-2010

Re: Machine Authentication

Do you have a policy on your RADIUS server allowing Domain Computers to authenticate?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 17
Registered: ‎10-08-2014

Re: Machine Authentication

I have the default RADIUS piece, but have read what you are talking about.  So, in other words, if I am reading into what you are saying: if I don't have the policy set up on the NPS server, will it default to local on the controller?  I guess where I am going with this is, shouldn't I see the machine failing against RADIUS first, on NPS and on the controller?

 

The only error I am seeing is on the controller, where it is basically saying <ERRS> |localdb|  User a0:88:xx:xx:xx:48 Failed Authentication.

 

I will go to NPS now and add the policy..

Guru Elite
Posts: 8,792
Registered: ‎09-08-2010

Re: Machine Authentication

Sounds like you have the Internaldb set as your server-group.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 17
Registered: ‎10-08-2014

Re: Machine Authentication

Well, maybe I am looking at the wrong spot in the GUI, but the profile (which includes the user authentication) has the policy to go to RADIUS.  In the profiles, to use a machine, where and which attribute needs to be changed?

 

Basically, I have a profile built that is using RADIUS for the user, and I have checked the box to enforce machine authentication.  Is this not all of it?

Guru Elite
Posts: 8,792
Registered: ‎09-08-2010

Re: Machine Authentication

Can you post your AAA profile?

 

Also, here's an explanation of how the local-userdb is involved in machine authentication.

 

http://community.arubanetworks.com/t5/Controller-Based-WLANs/How-does-machine-authentication-work-on-the-Aruba-controller/ta-p/183440

 


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 17
Registered: ‎10-08-2014

Re: Machine Authentication

Here is the profile I have (again, the user side is working great), but that user has had to have logged in wired first...

 

aaa profile "hir-adauth-profile"
   mac-default-role "authenticated"
   mac-server-group "hir-adauth-802.1x-server-group"
   authentication-dot1x "hir-adauth-802.1x-profile"
   dot1x-default-role "authenticated"
   dot1x-server-group "hir-adauth-802.1x-server-group"

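As an added example (not code from the thread, from Aruba, or from the poster), here is a small Python lint that parses an ArubaOS-style aaa profile like the one above together with the dot1x profile it references, and checks the points this thread turns on: that the mac and dot1x server groups do not point at the controller's internal database, that machine authentication is enabled in the dot1x profile, and (a check I add) that the machine-only and user-only fallback roles are not the same role a fully authenticated machine+user pair receives, since otherwise "enforce machine authentication" changes nothing. The aaa profile text in `BEFORE` is the one posted above; the dot1x profile contents, the role names `computer-only` and `guest`, the 24-hour cache timeout and the `machine-authentication ...` keyword spellings are my assumptions about ArubaOS 6.x running-config syntax, not something the thread shows, so verify them against your controller's CLI reference. The lint cannot see the NPS side (the Domain Computers policy that the thread ends up needing); it only tells you whether the controller half is wired to send machine authentication to RADIUS at all.

```python
import re
from typing import Dict, List, Optional

# Both configs use ArubaOS 6.x "show running-config" syntax as I remember it
# (an assumption: check keyword names against your controller's CLI reference).
# BEFORE holds the aaa profile posted in the thread plus a constructed dot1x
# profile without machine authentication; AFTER is the constructed corrected version.
BEFORE = """\
aaa authentication dot1x "hir-adauth-802.1x-profile"
   termination enable
   termination eap-type eap-peap
   termination inner-eap-type eap-mschapv2

aaa profile "hir-adauth-profile"
   mac-default-role "authenticated"
   mac-server-group "hir-adauth-802.1x-server-group"
   authentication-dot1x "hir-adauth-802.1x-profile"
   dot1x-default-role "authenticated"
   dot1x-server-group "hir-adauth-802.1x-server-group"
"""

AFTER = """\
aaa authentication dot1x "hir-adauth-802.1x-profile"
   termination enable
   termination eap-type eap-peap
   termination inner-eap-type eap-mschapv2
   machine-authentication enable
   machine-authentication machine-default-role "computer-only"
   machine-authentication user-default-role "guest"
   machine-authentication cache-timeout 24

aaa profile "hir-adauth-profile"
   mac-default-role "authenticated"
   mac-server-group "hir-adauth-802.1x-server-group"
   authentication-dot1x "hir-adauth-802.1x-profile"
   dot1x-default-role "authenticated"
   dot1x-server-group "hir-adauth-802.1x-server-group"
"""

# Only the two block types the lint needs.
BLOCK_RE = re.compile(r'^(aaa profile|aaa authentication dot1x) "([^"]+)"$')


def parse(config: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {block type: {block name: [attribute lines]}}.

    A block starts at an unindented header and ends at the next blank line;
    indented lines in between are its attributes.
    """
    blocks: Dict[str, Dict[str, List[str]]] = {
        "aaa profile": {},
        "aaa authentication dot1x": {},
    }
    current: Optional[List[str]] = None
    for raw in config.splitlines():
        header = BLOCK_RE.match(raw.strip())
        if header:
            current = blocks[header.group(1)].setdefault(header.group(2), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        elif not raw.strip():
            current = None
    return blocks


def value_of(attrs: List[str], key: str) -> Optional[str]:
    """Unquoted value of the attribute line that begins with `key`, or None."""
    for attr in attrs:
        if attr.startswith(key + " "):
            return attr[len(key) + 1:].strip().strip('"')
    return None


def lint_aaa_profile(config: str, profile_name: str) -> List[str]:
    """Findings for the checks raised in the thread, plus one role-split check."""
    blocks = parse(config)
    prof = blocks["aaa profile"].get(profile_name)
    if prof is None:
        return [f"aaa profile {profile_name!r} not found"]
    findings: List[str] = []

    # Tim's first guess: a server group of "internal" means the controller's
    # local db, not the RADIUS server, answers the request.
    for key in ("mac-server-group", "dot1x-server-group"):
        group = value_of(prof, key)
        if group is None or group.lower() == "internal":
            findings.append(f"{key} is {group or 'unset'}: requests never reach RADIUS")

    dot1x = blocks["aaa authentication dot1x"].get(value_of(prof, "authentication-dot1x") or "")
    if dot1x is None:
        findings.append("authentication-dot1x does not name a dot1x profile in this config")
        return findings

    # The "enforce machine authentication" checkbox in the GUI.
    if "machine-authentication enable" not in dot1x:
        findings.append("machine authentication not enabled in the dot1x profile")
        return findings

    # Enforcement only bites if the fallback roles are more restrictive than
    # the role a fully authenticated machine+user pair receives.
    full_role = value_of(prof, "dot1x-default-role")
    for key in ("machine-authentication machine-default-role",
                "machine-authentication user-default-role"):
        if value_of(dot1x, key) == full_role:
            findings.append(f"{key} equals dot1x-default-role {full_role!r}: machine auth is not enforced")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, lint_aaa_profile(cfg, "hir-adauth-profile") or ["ok"])
```

Run it as a script and it prints the findings for both configs; point `lint_aaa_profile` at the output of `show running-config` from your own controller to check a real profile.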
Guru Elite
Posts: 8,792
Registered: ‎09-08-2010

Re: Machine Authentication

OK. Once you allow "Domain Computers" on your RADIUS server, this should start working correctly.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 17
Registered: ‎10-08-2014

Re: Machine Authentication

OK, so I got an error at least on the RADIUS server; now I have to dig to understand why.  The PC I am using is in the domain, but the error I am seeing is:

 

Authentication was not successful because an unknown user name or incorrect password was used.  

MVP
Posts: 4,309
Registered: ‎07-20-2011

Re: Machine Authentication

Do you have termination done at the controller or at your RADIUS server?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA