Occasional Contributor II
Posts: 17
Registered: ‎01-17-2013

Machine Authentication

I'm looking for some help on setting up machine authentication.

We are upgrading our wireless network. Our current setup does not enforce machine authentication. We would like to enable this on our new setup. In testing, we can get machine authentication to work with the following steps:

1. User logs on to Windows at ctrl-alt-del screen
2. Computer is authenticated
3. User connects to wireless ssid
4. User can browse network resources

With these steps, the computer must already be connected to the wireless network prior to step 1, otherwise machine authentication does not kick in and when the user connects to the wireless network, they are placed in the auth role and cannot access network resources. Is this the way machine authentication should work?

The issue we have is that users will frequently have the wireless adapter disabled, especially if they are in an office and use a wired connection instead of the wireless. They will then go to another office or into a meeting room and use the wireless network. They will then log on to Windows with cached credentials and then connect to the wireless network. As we do not have machine authentication, this works.

How would we achieve machine authentication in this scenario? Is it possible? Is there another method to prevent non-domain computers from connecting to our wireless network?

Guru Elite
Posts: 20,981
Registered: ‎03-29-2007

Re: Machine Authentication

What are you using to enforce the machine authentication?


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Aruba Employee
Posts: 148
Registered: ‎11-25-2009

Re: Machine Authentication

The machine auth kicks in only when there is a logout/login or restart.

In the normal scenario, if the client boots up and does the machine auth, the controller will cache the machine info for 24 hrs, so whenever it does a user w/l reauth, or sleeps or hibernates, the cache info will kick in and authenticate the user.

When they just enable the w/l NIC, the machine auth will not be initiated by the clients, so clients will only pass the user auth and fall into the "machine auth user role", not the dot1x default role.

Vinod Kumaar AVM ACMX, ACDX
Principal Network Engineer
Customer Advocacy | Aruba Networks Inc.

Did something you read in the Community solve a problem for you? If so, click "Accept as Solution" in the bottom right hand corner of the post.
Occasional Contributor II
Posts: 17
Registered: ‎01-17-2013

Re: Machine Authentication

We are using IAS for our authentication. It checks the computer is a member of the "Domain Computers" group.

Frequent Contributor II
Posts: 113
Registered: ‎11-27-2012

Re: Machine Authentication

One way you should be able to prevent non-domain computers from connecting to your wireless network is by using certificates for 802.1x authentication.

To do this you would need a Certificate Authority server if you don't already have one (the MS Server OS can do this, for example).

Then you need to distribute the certificates to every domain computer by using GPO or something else.

In the Aruba controller you would then set up your AAA profile for the SSID to use EAP-TLS for authentication.

-----------------------------------
-ACMX #352-
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
Occasional Contributor II
Posts: 17
Registered: ‎01-17-2013

Re: Machine Authentication

Yes, using certificates is what we were thinking and that would be one way to prevent other devices from connecting. Happy with that.

However, it does not solve the problem of connecting and authenticating to the wireless network after logging on to Windows. Is this even possible?

Guru Elite
Posts: 20,981
Registered: ‎03-29-2007

Re: Machine Authentication

roysm,

IAS cannot use both the Machine and User Authenticated status of a device to determine access. It sees the user and the machine authentication as two separate, distinct authentications and does not allow you to know or permit access based on both.

If you have to use IAS, the best thing you can do is use "Enforce Machine Authentication" in ArubaOS. It will allow you selective control based on (1) a user passing authentication, (2) a machine passing authentication, or (3) both user and machine passing authentication.

Here is a KB article on how Machine Authentication works in principle: https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/R-801

The Enforce Machine Authentication option is in the Advanced tab of the 802.1x profile of your SSID. Please search the ArubaOS user guide for "enforce" for the full explanation on how to use this.

Colin Joseph
Aruba Customer Engineering


Contributor I
Posts: 34
Registered: ‎07-07-2011

Re: Machine Authentication

I'd like to hang in on this topic:

Our customer is using MS RADIUS (NAP Server 2008) for AAA. They require authentication of domain machines (= machine authentication) as well as non-domain machines (i.e. mobile devices, Linux desktops, etc.). Non-domain devices have been registered in their AD with the MAC address as username and password (= normal user accounts with dial-in allow rights).

Now, on connecting to the Aruba WLAN the following should be processed:

  • Domain user credentials correct and domain machine correct = authentication is passed. Then, if the machine is part of a certain Windows group, VLAN X should be assigned; if not, VLAN Y should be applied.
  • If domain user auth fails and/or machine auth fails, access to the WLAN should be blocked (so no access with private mobile devices to wireless). However, some mobile devices should get access (after registration via their MAC address).

I have tried to configure this using "enforce machine authentication" to get the MS RADIUS to see the machine login as username/password with the MAC of the device. However, as it seems, the controller never passes the machine credentials to the RADIUS but only tries to look them up in its local database. Reading other posts here in the forums, I understand that this is the default behavior of the controller, looking for cached credentials of formerly successfully authenticated Windows domain machines.

I was hoping that maybe there is a way to get the controller to send the machine's credentials to the RADIUS instead of looking in the local DB?

Or the other way around: is there some way to configure the customer's request using the Aruba controller and MS RADIUS/NAP server?

TIA for comments/thoughts

Kind regards

Guru Elite
Posts: 20,981
Registered: ‎03-29-2007

Re: Machine Authentication

Why bother with MAC addresses? Machine authentication is the most secure authentication possible because only the domain and the machine know the credentials. Adding MAC addresses into it just complicates things.

Colin Joseph
Aruba Customer Engineering


Aruba Employee
Posts: 13
Registered: ‎12-08-2011

Re: Machine Authentication

Machine-Authentication =
  * Dot1x authentication done using machine credentials, and it is done during pre-login (e.g. the client logs off or restarts; before the client logs in to the system, machine authentication is triggered "if" configured on the client).
  * If machine auth is successful, AOS caches the credential of the machine (MAC address of the client) to local-userdb and machine-cache. The client is placed in the machine role (configured in the dot1x profile).

User-Dot1x-Authentication =
  * Dot1x authentication done when the user logs in to the system.
  * While doing user dot1x authentication, we check for the previous machine-authentication state by querying machine-cache, and local-userdb (if machine-cache is expired). If found, we treat the client as having passed machine authentication earlier and honor the role or VLAN derivation; else we place the client in the machine-auth user default role (configured in the dot1x profile).

Increasing the machine-cache timeout to a larger value prevents the domain client from doing machine auth frequently by logoff/restart every time, and prevents non-domain clients from getting into the reserved user role/VLAN.
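The cache lookup described in the post above, together with the three "Enforce Machine Authentication" outcomes Colin listed earlier in the thread (user only, machine only, both), as an added Python model. This is not Aruba's code and not something posted in this thread: the role names, the time source and the cache data structures are assumptions made for the simulation; only the 24-hour cache lifetime and the lookup order (machine-cache first, local-userdb once the cache entry has expired) come from the posts. The four scenario functions replay the situations raised in the thread, including the original poster's "adapter disabled during logon" case.

```python
# Added example: a small model of the ArubaOS "enforce machine authentication"
# decision logic as described in this thread. Not Aruba code. Role names, the
# clock and the cache layout are assumptions; the 24 h lifetime and the lookup
# order (machine-cache, then local-userdb if expired) are taken from the posts.

MACHINE_CACHE_TIMEOUT = 24 * 3600  # seconds; the thread states 24 hrs

# Assumed role names (the real ones are whatever the dot1x profile configures).
ROLE_INITIAL = "logon"                              # nothing has passed yet
ROLE_MACHINE_ONLY = "machine-role"                  # machine passed, no user login yet
ROLE_USER_ONLY = "machine-auth-user-default-role"   # user passed, machine never did
ROLE_BOTH = "employee"                              # both passed: normal role/VLAN derivation


class Controller:
    """Per-controller state: a short-lived machine-cache and a longer-lived local-userdb."""

    def __init__(self):
        self.machine_cache = {}    # MAC -> expiry time (seconds on the assumed clock)
        self.local_userdb = set()  # MACs that have ever passed machine auth

    def machine_auth(self, mac, credentials_ok, now):
        """Pre-login 802.1X with machine credentials. Only happens if the NIC is up
        and the supplicant is configured for it at the ctrl-alt-del screen."""
        if not credentials_ok:
            return ROLE_INITIAL
        self.machine_cache[mac] = now + MACHINE_CACHE_TIMEOUT
        self.local_userdb.add(mac)
        return ROLE_MACHINE_ONLY

    def user_auth(self, mac, credentials_ok, now):
        """Post-login 802.1X with user credentials.
        Returns (role, which store proved earlier machine auth, or None)."""
        if not credentials_ok:
            return ROLE_INITIAL, None
        expiry = self.machine_cache.get(mac)
        if expiry is not None and now < expiry:
            return ROLE_BOTH, "machine-cache"
        if mac in self.local_userdb:           # cache expired or absent: fall back
            return ROLE_BOTH, "local-userdb"
        return ROLE_USER_ONLY, None            # user passed but no machine-auth evidence


# Constructed sample MACs for the scenarios below.
def scenario_wifi_up_at_logon():
    """Laptop already associated at the ctrl-alt-del screen: machine auth runs first."""
    ctrl = Controller()
    first = ctrl.machine_auth("00:11:22:33:44:55", True, now=0)
    role, source = ctrl.user_auth("00:11:22:33:44:55", True, now=60)
    return first, role, source


def scenario_wifi_enabled_after_logon():
    """The original poster's problem: adapter disabled during a cached-credential
    logon, enabled later in a meeting room. No machine auth ever ran."""
    ctrl = Controller()
    return ctrl.user_auth("00:11:22:33:44:66", True, now=0)


def scenario_cache_expired():
    """Machine auth 25 hours ago: the cache entry is gone, local-userdb still answers."""
    ctrl = Controller()
    ctrl.machine_auth("00:11:22:33:44:77", True, now=0)
    return ctrl.user_auth("00:11:22:33:44:77", True, now=25 * 3600)


def scenario_machine_auth_rejected():
    """Machine credentials rejected (non-domain box), user credentials accepted:
    nothing is cached, so the user lands in the machine-auth user default role."""
    ctrl = Controller()
    first = ctrl.machine_auth("00:11:22:33:44:88", False, now=0)
    role, _ = ctrl.user_auth("00:11:22:33:44:88", True, now=10)
    return first, role


if __name__ == "__main__":
    for fn in (scenario_wifi_up_at_logon, scenario_wifi_enabled_after_logon,
               scenario_cache_expired, scenario_machine_auth_rejected):
        print(f"{fn.__name__}: {fn()}")
```

The second scenario is the one the thread keeps coming back to: with the supplicant never having done a pre-login exchange, the controller has no cache or local-userdb entry to consult, so a valid user login alone can only ever reach the machine-auth user default role. Lengthening the cache timeout, as the post suggests, only helps devices that passed machine auth at least once before.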
