Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Machine auth using VIA and CPPM drops the host/ prefix when authenticating to AD

  • 1.  Machine auth using VIA and CPPM drops the host/ prefix when authenticating to AD

    Posted Nov 21, 2017 12:56 PM

    We are using VIA (v3.2) for remote access on Windows 10 laptops. We authenticate using User certificates, which is working fine.

    We have configured domain pre-connect on the VIA client profile so that Users of the VPN can log off and change passwords etc.

    The problem is that when ClearPass authenticates the Machine cert. against AD it drops the host/ from the front of the machine name. It appears AD then tries to authenticate the laptop as a user and the authentication fails.

    There is also an automatic TIPS role of [User Authenticated] generated.

    Using the same machine cert on a WiFi or Wired (both 802.1x) connection, ClearPass asks AD to authenticate with the host/ prefix intact and a TIPS role of [Machine Authentication]. This authenticates correctly.

    Has anyone any idea why we lose the prefix using VIA?



  • 2.  RE: Machine auth using VIA and CPPM drops the host/ prefix when authenticating to AD

    EMPLOYEE
    Posted Nov 21, 2017 01:19 PM

    In the service used to authenticate VIA, under the authentication tab, do you have "strip username" rules enabled?



  • 3.  RE: Machine auth using VIA and CPPM drops the host/ prefix when authenticating to AD

    Posted Nov 22, 2017 03:26 AM

    We do strip everything the @companyname.com from the users.  The machine names don't have the @.



  • 4.  RE: Machine auth using VIA and CPPM drops the host/ prefix when authenticating to AD

    EMPLOYEE
    Posted Nov 21, 2017 01:21 PM
    The host/ prefix is appended by the Windows 802.1X supplicant only.


  • 5.  RE: Machine auth using VIA and CPPM drops the host/ prefix when authenticating to AD

    Posted Nov 22, 2017 03:29 AM

    I think I'm missing something fundamental here. Do you know how the TIPS Roles are determined as User or Machine? I thought this was from the certificate contents.