Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Machine authentication on 3200 ArubaOS 6.1.2.3

  • 1.  Machine authentication on 3200 ArubaOS 6.1.2.3

    Posted Nov 29, 2012 05:52 AM

    Hey,


    I've been fighting with setting up 802.1x on our wireless network the past few days.


    I'm trying to authenticate systems and users via RADIUS (Server 2008 R2 IAS). Part of this solution is working. I am able to access my network using my windows domain user/password.


    However, I'm not being assigned the correct role on the Aruba controller. It just gives me the guest role with the NoLocalAccess policy attached to it. I wrote that to be a quite strict policy, so basically all I can do is access the internet through our gateway.

    I'm getting these errors.


    Nov 29 11:58:53 localdb[1568]: <133019> <ERRS> |localdb| User 00:1d:e0:98:71:05 was not found in the database
    Nov 29 11:58:53 localdb[1568]: <133006> <ERRS> |localdb| User 00:1d:e0:98:71:05 Failed Authentication
    Nov 29 11:58:54 localdb[1568]: <133019> <ERRS> |localdb| User 00:1d:e0:98:71:05 was not found in the database
    Nov 29 11:58:54 localdb[1568]: <133006> <ERRS> |localdb| User 00:1d:e0:98:71:05 Failed Authentication
    Nov 29 11:58:59 authmgr[1565]: <124006> <WARN> |authmgr| {644} TCP srcip=10.1.1.76 srcport=4258 dstip=10.1.1.26 dstport=13000, action=deny, role=guest, policy=NoLocalAccess


    So, what config have I set up?

    I've got 2 User Roles: PurnaPC and PurnaUser. Both are set to the allowall firewall policy.


    The RADIUS server is configured in a Server Group called ISA and has one rule applied.

    • Attribute: Class
    • Operation: value-of
    • Type: string
    • Action: set role

    My 802.1X Authentication Profile (dot1x) has the following settings

    • Enforce Machine authentication: Enabled
    • Machine Auth: Default Machine Role: PurnaPC
    • Machine Auth: Default User Role: guest

    Moving on to AAA profiles. My profile aaa_dot1x contains the following settings

    • Initial role: login (this was default)
    • MAC Authentication Default Role: PurnaPC
    • 802.1X Authentication Default Role: PurnaUser
    • The 802.1X authentication profile is set to the above dot1x
    • 802.1X Authentication server group: ISA

    On that RADIUS server there are 2 Network Policies active. One is Wireless-PurnaPC and the other is Wireless-PurnaUser.

    The condition on Wireless-PurnaPC (processing order 1) is set to Domain Computers and is set to return the Class attribute PurnaPC. The condition on Wireless-PurnaUser (processing order 2) is Domain Users, this one is also set to return the Class attribute PurnaUser.


    Can anybody tell me what I've done wrong or where I have to look? I've gone over the settings a thousand times and I'm beginning to feel quite lost.




  • 2.  RE: Machine authentication on 3200 ArubaOS 6.1.2.3
    Best Answer

    EMPLOYEE
    Posted Nov 29, 2012 06:02 AM

    Uncheck "Enforce Machine Authentication" in the 802.1X profile. RADIUS attributes are ignored when you have "Enforce Machine Authentication" checked UNLESS a device has passed both user AND machine authentication.


    There is no way to check BOTH the user and machine status from Windows 2008 server.


    What are you trying to do?




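As an added illustration (not configuration from the thread, from HPE Aruba, or from the RADIUS document the original poster later found), here is the setup described in the first post written out in ArubaOS 6.x CLI, followed by the one change the accepted answer recommends. The RADIUS server object name "ISA-RADIUS" and its host address and shared secret are assumptions (the post does not give them); the role names, profile names, server-group rule and default-role settings mirror the posted screens.

```text
! Added example: the first post's configuration in ArubaOS 6.x CLI.
! "ISA-RADIUS", <radius-server-ip> and <shared-secret> are assumed placeholders.

! RADIUS server pointing at the Windows 2008 R2 NPS/IAS box
aaa authentication-server radius "ISA-RADIUS"
   host <radius-server-ip>
   key <shared-secret>

! Server group "ISA" with the single derivation rule from the post:
! take the role name from the value of the returned Class attribute.
! The value NPS returns (PurnaPC / PurnaUser) must match a role name exactly.
aaa server-group "ISA"
   auth-server "ISA-RADIUS"
   set role condition Class value-of

! 802.1X profile as posted. With machine-authentication enabled the
! Class-derived role is applied only when BOTH machine and user
! authentication have succeeded; otherwise the two default roles below win,
! which is why the user landed in "guest".
aaa authentication dot1x "dot1x"
   machine-authentication enable
   machine-authentication machine-default-role "PurnaPC"
   machine-authentication user-default-role "guest"

! AAA profile tying the pieces together
aaa profile "aaa_dot1x"
   initial-role "login"
   authentication-dot1x "dot1x"
   dot1x-default-role "PurnaUser"
   dot1x-server-group "ISA"
   mac-default-role "PurnaPC"

! The change from the accepted answer: stop enforcing machine authentication
! so the role derived from the Class attribute is honoured on user login.
aaa authentication dot1x "dot1x"
   no machine-authentication enable

! Verification after the client reconnects
show auth-tracebuf
show user-table
show rights PurnaUser
```

After reconnecting a client, `show auth-tracebuf` shows the 802.1X exchange and which role the controller settled on, and `show user-table` should list the user with role PurnaUser rather than guest. If it still shows guest, compare the literal Class value in the NPS policy against `show rights` role names, since the value-of rule does an exact match and returns nothing on a mismatch.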
  • 3.  RE: Machine authentication on 3200 ArubaOS 6.1.2.3

    Posted Dec 04, 2012 10:41 AM

    The basic idea was to set up 802.1X. I started following the example described in the ArubaOS manual.


    I've got it working now; apparently I was using the wrong policies on the RADIUS server. Using a document I found in one of the other threads concerning 802.1X got my setup working.