Frequent Contributor I
Posts: 84
Registered: ‎09-08-2015

Onboard - Machine auth for BYOD PCs

We've been using 802.1x wired auth for some time, with user authentication only - certs and settings issued by Onboard.


Our wired ports have MAC authentication bypass, so when a BYOD machine connects, at the logon screen it gets dumped into the guest VLAN.

 

For some reason, when the user actually logs in, re-authentication doesn't seem to occur, so the user stays in the guest VLAN.

 

I noticed there is a 'machine and user' auth setting in the Network Settings -> Authentication page in the Onboard configuration.

 

I've enabled this, and the cert is pushed to the local computer certificate store; however, the computer tries to authenticate using 'host\<Firstname> <Lastname>' rather than UPN (like user auth).

This causes auth to fail.

 

I can't seem to find where I can change the username, or allow these sorts of authentication attempts?

Guru Elite
Posts: 8,636
Registered: ‎09-08-2010

Re: Onboard - Machine auth for BYOD PCs

Machine auth will always use the host format. That is how it is designed.
Who is issuing each certificate?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I
Posts: 84
Registered: ‎09-08-2015

Re: Onboard - Machine auth for BYOD PCs

We use ADCS to issue the certs; the setting below just copies the cert into the Computer store as well, and changes the authentication settings to 'User or Computer' authentication.

snip_20160824083543.png

 

Is there a way to get the AD auth source to ignore the 'host' and just look up the user?


What is the proper way of getting things working with the above setting?

Guru Elite
Posts: 8,636
Registered: ‎09-08-2010

Re: Onboard - Machine auth for BYOD PCs

So these are not domain joined machines?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480