Occasional Contributor II
Posts: 38
Registered: ‎03-30-2016

[User Authenticated] and [Machine Authenticated] roles

Hi: There are a number of roles that do not show up in the Roles tab, but are available when creating enforcement policies. Among these are [User Authenticated] and [Machine Authenticated].

I have not been able to find a description of these roles.

Can they be reliably used for enforcement? Is every authenticated user given the [User Authenticated] role? Is every AD member computer given the [Machine Authenticated] role? Any other gotchas with these roles?

If I missed something in the CPPM user guide, please feel free to point me there.

Thanks!

Guru Elite
Posts: 8,335
Registered: ‎09-08-2010

Re: [User Authenticated] and [Machine Authenticated] roles

Yes, they're built-in, auto-assigned roles.

User Authenticated will vary based on the type of authentication. When working with 802.1X, this means that a user account was authenticated.

[Machine Authenticated] will be mapped when a computer account authenticates against the domain successfully.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Occasional Contributor II
Posts: 38
Registered: ‎03-30-2016

Re: [User Authenticated] and [Machine Authenticated] roles

Thanks, Tim.

Is this documented anywhere? I only see one reference to these roles in the User Guide, and that's in a chart in the enforcement policy simulation section.

Thanks.

Occasional Contributor II
Posts: 38
Registered: ‎03-30-2016

Re: [User Authenticated] and [Machine Authenticated] roles

And I'm wondering about the use of the [User Authenticated] role...

If we create a role called "financeMember" and map it via something like:

Authorization: domain.com AD:memberOf EQUALS finance

and then use that role in an enforcement policy... do we also need to check for the [User Authenticated] role?

i.e.: if AD returns the group membership info, don't we know that the user is authenticated?

Thanks.

Guru Elite
Posts: 20,820
Registered: ‎03-29-2007

Re: [User Authenticated] and [Machine Authenticated] roles

If a user is not authenticated or fails authentication, the role will not appear and enforcement policies will not be executed. You do not need to check for it.


Colin Joseph
Aruba Customer Engineering


Guru Elite
Posts: 8,335
Registered: ‎09-08-2010

Re: [User Authenticated] and [Machine Authenticated] roles

You need to configure the client for both.

When the machine boots up, it will machine authenticate. When the user logs in, it will user authenticate. The Machine Authenticated token will be cached and can be used to write a policy that says Machine + User do X.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
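
The behavior described across this thread, as a simplified Python model added here for illustration (it is not ClearPass code and not from any of the posters): roles are assigned only on successful authentication, a cached machine authentication adds [Machine Authenticated] to a later user authentication, and the enforcement rules are checked in order. The cache lifetime, keying the cache by MAC address, first-match rule evaluation, and all profile names are assumptions.

```python
import time

MACHINE_CACHE_TTL = 24 * 3600  # assumed cache lifetime in seconds
_machine_cache = {}            # assumed: MAC address -> time of last machine auth

def assign_roles(mac, identity_type, auth_ok, ad_groups=(), now=None):
    """Return the role set for one request, or None if authentication failed."""
    now = time.time() if now is None else now
    if not auth_ok:
        return None  # no roles are assigned, so enforcement is never evaluated
    roles = set()
    if identity_type == "machine":
        roles.add("[Machine Authenticated]")
        _machine_cache[mac] = now  # remember this device for later user logins
        return roles
    roles.add("[User Authenticated]")
    if "finance" in ad_groups:  # role mapping from the thread: memberOf EQUALS finance
        roles.add("financeMember")
    seen = _machine_cache.get(mac)
    if seen is not None and now - seen <= MACHINE_CACHE_TTL:
        roles.add("[Machine Authenticated]")  # cached machine auth still valid
    return roles

# Enforcement policy: first rule whose required roles are all present wins.
POLICY = [
    ({"[Machine Authenticated]", "financeMember"}, "finance-corp-device"),
    ({"[Machine Authenticated]", "[User Authenticated]"}, "corp-device"),
    ({"financeMember"}, "finance-byod"),  # no [User Authenticated] check needed
    ({"[User Authenticated]"}, "user-only"),
    ({"[Machine Authenticated]"}, "machine-only"),
]

def enforce(roles):
    """Map a role set to a (hypothetical) enforcement profile name."""
    if roles is None:
        return "REJECT"
    for required, profile in POLICY:
        if required <= roles:
            return profile
    return "default-deny"
```

Because financeMember can only be mapped after a successful user authentication, the "finance-byod" rule never needs to test [User Authenticated] as well, while the Machine + User rules only match on a device that machine-authenticated within the cache lifetime.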