Frequent Contributor I
Posts: 76
Registered: ‎03-09-2015

User & Computer attribute for Microsoft AD Authorization in 802.1X

There's no way to pass both a User and a Computer Authorization Attribute to Microsoft AD?

In wireless SSID configuration under Microsoft Windows, under Advanced 802.1X settings, I can see 'User OR Computer'.  But I can't send both, can I?

The goal is to have both a valid User AND (Logic AND) a valid Computer object/hostname be sitting in Microsoft AD to eventuate rule matching of an enforcement policy, and thus an Allow Enforcement Profile.

Frequent Contributor I
Posts: 76
Registered: ‎03-09-2015

Re: User & Computer attribute for Microsoft AD Authorization in 802.1X

I guess I'm trying to see if I can get computer auth attributes AND user auth attributes out of a Microsoft supplicant to vet on... is my question...

Guru Elite
Posts: 20,328
Registered: ‎03-29-2007

Re: User & Computer attribute for Microsoft AD Authorization in 802.1X

The Microsoft client will only let you send one set of credentials at a time.  You cannot send both.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor I
Posts: 76
Registered: ‎03-09-2015

Re: User & Computer attribute for Microsoft AD Authorization in 802.1X

Agree.. the supplicant will only do one at a time.

But, with something like this, http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/How-to-Machine-AND-User-Authentication-in-Windows-with-Clearpass/td-p/208471, and having the device machine auth first, then following up with a user auth next, writing the dNSHostName to the Endpoint local SQL DB, and then SQL querying it (comment from Tim Cappalli (http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/How-to-Machine-AND-User-Authentication-in-Windows-with-Clearpass/m-p/255073#M23954)) in the next part/user auth part.. I could essentially get what I want.. no?

Machine Auth first, User Auth followup.

Guru Elite
Posts: 20,328
Registered: ‎03-29-2007

Re: User & Computer attribute for Microsoft AD Authorization in 802.1X

But, what are you trying to accomplish?  The machine authentication state should be cached for 24 hours by default, so you can use the role [Machine Authenticated] to determine if a machine has already authenticated when processing a user authentication.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Guru Elite
Posts: 20,328
Registered: ‎03-29-2007

Re: User & Computer attribute for Microsoft AD Authorization in 802.1X

To be clear, when you set the Microsoft 802.1x client to use "user or computer authentication", it will machine authenticate when:

- The user logs off of their computer, or

- The machine boots up at the ctrl-alt-delete prompt

This means, when the machine boots up and successfully machine authenticates, it will have the [Machine Authenticated] role.  That built-in role will be cached for 24 hours.  When the user attempts to login after, the user's authentication will also have the [Machine Authenticated] role, which you can use to make policy decisions.  Whenever the user successfully authenticates, the Machine Authenticated cache is reset, so CPPM will remember the machine authenticated state, even if the machine authentication does not happen at the CTRL-ALT-DELETE screen, because the cache is renewed whenever there is a successful user authentication.

 

Long story short, use the [Machine Authenticated] role to determine if a user is authenticating on a machine that has already successfully machine authenticated.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor I
Posts: 76
Registered: ‎03-09-2015

Re: User & Computer attribute for Microsoft AD Authorization in 802.1X

Ok.. and not being personally super proficient in Microsoft AD services, I presume an LDAP object type of 'computer' is only present in the forest if a machine successfully authenticates?

Thus, yes, this built-in role will satisfy my requirements, as it seems..

Agree?

Guru Elite
Posts: 20,328
Registered: ‎03-29-2007

Re: User & Computer attribute for Microsoft AD Authorization in 802.1X

An AD account of type "Computer" is created whenever a workstation joins the domain.  That is the same account that a machine authenticates to, when it is wired, to get its policy from the domain.  If that account is disabled, the machine loses access to the domain.  You will see the username as "hostname/<name of host>" in ClearPass when the device authenticates.  When ClearPass sees the "hostname/" portion, it knows that a device is attempting to machine authenticate.  When it is successful, it sets the [Machine Authenticated] role for that device.  If a user or machine successfully authenticates for the same device, the cache is reset for 24 hours by default.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor I
Posts: 76
Registered: ‎03-09-2015

Re: User & Computer attribute for Microsoft AD Authorization in 802.1X

What about if that object is not disabled or deleted, and is existing, and CP is brought into the picture, and the device has PEAP entered into a wireless profile? CP Access Tracker.. quite sure.. never sees a machine authentication.. it just sees user authentication hitting it.

I want to be able to logic AND a device that has prior machine authenticated and is now trying to user authenticate.

It sounds like, CP needs to see a computer authentication FIRST.

Which means an Enforcement Policy rule condition set of

(Authentication:Source  EQUALS  *customerAD*)
AND  (Authorization:*customer AD*:UserDN  EXISTS   )
AND  (Tips:Role  EQUALS  [Machine Authenticated]) hits action of [Allow Access Profile]

will not allow this machine to machine authenticate for the first time... because it needs to satisfy all those 3 conditions.

I'll need a preceding service to catch a machine auth FIRST, allow it, to cache it and fill the TIPS built-in role, and then a service to throw the enforcement policy I've built above as the next one down.  Correct?
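To make the caching behaviour Colin describes and the service-ordering question in the last post concrete, here is an added Python model of the decision logic. It is not part of this thread and not ClearPass code: the "hostname/" username prefix, the 24-hour cache, the [Machine Authenticated] role and the three-condition rule are taken from the posts above, while the authentication source name customerAD, the [Deny Access Profile] name, the attribute keys Authorization:customerAD:UserDN and Authorization:customerAD:dNSHostName, and the directory contents are assumptions constructed for the example.

```python
"""Added model of the ClearPass behaviour described in this thread (not
ClearPass code): a successful machine authentication, recognised by the
'hostname/' username prefix, sets the [Machine Authenticated] role for
that device for 24 hours; any later successful authentication from the
same device renews that cache; and an enforcement policy that requires
the role can never admit the very first machine authentication, which is
why a preceding machine-auth service is needed."""
from dataclasses import dataclass
from datetime import datetime, timedelta

MACHINE_AUTH_TTL = timedelta(hours=24)   # default cache lifetime stated in the thread
MACHINE_PREFIX = "hostname/"             # username form quoted in the thread
AD_SOURCE = "customerAD"                 # assumed name of the AD authentication source
ALLOW = "[Allow Access Profile]"         # profile named in the thread
DENY = "[Deny Access Profile]"           # assumed name of the deny profile
MACHINE_ROLE = "[Machine Authenticated]"

# Constructed directory contents (assumption): enabled computer and user accounts.
AD_COMPUTERS = {"laptop01": "laptop01.example.com"}          # host -> dNSHostName value
AD_USERS = {"alice": "CN=alice,OU=Users,DC=example,DC=com"}  # user -> UserDN value


@dataclass
class Request:
    mac: str        # device identity the cache is keyed on
    username: str   # "hostname/<host>" for machine auth, plain name for user auth
    when: datetime


class MachineAuthCache:
    """Per-device expiry of the [Machine Authenticated] role."""

    def __init__(self):
        self._expiry = {}

    def renew(self, mac, now):
        self._expiry[mac] = now + MACHINE_AUTH_TTL

    def has_role(self, mac, now):
        expiry = self._expiry.get(mac)
        return expiry is not None and now < expiry


def is_machine_auth(username):
    return username.lower().startswith(MACHINE_PREFIX)


def authorize(req, cache):
    """Attribute bag the enforcement rules evaluate, keyed as the thread names them."""
    attrs = {"Authentication:Source": AD_SOURCE, "Tips:Role": []}
    if is_machine_auth(req.username):
        host = req.username[len(MACHINE_PREFIX):].lower()
        if host in AD_COMPUTERS:
            attrs["Authorization:customerAD:dNSHostName"] = AD_COMPUTERS[host]
    elif req.username.lower() in AD_USERS:
        attrs["Authorization:customerAD:UserDN"] = AD_USERS[req.username.lower()]
    if cache.has_role(req.mac, req.when):
        attrs["Tips:Role"].append(MACHINE_ROLE)
    return attrs


def user_policy(attrs):
    """The three ANDed conditions from the last post."""
    ok = (attrs["Authentication:Source"] == AD_SOURCE
          and "Authorization:customerAD:UserDN" in attrs
          and MACHINE_ROLE in attrs["Tips:Role"])
    return ALLOW if ok else DENY


def machine_policy(attrs):
    """Preceding service: admit a machine auth when the computer account resolves."""
    ok = (attrs["Authentication:Source"] == AD_SOURCE
          and "Authorization:customerAD:dNSHostName" in attrs)
    return ALLOW if ok else DENY


def process(req, cache, machine_service_first=True):
    """Route machine auths to the preceding service (if present), else apply the user rule."""
    attrs = authorize(req, cache)
    if machine_service_first and is_machine_auth(req.username):
        profile = machine_policy(attrs)
    else:
        profile = user_policy(attrs)
    if profile == ALLOW:
        cache.renew(req.mac, req.when)   # user OR machine success resets the 24h cache
    return profile


def run_scenario(machine_service_first=True):
    """Constructed sequence: boot, logon, two re-auths, then a device that never machine-authed."""
    cache = MachineAuthCache()
    t0 = datetime(2015, 6, 1, 8, 0)
    lap, other = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"
    sequence = [
        Request(lap, "hostname/LAPTOP01", t0),               # boot: machine auth
        Request(lap, "alice", t0 + timedelta(hours=1)),      # logon: user auth sees the role
        Request(lap, "alice", t0 + timedelta(hours=20)),     # within 24h of logon
        Request(lap, "alice", t0 + timedelta(hours=30)),     # >24h after boot, but renewed at 20h
        Request(other, "alice", t0 + timedelta(hours=2)),    # device never machine authenticated
    ]
    return [process(r, cache, machine_service_first) for r in sequence]


if __name__ == "__main__":
    print("two services :", run_scenario(True))    # Allow x4, then Deny
    print("single policy:", run_scenario(False))   # Deny x5: the first machine auth never passes
```

Running it shows the two outcomes side by side: with a preceding machine-auth service, the boot-time authentication is admitted, the role is cached, every later user authentication on that device passes the three-condition rule (including the one 30 hours after boot, because the cache was renewed by the earlier user authentication), and a device that never machine authenticated is denied. With only the three-condition rule, nothing is ever allowed, since the first machine authentication carries no UserDN and no cached role, so the role never gets set for anyone.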
