12-13-2016 08:11 PM
I'm currently working on setting up user and machine authentication for a customer following this post:
I'm confused with some of the components that are mentioned which I can't find in the documentation:
- What is the logic behind CPPM assigning [Machine Authenticated] and [User Authenticated] roles? What does CPPM check and how does it decide to assign these roles in an incoming RADIUS request?
12-13-2016 08:14 PM
12-13-2016 08:40 PM
I'm also trying to understand the enforcement profile which checks for both [machine auth] and [user auth] roles to be assigned to the requests. I've tested this with domain/useraccount and it works OK (I can see both roles assigned in Access Tracker), I just don't understand how this works. Shouldn't the [user authenticated] role be returned by itself when user credentials are authenticated to the domain? Why is the [machine auth] role also returned?
12-13-2016 10:03 PM
The [user authenticated] built-in role is returned when the current authentication being handled is passed. [Machine Authenticated] is also returned if a device with the same MAC address passed machine authentication within the "Machine Authentication Cache Timeout Period" shown below (24 hours). Another wrinkle to this is that every time a device that has passed machine authentication passes user authentication, the cache is reset to another 24 hours or whatever the parameter is below:
You can test this by clearing the machine authentication cache to reset all devices:
To recap and in more detail:
Domain machines attempt machine authentication with a username of host/<machine fqdn>. If ClearPass sees a device pass authentication with that username it assumes it is a domain machine that has authenticated and adds the MAC address of that device to the machine authentication cache for 24 hours or whatever that parameter is. It also returns the built-in role of [machine authenticated]. If a user on that machine authenticates successfully via 802.1X, ClearPass returns [user authenticated] and [machine authenticated] if it is within that 24 hours, every time that user authenticates. Every time a user successfully authenticates on a machine that is in the machine authentication cache, the 24 hours is extended.
It is designed this way, because by default machines only machine authenticate when they are at the ctrl-alt-delete prompt and logged out. It is possible that a user locks his machine, and if he comes back 36 hours later the machine will be removed from the cache and the next user authentication will no longer have the [machine authenticated] role, because it expired. Extending the cache for any successful 802.1X authentication with that MAC address eliminates the need for a user to reboot his computer just to reflect that it is a domain machine.
I hope that helps...
Aruba Customer Engineering
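The cache behaviour described in the answer above, walked through as an added toy model (my own illustration, not ClearPass code): a MAC-keyed cache with a 24-hour window, entries created by a host/ machine authentication, extended by every successful user authentication, and the 36-hour locked-workstation case at the end. The MAC address, hostname, usernames and hour offsets are constructed sample values.

```python
from dataclasses import dataclass, field

CACHE_TIMEOUT_HOURS = 24  # "Machine Authentication Cache Timeout Period" from the post

@dataclass
class MachineAuthCache:
    """Toy model of the MAC-keyed machine authentication cache (assumption, not ClearPass code)."""
    timeout_h: float = CACHE_TIMEOUT_HOURS
    expiry: dict = field(default_factory=dict)  # MAC -> hour at which the entry expires

    def in_cache(self, mac, now_h):
        return mac in self.expiry and now_h < self.expiry[mac]

    def touch(self, mac, now_h):
        # Add the MAC, or reset an existing entry to a fresh 24-hour window
        self.expiry[mac] = now_h + self.timeout_h

    def clear(self):
        # Equivalent of "clearing the machine authentication cache" in the post
        self.expiry.clear()

def evaluate_request(cache, mac, username, auth_ok, now_h):
    """Return the set of built-in roles the post says are assigned to one passed request."""
    roles = set()
    if not auth_ok:
        return roles                      # failed authentication: no built-in roles
    roles.add("[User Authenticated]")     # returned for any authentication that passes
    if username.startswith("host/"):
        cache.touch(mac, now_h)           # domain machine: cache the MAC for 24 hours
        roles.add("[Machine Authenticated]")
    elif cache.in_cache(mac, now_h):
        cache.touch(mac, now_h)           # user on a cached machine: window is extended
        roles.add("[Machine Authenticated]")
    return roles

def lock_scenario():
    """Constructed timeline: machine auth at hour 0, user auths at 1 and 20, then a 36-hour lock."""
    cache = MachineAuthCache()
    mac = "00:11:22:33:44:55"  # constructed sample MAC
    r0 = evaluate_request(cache, mac, "host/pc1.example.local", True, now_h=0)
    r1 = evaluate_request(cache, mac, "EXAMPLE\\alice", True, now_h=1)   # cached, extended to 25
    r2 = evaluate_request(cache, mac, "EXAMPLE\\alice", True, now_h=20)  # cached, extended to 44
    r3 = evaluate_request(cache, mac, "EXAMPLE\\alice", True, now_h=56)  # 36h later: expired
    return r0, r1, r2, r3
```

Without the extension on each user authentication, the entry from hour 0 would already have expired at hour 20; with it, the machine stays cached until hour 44 and only the hour-56 request loses [Machine Authenticated].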