Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

User and Machine auth; plus token server

  • 1.  User and Machine auth; plus token server

    Posted Nov 17, 2016 05:43 PM

    Dear Members,

     

    Our customer has a strict security policy, that's why they allow wifi for their employees in the following way:

    - the machine must be a member of a domain

    - the user (used for windows logon) must be present in a special AD group

    - if the two conditions above meet the requirements, the users have to authenticate against a Gemalto token server. Usernames in the AD are not the same as the users in the Gemalto (actually the usernames are in a Cisco ISE, and the Gemalto talks with ISE). What should I select for authorization source when I want to add a token server? (Because I cannot leave it empty.)

     

    Is this whole scenario even supported?

    Could you help me with how to configure a service for this setup?

     

    Thank you for help in advance.

    Best regards,



  • 2.  RE: User and Machine auth; plus token server

    EMPLOYEE
    Posted Nov 17, 2016 05:53 PM

    How are they implementing that security now?...or is it just a desire?



  • 3.  RE: User and Machine auth; plus token server

    Posted Nov 17, 2016 05:56 PM

    That's the plan. We tested machine and user auth, and that worked fine. Now, they'd like to extend this with an authentication against a token server.

     



  • 4.  RE: User and Machine auth; plus token server

    EMPLOYEE
    Posted Nov 17, 2016 07:32 PM
    In what supplicant should they enter the token and how often? Is there already a client installed that is already authenticating tokens?

    If this becomes too complicated, users will not use it...


  • 5.  RE: User and Machine auth; plus token server

    Posted Nov 25, 2016 06:54 AM

    Hi cjoseph,

     

    They'd like to let the user enter the credentials when they connect to the wireless network; they don't want to use a separate supplicant. So they'd like to use the Windows built-in method.

    So they'd like the following (because of their strict security policy):

    - give access only when a user is signed in to Windows with AD credentials and the computer is a member of the domain. If these requirements are OK and the users want to connect to the wireless network, they'd like to force them to authenticate with OTP (Gemalto).

    Could you help us how to configure ClearPass?

     

    Best regards,

     



  • 6.  RE: User and Machine auth; plus token server

    EMPLOYEE
    Posted Nov 25, 2016 07:04 AM

    The Windows Supplicant does not support two factor authentication.  How do they use Gemalto now?

    I am asking because, if your users are not using it currently to log in to their computers, the difficult part is integrating it into your users' existing workflow.  If the users are using it currently, we might try to figure out how that is being used and add a wireless component to that...



  • 7.  RE: User and Machine auth; plus token server

    Posted Nov 25, 2016 07:43 AM

    I don't know how they use Gemalto now. I'll ask them, and I'll get back to you.



  • 8.  RE: User and Machine auth; plus token server

    Posted Nov 27, 2016 11:34 AM

    Check out ArubaNetworks_ClearPass_6.4.2_AuthMan8.1.pdf. It's a guide for RSA, but might give you some ideas for Gemalto depending upon what type of Gemalto implementation is being used.