Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Windows 802.1X overriding Machine Authentication?

  • 1.  Windows 802.1X overriding Machine Authentication?

    Posted Jul 02, 2018 04:15 PM

    I've been tracking down an issue that's been affecting a few systems with special setups. For the most part, these are machines using service accounts that can only log into specific machines. Following Tim's note in https://community.arubanetworks.com/t5/Security/AD-Account-Restricted-to-a-Workstation-in-Active-Directory/td-p/249136, we added the ClearPass servers to the "Allowed Logon" list and everything worked fine.

    Part of my concern is that we had a DHCP reservation for that machine, which Machine Authenticated and set the Port Authorized Role for it. Seconds later, the machine tries to do Wired 802.1X and the user account fails. My question is this: Does Windows 802.1X just get excited, say, "Hey, I'm set up so I'm going to do things!" and then a CoA is sent, undoing the existing Machine Authentication? Is there a way of preventing this from occurring?



  • 2.  RE: Windows 802.1X overriding Machine Authentication?

    EMPLOYEE
    Posted Jul 02, 2018 05:36 PM

    How is the supplicant configured?



  • 3.  RE: Windows 802.1X overriding Machine Authentication?

    Posted Jul 03, 2018 10:04 AM

    We have it configured via Group Policy for User Authentication and using Single Sign On after user logon. Again, the question is whether Windows re-initiates authentication against the RADIUS server, because Windows won't be aware that the switchport is already authorized for access. The machine has already gone through the MAB process and is good to go, but Windows does SSO and restarts the process. If someone were to use a local account rather than a domain account, I'd still like them to be able to have network access, but dot1x will fail. Does that make sense?



  • 4.  RE: Windows 802.1X overriding Machine Authentication?

    MVP
    Posted Jul 03, 2018 10:47 AM

    You can set the auth-fail VLAN assignment for your production or data network, so if 802.1X fails, they still get access. You can set that only on the ports of those special use cases, but it's kind of bypassing the point of NAC and wouldn't prevent someone from unplugging the PC and patching in their own device.



  • 5.  RE: Windows 802.1X overriding Machine Authentication?

    Posted Jul 03, 2018 01:31 PM

    Yeah, I'd rather not have to configure a bunch of one-off ports like this. It sounds like this is just expected behavior and that using MAB as a means of authentication with a domain-joined machine isn't going to happen.



  • 6.  RE: Windows 802.1X overriding Machine Authentication?

    MVP
    Posted Jul 02, 2018 08:48 PM
    Sounds like the Supplicant is configured for User or Computer Authentication and possibly Use Windows logon credentials. I think you want to set Computer Authentication and uncheck the Use Windows logon credentials.


    #AirheadsMobile

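    The two supplicant settings named in the reply above are stored in the wired LAN profile that the GPO pushes; the script below is an added example (not from the thread or from HPE Aruba) that exports a host's profiles with `netsh lan export profile` and reports whether the supplicant is still set to switch to user credentials at logon. The folder path and the `Get-ElementText` helper are the example's own assumptions.

```powershell
# Added example, not from the thread: audit what the GPO-pushed wired 802.1X profile
# actually contains on a host, to see whether the supplicant will start a user EAP
# exchange after the machine has already authenticated.
# Assumes: elevated prompt, the Wired AutoConfig (dot3svc) service running, and a
# PEAP/EAP-MSCHAPv2 profile (the "Use Windows logon credentials" checkbox is stored
# as the UseWinLogonCredentials element of the inner EAP-MSCHAPv2 config).

$outDir = Join-Path $env:TEMP "lan-profile-audit"   # assumed scratch folder
New-Item -ItemType Directory -Force -Path $outDir | Out-Null
# Writes one XML file per wired interface that carries a profile.
netsh lan export profile folder="$outDir" | Out-Null

function Get-ElementText {
    param([xml]$Doc, [string]$Name)
    # local-name() sidesteps the per-element XML namespaces used in LAN profiles.
    $hit = $Doc | Select-Xml -XPath "//*[local-name()='$Name']" | Select-Object -First 1
    if ($hit) { $hit.Node.InnerText.Trim() } else { $null }
}

Get-ChildItem -Path $outDir -Filter *.xml | ForEach-Object {
    [xml]$doc = Get-Content -Path $_.FullName -Raw
    # authMode is machineOnly, machineOrUser or userOnly ("Computer", "User or Computer", "User")
    $authMode = Get-ElementText -Doc $doc -Name 'authMode'
    # true when "Use Windows logon credentials" is ticked (PEAP/MSCHAPv2 profiles only)
    $winLogon = Get-ElementText -Doc $doc -Name 'UseWinLogonCredentials'

    $findings = @()
    if (-not $authMode) {
        $findings += 'no 802.1X (OneX) configuration in this profile'
    } elseif ($authMode -ne 'machineOnly') {
        $findings += "authMode=$authMode: supplicant re-authenticates as the user after logon"
    }
    if ($winLogon -eq 'true') {
        $findings += 'UseWinLogonCredentials=true: domain logon credentials are sent automatically'
    }

    [pscustomobject]@{
        Profile  = $_.Name
        AuthMode = $authMode
        WinLogon = $winLogon
        Verdict  = if ($findings.Count -eq 0) { 'machine-only: stays on machine authentication' }
                   else { $findings -join '; ' }
    }
}
```

A profile that reports anything other than the machine-only verdict is one that will tear down a MAB or machine-authenticated session at user logon, which is the behaviour the original post describes.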

  • 8.  RE: Windows 802.1X overriding Machine Authentication?

    Posted Jul 02, 2018 09:44 PM

    We have a Group Policy that sets the 802.1X config across the board.  We have it set to use Windows Login Credentials so it will auto authenticate to Clearpass with the domain login for everybody else.  The issue is for machines that may not be using domain accounts, hence why we register a DHCP reservation for them and set Port Authorized based on that.  But it seems like Windows just isn't aware and tries to do its 802.1X anyway.