MVP
Posts: 1,405
Registered: ‎11-30-2011

can you associate a machine auth with a user auth?

doing wired dot1x with cisco switch and CP 6.4

got a setup where multiple types of devices exist in AD, with different DNs. based on these DNs different roles are defined in CP which are used to put the devices in different VLANs during machine auth.

but then user auth comes around and now the device type based on DN is unknown. so i can't put the user (and thus the device) in the correct VLAN. if i don't send a VLAN the default on the port is used and that isn't what i want.

is there a nice way to associate a machine auth attempt with a user auth attempt?

Guru Elite
Posts: 8,003
Registered: ‎09-08-2010

Re: can you associate a machine auth with a user auth?

You would have to map the computer account's DN to a TIPS role and allow cached roles in your service.

Thanks, 
Tim

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
MVP
Posts: 1,405
Registered: ‎11-30-2011

Re: can you associate a machine auth with a user auth?

i thought of that and tried it but it didn't seem to work. i know this automatically works for the default [machine authentication] role, which is available on the user auth.

but should it work for a role of my own between the machine and user auth also? it is a different session i assume?

Guru Elite
Posts: 20,357
Registered: ‎03-29-2007

Re: can you associate a machine auth with a user auth?

Boneyard,

Why bother with user authentication, then? Just configure the domain computers for machine authentication only. The user still has to get into the computer to do anything, so just do machine authentication only and put the device on the correct VLAN. At the ctrl-alt-delete screen the machine gets on the right VLAN during machine authentication. The user then has to log in to the computer and the computer is already on the correct VLAN. Since you are not enforcing firewall policies, it does not matter what user gets on the device as long as they have valid credentials, and Windows does that for you.



Colin Joseph
Aruba Customer Engineering


MVP
Posts: 1,405
Registered: ‎11-30-2011

Re: can you associate a machine auth with a user auth?

hey i thought of that one also cjoseph. just want to know if it is possible to somehow combine these two pieces of info to do something nice. this time it is workaroundable, next time it might not.
