02-18-2015 12:37 PM
Doing wired dot1x with a Cisco switch and CP 6.4.
Got a setup where multiple types of devices exist in AD, with different DNs. Based on these DNs, different roles are defined in CP which are used to put the devices in different VLANs during machine auth.
But then user auth comes around and now the device type based on DN is unknown, so I can't put the user (and thus the device) in the correct VLAN. If I don't send a VLAN, the default on the port is used, and that isn't what I want.
Is there a nice way to associate a machine auth attempt with a user auth attempt?
02-18-2015 12:43 PM
Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
02-19-2015 03:10 AM
I thought of that and tried it, but it didn't seem to work. I know this automatically works for the default [machine authentication] role, which is available on the user auth.
But should it work for a role of my own between the machine and user auth also? It is a different session, I assume?
02-19-2015 03:21 AM
Why bother with user authentication, then? Just configure the domain computers for machine authentication only. The user still has to get into the computer to do anything, so just do machine authentication only and put the device on the correct VLAN. At the ctrl-alt-delete screen the machine gets on the right VLAN during machine authentication. The user then has to log in to the computer, and the computer is already on the correct VLAN. Since you are not enforcing firewall policies, it does not matter what user gets on the device as long as they have valid credentials, and Windows does that for you.
Aruba Customer Engineering
02-19-2015 07:22 AM
Hey, I thought of that one also, cjoseph. I just want to know if it is possible to somehow combine these two pieces of info to do something nice. This time it can be worked around; next time it might not be.
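To make the problem in this thread concrete, here is an added toy model (not ClearPass code, and not anything posted by the participants) of a policy engine that remembers the VLAN derived from the computer object's DN at machine auth and reuses it when the user auth for the same endpoint arrives. The only attribute both 802.1X sessions share is the endpoint MAC, so that is the cache key; the DN-to-role table, the TTL and all names are constructed assumptions.

```python
"""Toy model: correlate a machine-auth result with the later user auth.

Hypothetical names and constructed sample values throughout; this is
not how ClearPass implements its machine-authentication cache.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Role and VLAN chosen from the AD computer object's DN (constructed values).
ROLE_BY_DN_SUFFIX = {
    "OU=Laptops,DC=corp,DC=example": ("laptop", 10),
    "OU=Kiosks,DC=corp,DC=example": ("kiosk", 20),
}
CACHE_TTL = 24 * 3600  # seconds a machine-auth result may be reused


@dataclass
class CachedMachineAuth:
    role: str
    vlan: int
    seen_at: float


class PolicyEngine:
    def __init__(self) -> None:
        # Keyed on endpoint MAC: the one thing both sessions have in common.
        self._cache: Dict[str, CachedMachineAuth] = {}

    def machine_auth(self, mac: str, computer_dn: str, now: float) -> Optional[int]:
        """Machine auth: map the computer DN to a role/VLAN and remember it."""
        for suffix, (role, vlan) in ROLE_BY_DN_SUFFIX.items():
            if computer_dn.endswith(suffix):
                self._cache[mac] = CachedMachineAuth(role, vlan, now)
                return vlan
        # Unknown DN: send no VLAN, so the port default applies (as in the thread).
        return None

    def user_auth(self, mac: str, now: float) -> Optional[int]:
        """User auth: reuse the VLAN cached for this endpoint, if still fresh."""
        entry = self._cache.get(mac)
        if entry is None or now - entry.seen_at > CACHE_TTL:
            # No recent machine auth for this MAC: fall back to the port default.
            self._cache.pop(mac, None)
            return None
        return entry.vlan
```

The expiry check matters: without it, a MAC that was once machine-authenticated would keep inheriting a VLAN indefinitely, even after the device was moved to another OU or re-imaged.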