Security

Okay i got the fallowing scenario in a lab im doing:

 

I got a Radius athentication server my AD and my Wireless controller

 

Okay on my Radius authentication server i got this conditions on the network policies

 

1 Network policy = if it belongs to engeering group  you are granted network access and then i also send a filter id with the name of the role

2 Network policy = if it belongs to sales group  you are granted network access and then i also send a filter id with the name of the role

 

Okay that works awsome!

 

Now let say i would like to do also enforce machine authentication on the first network policy  so let say i would like to do this:

 

If the users belongs to the users engineering group AND the machine belongs the the machines Engeering group you grant access to the network and then also send  a filter id with the name of the role.

 

Is that possible? to do both authentication? user and also ,machine authentication?(i know i have to checkbox the enforce machine authentication on the wirleess controller)  well is that possible?

i mean i read that groups are considered as an OR statatment which makes me think that he will look first for the engeering user group and he willl not look for the machine engineering group?

 

 

Well i first tried to confgured it with no success.... im getting the enforce mahine authentication default group... is not sending the filter id....

 

But then i start reading and read about the OR statement which makes me think that maybe what i was trying to achive is not possible....

 

can anyone enlight me in these?

 

Thank you in advance

 

You can only use role derivation after a devices has passed both user and machine authentication when you have Enforce Machine Authentication enabled.

 

 

Clear Pass policy manager (CPPM) provides the ability to be much more flexible with these types of rules.

Yeah its okay that way

But there must be something im doing wrong because hte machine authentication is not working...

 

The user athentication works alone...

But when i add the enforce machine authentication on the aruba controller and i add the group on the network policy which has my machine it doestn work...

Is there something i got incorrectly configured?

Has your device already machine authenticated  (host/machine name) ?  It would only do this at the ctrl-alt-delete screen or if you have your supplicant only programmed to authenticate with computer credentials.

 

i just tried disconnecting it and connecting it... i didnt tried to log off and log on...

 

I used to have on my wireless connection propierties on the 802.1x option i used to have just the user authentication i changed it to authenticate with computer or user (there i sno option to select in which it has to authenticate with user AND the computer)

 

so i guess i just needed to log off or restart my computer so it can authenticate the machine right? i was just trying disconnecting from the network and connecting it

---

@NightShade1 wrote:

i just tried disconnecting it and connecting it... i didnt tried to log off and log on...

 

I used to have on my wireless connection propierties on the 802.1x option i used to have just the user authentication i changed it to authenticate with computer or user (there i sno option to select in which it has to authenticate with user AND the computer)

 

so i guess i just needed to log off or restart my computer so it can authenticate the machine right? i was just trying disconnecting from the network and connecting it

---

With user and computer means authenticate as computer at the ctrl-alt-delete and as the user when someone is logged in.  You need to log off, wait about a minute and look on the user table on the controller to see if the username changes to host/computername.  When that happens, the controller has recorded the device as machine authenticated (802.1x-machine).  If you login successfully, it will market as just 802.1x which means computer AND user authenticated.  At that time, it will then be able to run derivation rules when that user logs in.

 

 

Thank you very much for the explanation Collin

 

Ill test tomorrow as i got the lab on the office

 

Thanks again!

Hello

 

I've been trying to do this machine+user authentication with an NPS radius and couldn't find the way to do it. Which kind of RADIUS are you using? Or, if using NPS, could you please give me a hint?

 

Thanks

 

 

---

@samuel.perez wrote:

Hello

 

I've been trying to do this machine+user authentication with an NPS radius and couldn't find the way to do it. Which kind of RADIUS are you using? Or, if using NPS, could you please give me a hint?

 

Thanks

 

 

---

Samuel.Perez,

 

If you only want to ensure that a device has passed BOTH machine and user authentication, using Enforce Machine Authentication in the controller will work with any radius server.  Turning it on gives a devices different roles if (1) Only Machine Authentication is Passed (2) Only User Authentication is Passed (3) Machine AND User Authentication is passed.  The main drawback with Enforce Machine Authentication is that you can only do role derivation beyond that if Both Machine and User Authentication is passed.

 

For example:  If you want users to authenticate with a smartphone, but give them a different role base on a group in active directory with Enforce Machine Authentication on, you cannot, because you are limited to Scenario 2, which does not allow you to derive a role beyond the Machine Authentication User Role.  If you also wanted to give a user a different role based on the Operating System, you could not combine different things like if the device is machine authenticated in the logic for your rule.

 

If you use Clear Pass Policy Manager (CPPM) as your radius server, it caches machine authentication state, AND does Operating System Profiling so that you can send back roles based on a much more comprehensive set of logic.  You can even point to a SQL server with your company-owned devices and use that data as logic during authentication to determine if to give a device a different role.  You would turn off Enforce Machine Authentication and allow CPPM to do all of your checking for you, because it is more flexible and comprehensive.

 

Hello

Does anyone know how to make the computer connect to the wireless connection on the alt crtl del?

i mean it connect to network but after the profile is loaded....

If this happen then is not athenticating via the enforce machine atuthentication...  i think this is the issue im having..

On your radius server, you at least need to have a rule that allows users from the Active Directory group "Domain Computers" to authenticate successfully.  Check the logs on your radius server to see if logins are being rejected.

 

I know that collin but instead of having ALL the domian computers i got a group a computer group  which got my testing computer in that group

Isnt that enough?

 

On the NAP network policy i got on the conditions i got this

A group that contains all the users allowed to the wireless connection

A group that contains the computers allowed to the network

 

well that instead of having all the domain user groups or all computer groups

 

Isnt that okay?

The remote access policy requires that the authenticating user pass ALL of the rules before matching.  You only want "Domain Computers" or "Domain Users" in a single rule.

 

Thanks man!

Thats what  was the part i was doing wrong!!

Thanks again! now i can add this to my NPS deployments for the clients here :)

I saw on the logs that it first authenticate the machine and THEN it authenticate the user... and give the role with the filter id...:)

 

Just a question collin

I was doing some last test and i removed my PC from the cp group i got with my network policy on my nps server

I though it woundt connect and wouldnt connect with the derived role like you said(as you said that it need to authenticate BOTH if i wanted the derived role to work...

 

I removed my computer from the group and i still got access and it still sending the engineering filter id value... like if it were dong nothing...

i see on the logs ont he nps that its not granting access trhough that policy as it says access denied but then in the second network policy which is a user network policy  i mean i got my user there and it grant the network access but i mean im doing machine enformcement... that should not work that way or im wrong?

i am missing something?

By default, if you have enforce machine authentication enabled in the 802.1x profile, it will cache the Mac addresses of the devices that have passed for 24 hours. To remove that, you can delete the machines entry in the local database on the controller.

Do i have to delete something else?

its keep authenticating and giving me the derived role

I got 2 network policies

1-Got the machine group

2-Got the user group

 

My machine is not anymore on the machine group which is my first network policy

 

i deleted the entry on the internal database already.

 

On the machine i do log off

i see on the wireless controller after logging off this:

host/CHP.domain.local  on monitoring client  on therole i got logon role.

 

Which is okay

 

Now i log in  again and now i see this on the wirless controller

DOMAIN\cdelarosa  on role i got the derived role

 

On the logs on the server i got this:

1- i see the NPS denying access  to the first network policy which has the pc group 

2-Then isee NPS granting access to the second network policy which is hte second network policy in which i got my user group and the filter-id

 

IS there anything im missing Collin?

 

 

 

Disable wireless card

Delete Entry in local database

Disconnect the computer from the user table.

 

Enable wireless card and try again.

 

 

Well collin before looking at your post i send the wireless controller to reboot...

As i though it was something in the wireless controller and not on the client or in the nps...

 

Anyways now im not getting the derivated role.. so i guess its working...

im getting the Machine Authentication: Default user Role

I guess thats what it should happen....

 

Now let me understand this and just confirm me if im correct and iwll stop bothering you with this :)

 

1-As the initial role on the profile is set to logon thats the initial role

2-If the machine is NOT authenticated it will get the Machine Authentication: Default User Role right? Well if i connect with my user that has access which belongs to the second network policy.  if thats true i could put this role maybe on deny all role so it wont have access anywhere i mean if the machine is not authenticated then you will get a deny all role even if you got your user that got access!! so this way you NEED to have your machine on the group otherwise you wont connect.

 

 

3-If you are successful authenticating the machine it will then authenticate also with the user and will change the deny all to role im sending witht the derived role?

 

 

Im now testing remotely with my laptop on the office im connecting through the cable...

And this what happened

 

I added again my computer to the ones that got permission

i log off

log on then i saw it had a deny all as he authenticated with the machine correctly then i had to disconnect and reconnect againso it could get the derived role im sending with the user....

I would like to do it automatically but i don tknow if its affecting the fact im accesing it remotely somehow....

 

I dont know if its a better aproch for this what i would like to have is that if your machine is not in the group, even if your user is on the group you wont be able to connect...  or at least not having access anywhere...  Im on the correct track with what im doing or there is another way to do it properly?

1.  The Initial Role does not apply in 802.1x.  If Enforce Machine Authentication was NOT on, the computer would get the default 802.1x role.

2.  If the Machine has NOT machine-authenticated (ctrl-alt-delete) in the past 24 hours, a user who logs into that device will get the machine authentication-Default user role.  If a machine HAS machine-authenticated, an entry is created in the local user database with a 24 hour expiry.  Whenever a user authentication takes place on a device, the controller checks the local database to see if the mac address of a device that has machine authenticated matches that device; if it does, it will change the authentication to just 802.1x (machine AND user) and the controller will be able to run derivation rules, since it has passed both forms of authentication.

 

3.  Yes, if machine and user has authenticated, it will allow you to make decisions based on a attribute that is sent.

 

When you log off, make sure that the username on the controller changes to host/<machine> so that you know that machine authentication has taken place.

 

There is no way to always when a user log on he get machine authenticated for the wireless controller?

i mean if i already did machine authentication on the wireless controller on the morning and the the admin remove me like at 10 am

Iill be able to log on again because my mac address is still on the local database even if the nps tells my wireless controller that he has no access? that decition should not always come from the NPS? rather than a cache on the wireless controller? i mean if i remove that person i have to delete him from the wireless controller database... shouldnt be like the user authentication? in which it totally depends onthe nps for this decition?rather than yes depending in the first try  and then caching it and letting have access to the network, imean i can but i have to manually do it...

I ask you this because im SURE this client will ask me why it works like that...

---

@NightShade1 wrote:

There is no way to always when a user log on he get machine authenticated for the wireless controller?

i mean if i already did machine authentication on the wireless controller on the morning and the the admin remove me like at 10 am

Iill be able to log on again because my mac address is still on the local database even if the nps tells my wireless controller that he has no access? that decition should not always come from the NPS? rather than a cache on the wireless controller? i mean if i remove that person i have to delete him from the wireless controller database... shouldnt be like the user authentication? in which it totally depends onthe nps for this decition?rather than yes depending in the first try  and then caching it and letting have access to the network, imean i can but i have to manually do it...

I ask you this because im SURE this client will ask me why it works like that...

---

If a user does not pass authentication, there is no connection, period, regardless if your machine authenticated successfully.

 

Disable that user you are trying to login with and see what happens.

 

Enforce Machine authentiction exists to keep track of devices that have already machine authenticated and give them a different role if they pass user authentication on top of that.  The device STILL has to successfully pass user authentication for it to get a connection.

 

 

Okay thanks Collin

ill keep doing more testing and labs

 

Cheers