MVP
Posts: 2,923
Registered: ‎10-25-2011

enforce machine authentication question

Okay, I've got the following scenario in a lab I'm doing:

 

I've got a RADIUS authentication server, my AD, and my wireless controller.

 

Okay, on my RADIUS authentication server I've got these conditions on the network policies:

 

Network policy 1: if it belongs to the Engineering group, you are granted network access, and then I also send a Filter-Id with the name of the role.

Network policy 2: if it belongs to the Sales group, you are granted network access, and then I also send a Filter-Id with the name of the role.

 

Okay, that works awesome!

 

Now let's say I would also like to enforce machine authentication on the first network policy, so let's say I would like to do this:

 

If the user belongs to the Engineering users group AND the machine belongs to the Engineering machines group, you grant access to the network and then also send a Filter-Id with the name of the role.

 

Is that possible? To do both authentications, user and also machine authentication? (I know I have to check the Enforce Machine Authentication box on the wireless controller.) Well, is that possible?

I mean, I read that groups are considered as an OR statement, which makes me think that it will look first for the Engineering user group and will not look for the machine Engineering group?

 

 

Well, I first tried to configure it with no success.... I'm getting the Enforce Machine Authentication default group... it is not sending the Filter-Id....

 

But then I started reading and read about the OR statement, which makes me think that maybe what I was trying to achieve is not possible....

 

Can anyone enlighten me on this?

 

Thank you in advance

 

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Guru Elite
Posts: 20,572
Registered: ‎03-29-2007

Re: enforce machine authentication question

You can only use role derivation after a device has passed both user and machine authentication when you have Enforce Machine Authentication enabled.

 

 

ClearPass Policy Manager (CPPM) provides the ability to be much more flexible with these types of rules.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

MVP
Posts: 2,923
Registered: ‎10-25-2011

Re: enforce machine authentication question

Yeah, it's okay that way.

But there must be something I'm doing wrong, because the machine authentication is not working...

 

The user authentication works alone...

But when I add Enforce Machine Authentication on the Aruba controller and I add the group which has my machine to the network policy, it doesn't work...

Is there something I have configured incorrectly?

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Guru Elite
Posts: 20,572
Registered: ‎03-29-2007

Re: enforce machine authentication question

Has your device already machine authenticated (host/machine name)? It would only do this at the Ctrl-Alt-Delete screen or if you have your supplicant programmed to authenticate only with computer credentials.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

MVP
Posts: 2,923
Registered: ‎10-25-2011

Re: enforce machine authentication question

I just tried disconnecting it and connecting it... I didn't try to log off and log on...

 

In my wireless connection properties, on the 802.1X option, I used to have just user authentication; I changed it to authenticate with computer or user (there is no option to select that it has to authenticate with the user AND the computer).

 

So I guess I just need to log off or restart my computer so it can authenticate the machine, right? I was just trying disconnecting from the network and connecting it.

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Guru Elite
Posts: 20,572
Registered: ‎03-29-2007

Re: enforce machine authentication question


NightShade1 wrote:

I just tried disconnecting it and connecting it... I didn't try to log off and log on...

 

In my wireless connection properties, on the 802.1X option, I used to have just user authentication; I changed it to authenticate with computer or user (there is no option to select that it has to authenticate with the user AND the computer).

 

So I guess I just need to log off or restart my computer so it can authenticate the machine, right? I was just trying disconnecting from the network and connecting it.


"User and computer" means authenticate as the computer at the Ctrl-Alt-Delete screen and as the user when someone is logged in. You need to log off, wait about a minute, and look at the user table on the controller to see if the username changes to host/computername. When that happens, the controller has recorded the device as machine authenticated (802.1x-machine). If you log in successfully, it will mark it as just 802.1x, which means computer AND user authenticated. At that time, it will then be able to run derivation rules when that user logs in.

 

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

MVP
Posts: 2,923
Registered: ‎10-25-2011

Re: enforce machine authentication question

Thank you very much for the explanation, Colin.

 

I'll test tomorrow, as I've got the lab at the office.

 

Thanks again!

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Moderator
Posts: 893
Registered: ‎07-29-2010

Re: enforce machine authentication question

Hello

 

I've been trying to do this machine+user authentication with an NPS radius and couldn't find the way to do it. Which kind of RADIUS are you using? Or, if using NPS, could you please give me a hint?

 

Thanks

 

 

Samuel Pérez
ACMP, ACCP, ACDX#100

---

If I answered your question, please click on "Accept as Solution".
If you find this post useful, give me kudos for it ;)
Guru Elite
Posts: 20,572
Registered: ‎03-29-2007

Re: enforce machine authentication question


samuel.perez wrote:

Hello

 

I've been trying to do this machine+user authentication with an NPS radius and couldn't find the way to do it. Which kind of RADIUS are you using? Or, if using NPS, could you please give me a hint?

 

Thanks

 

 


Samuel.Perez,

 

If you only want to ensure that a device has passed BOTH machine and user authentication, using Enforce Machine Authentication in the controller will work with any RADIUS server. Turning it on gives a device different roles if (1) only machine authentication is passed, (2) only user authentication is passed, or (3) machine AND user authentication are passed. The main drawback with Enforce Machine Authentication is that you can only do role derivation beyond that if both machine and user authentication are passed.

 

For example: if you want users to authenticate with a smartphone but give them a different role based on a group in Active Directory with Enforce Machine Authentication on, you cannot, because you are limited to scenario 2, which does not allow you to derive a role beyond the Machine Authentication User Role. If you also wanted to give a user a different role based on the operating system, you could not combine different things, like whether the device is machine authenticated, in the logic for your rule.

 

If you use ClearPass Policy Manager (CPPM) as your RADIUS server, it caches machine authentication state AND does operating system profiling, so that you can send back roles based on a much more comprehensive set of logic. You can even point to a SQL server with your company-owned devices and use that data as logic during authentication to determine whether to give a device a different role. You would turn off Enforce Machine Authentication and allow CPPM to do all of your checking for you, because it is more flexible and comprehensive.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
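As an added illustration (not Aruba's code and not something posted in this thread), here is a small Python model of the decision Colin describes: with Enforce Machine Authentication on, the controller remembers which MACs have completed a host/ authentication and only applies the RADIUS Filter-Id once both machine and user authentication have passed; otherwise the device lands in one of the two default roles and no derivation happens, which is what the original poster saw after a plain disconnect/reconnect. The role names, the cache structure and the sample MAC and usernames are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Role names are assumptions for this illustration; on a real controller they
# are whatever roles are configured for the three Enforce Machine
# Authentication outcomes in the AAA profile.
MACHINE_AUTH_DEFAULT_ROLE = "machine-auth-default"  # (1) only machine auth passed
USER_AUTH_DEFAULT_ROLE = "user-auth-default"        # (2) only user auth passed
DEFAULT_8021X_ROLE = "authenticated"                # (3) both passed, no Filter-Id


@dataclass
class RadiusResult:
    """What the RADIUS server (NPS in the thread) returned for one request."""
    accepted: bool
    filter_id: Optional[str] = None  # role name sent back, as in the OP's policies


@dataclass
class Controller:
    enforce_machine_auth: bool = True
    # MACs that have completed a host/<name> authentication (assumed cache shape).
    machine_authed: Set[str] = field(default_factory=set)
    # user table entry: mac -> (username, auth type shown, role)
    user_table: Dict[str, Tuple[str, str, str]] = field(default_factory=dict)

    def on_auth(self, mac: str, username: str, result: RadiusResult) -> Optional[str]:
        """Return the role the device lands in after this 802.1X exchange."""
        if not result.accepted:
            self.user_table.pop(mac, None)
            return None

        is_machine = username.lower().startswith("host/")

        if not self.enforce_machine_auth:
            # No cache check at all: the Filter-Id (or the default) applies directly.
            role = result.filter_id or DEFAULT_8021X_ROLE
            self.user_table[mac] = (username, "802.1x", role)
            return role

        if is_machine:
            # Machine credentials seen (Ctrl-Alt-Delete screen): remember the MAC
            # and park the device in the machine-auth role. Filter-Id is ignored.
            self.machine_authed.add(mac)
            self.user_table[mac] = (username, "802.1x-machine", MACHINE_AUTH_DEFAULT_ROLE)
            return MACHINE_AUTH_DEFAULT_ROLE

        if mac not in self.machine_authed:
            # User credentials only, no prior machine auth for this MAC: scenario (2).
            # No role derivation happens, which is what the OP observed. The auth
            # type string shown here is an assumption.
            self.user_table[mac] = (username, "802.1x", USER_AUTH_DEFAULT_ROLE)
            return USER_AUTH_DEFAULT_ROLE

        # Scenario (3): both machine and user auth passed, derivation rules run.
        role = result.filter_id or DEFAULT_8021X_ROLE
        self.user_table[mac] = (username, "802.1x", role)
        return role


def op_sequence() -> List[Optional[str]]:
    """Replay the OP's lab: reconnect as user only, then log off (host/ auth),
    then log in as the user again. All values are constructed samples."""
    ctl = Controller()
    mac = "00:11:22:33:44:55"
    eng = RadiusResult(True, filter_id="engineering")
    return [
        ctl.on_auth(mac, "jdoe", eng),                         # disconnect/reconnect
        ctl.on_auth(mac, "host/LAB-PC1", RadiusResult(True)),  # after log off
        ctl.on_auth(mac, "jdoe", eng),                         # log in again
    ]


if __name__ == "__main__":
    print(op_sequence())  # ['user-auth-default', 'machine-auth-default', 'engineering']
```

The first call returns the user-auth default role even though NPS sent Filter-Id "engineering", because the controller has no machine-auth record for that MAC yet; only after the host/ authentication and a fresh user login does the Filter-Id take effect.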

MVP
Posts: 2,923
Registered: ‎10-25-2011

Re: enforce machine authentication question

Hello

Does anyone know how to make the computer connect to the wireless connection at the Ctrl-Alt-Del screen?

I mean, it connects to the network, but after the profile is loaded....

If this happens, then it is not authenticating via Enforce Machine Authentication... I think this is the issue I'm having..

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp