Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

host/fqdn authentication

  • 1.  host/fqdn authentication

    Posted Jul 01, 2015 10:22 AM

    Hi,

    Having a senior moment here.

    I'm setting up an authentication service for our managed Windows machines using user and machine auth.

    When a user enters their username into the login dialogue box, ClearPass authenticates user <AD domain>/<userid> with whatever password against AD and things work. If no one is logged into the machine (or the user logs out), an auth request comes in with the User-Name set to host/<fqdn of machine>, as shown below in the table of RADIUS attributes. I've set up "normal" MAC auths before against static host lists without a problem. In this case I've:

    • Created a service that uses the username, NAS-Port-Type and Service-Type as the selection criteria (service type is 802.1x). Should it be something else ... like a RADIUS auth?
    • Used the authentication method of all MAC auths
    • Set up a static host list created with the MAC address of a "managed" device
    • Used an authentication source of the static MAC address list
    • Performed a check that creates a role called machineauth
    • Generated an enforcement policy that uses an appropriate profile to drop the machine into a VLAN based on the fact that a role of machineauth exists.

    What I get however, is an alert saying

     Managed Devices: Client not found or not a MAC authentication request
    MAC_AUTH: No password in request. Not attempting MAC authentication
    Cannot select appropriate authentication method

    All I want to do is say

    "If I know the MAC address of a device,
    and it's a Windows device,
    and the username is of the form host/<something>.its.york.ac.uk"

    drop it into a named VLAN called dps_maint.


    I'm guessing the error is there because the username isn't a MAC address, so it isn't actually doing MAC auth and the auth method isn't correct ... but what do I set it to? BTW, the VLAN the device ends up in is nailed down and can only access a restricted set of local services.

     

    Rgds

    Alex


    Username: host/DPSLAP004.its.york.ac.uk
    End-Host Identifier: 68-f7-28-07-70-49 (Computer / Windows / Windows Vista/7/2008)
    Access Device IP/Port: 144.32.227.99:1 (xb1sw7 / HP)

    Radius:HP:HP-Capability-Advert = 0x011a0000000b28
    Radius:HP:HP-Capability-Advert = 0x011a0000000b2e
    Radius:HP:HP-Capability-Advert = 0x011a0000000b30
    Radius:HP:HP-Capability-Advert = 0x011a0000000b3d
    Radius:HP:HP-Capability-Advert = 0x0138
    Radius:HP:HP-Capability-Advert = 0x013a
    Radius:HP:HP-Capability-Advert = 0x0140
    Radius:HP:HP-Capability-Advert = 0x0141
    Radius:HP:HP-Capability-Advert = 0x0151
    Radius:IETF:Called-Station-Id = ec-9a-74-19-12-40
    Radius:IETF:Calling-Station-Id = 68-f7-28-07-70-49
    Radius:IETF:Connect-Info = CONNECT Ethernet 100Mbps Full duplex
    Radius:IETF:Framed-MTU = 1480
    Radius:IETF:Framed-Protocol = 1
    Radius:IETF:NAS-Identifier = xb1sw7
    Radius:IETF:NAS-IP-Address = 144.32.227.99
    Radius:IETF:NAS-Port = 1
    Radius:IETF:NAS-Port-Id = 1
    Radius:IETF:NAS-Port-Type = 15
    Radius:IETF:Service-Type = 2
    Radius:IETF:Tunnel-Medium-Type = 6
    Radius:IETF:Tunnel-Private-Group-Id = 4003
    Radius:IETF:Tunnel-Type = 13
    Radius:IETF:User-Name = host/DPSLAP004.its.york.ac.uk
    Radius:Microsoft:MS-RAS-Vendor = 11



  • 2.  RE: host/fqdn authentication

    EMPLOYEE
    Posted Jul 01, 2015 10:25 AM

    So you are configuring machine authentication.

    Where does Mac authentication play a part here?  If a device has machine authenticated, you also want to check the static host list against a mac address to determine that it is managed?



  • 3.  RE: host/fqdn authentication

    Posted Jul 01, 2015 10:48 AM

    Hi, yup, doing machine auth for a Windows device.

    The static list of MAC addresses identifies the device as one of our managed devices; the User-Name identifies it as a Windows box without a user logged on.

    Guess it isn't MAC auth as the Access-Request packet doesn't have the User-Name as a MAC address ... but what do I set the auth type to in this case? I can't leave it blank.

    A



  • 4.  RE: host/fqdn authentication

    EMPLOYEE
    Posted Jul 01, 2015 10:53 AM

    So, if you are combining checking the MAC address of devices against a static host list along with doing 802.1x for the username and password, you do not need to create a MAC authentication service. You can just do the regular 802.1x service and then build a role/enforcement mapping that states "Connection Client-Mac-Address Belongs_to_group <static host list name>".



  • 5.  RE: host/fqdn authentication

    Posted Jul 01, 2015 11:17 AM

    Nope, the point is that when the user logs out of Windows, the machine tries to "log in" with a username of the string "host/<fqdn of machine>", as shown in the Access-Request packet I posted earlier. There is no 802.1x at this point; there isn't a set of real user credentials to use. In this case the machine FQDN is dpslap004.its.york.ac.uk, so I've got an Access-Request User-Name attribute of "host/dpslap004.its.york.ac.uk", and the MAC address of the device is in a static host list. What I need to do is say:

    if User-Name is host/dpslap004.its.york.ac.uk and the "static host list" contains the MAC address of the machine, then send an Access-Accept packet that will place the device in a named VLAN called dps_maint, as per the following attributes:

    1. Radius:IETF:Tunnel-Private-Group-Id = dps_maint
    2. Radius:IETF:Tunnel-Type = VLAN (13)
    3. Radius:IETF:Tunnel-Medium-Type = IEEE-802 (6)
    4. Radius:IETF:Acct-Interim-Interval = 1800
    5. Radius:IETF:Session-Timeout = 28800
    6. Radius:IETF:Termination-Action = RADIUS-Request (1)




  • 6.  RE: host/fqdn authentication

    EMPLOYEE
    Posted Jul 01, 2015 11:23 AM

    It is 802.1x machine authentication. The user is host/<machinename> and the password is the SID or security identifier. It comes in as a regular RADIUS request and it is no different from a user doing 802.1x authentication.


    If you do a check to see if the incoming user is a member of "Domain Computers" and combine that with role/enforcement mapping that states "Connection Client-Mac-Address Belongs_to_group <static host list name>", you should be able to get what you need.

     



  • 7.  RE: host/fqdn authentication

    Posted Jul 01, 2015 11:31 AM

    Cool!

    OK, might have to do some work to see how to check for the username being a member of Domain Computers, but the rest of it is easy enough.


    Thanks

    A



  • 8.  RE: host/fqdn authentication

    EMPLOYEE
    Posted Jul 01, 2015 11:32 AM

    You can use computer groups instead of using the static host list.



  • 9.  RE: host/fqdn authentication

    EMPLOYEE
    Posted Jul 01, 2015 11:39 AM

    @alexsuoy wrote:

    Cool!

    OK, might have to do some work to see how to check for the username being a member of Domain Computers, but the rest of it is easy enough.


    Thanks

    A


    See the thread here:  http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/clearPass-Assign-authenticated-user-in-AD-with-user-roles-and/m-p/117605/highlight/true#M7801 for how to check the AD user groups of users/devices.



  • 10.  RE: host/fqdn authentication
    Best Answer

    Posted Jul 02, 2015 08:56 AM

    OK, sorted.

    Switch machine on: machine auth drops it into the maintenance VLAN.

    User logs on: moved to the user-auth VLAN.

    User logs off: re-auth back into the maintenance VLAN.

    Simples!

    Many thanks for all the help, both on this thread and others I found.

    Rgds

    A
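
Added example (not part of the thread, not ClearPass code, not the poster's configuration): a stand-alone Python model of the rule from reply 6 combined with the attributes from reply 5, run through the power-on / log-on / log-off sequence reported in reply 10. A machine-auth request is recognised by its User-Name host/<fqdn>, the computer account is checked for membership of Domain Computers, Client-Mac-Address is checked against the "Managed Devices" static host list, and the VLAN attributes are returned. The AD group data, the user-auth VLAN name dps_users, the second computer BUILD-TEST01 and the sample requests are constructed stand-ins; EAP/password validation is assumed to have already succeeded before the policy runs. The MAC normalisation step is there because Calling-Station-Id formatting varies between switch vendors, and a static host list compare that ignores that will silently miss managed devices.

```python
"""Added, stand-alone model of the enforcement discussed in this thread; not ClearPass code.
Recognises machine auth by User-Name 'host/<fqdn>', checks the computer account against AD
'Domain Computers', checks Calling-Station-Id against the static host list, returns reply 5's
VLAN attributes. EAP/password validation is assumed to have succeeded upstream (not modelled)."""
import re

# Constructed stand-in for the AD authentication source (assumption, not real directory data).
AD_COMPUTER_GROUPS = {"DPSLAP004": {"Domain Computers"}, "BUILD-TEST01": {"Domain Computers"}}
AD_USER_GROUPS = {"its\\alex": {"Domain Users"}}
MANAGED_DEVICES = {"68-f7-28-07-70-49"}   # static host list "Managed Devices", as stored in ClearPass
AD_DOMAIN = "its.york.ac.uk"
MAINT_VLAN = "dps_maint"
USER_VLAN = "dps_users"                   # hypothetical name for the user-auth VLAN


def normalize_mac(mac):
    """Canonicalise to lower-case 'aa-bb-cc-dd-ee-ff'. Switches send Calling-Station-Id as
    AA-BB-.., aa:bb:.., aabb.ccdd.eeff or AABBCCDDEEFF; the host list lookup must not fail on that."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_request(dump):
    """Parse 'Attribute = value' lines (the layout of the dumps in this thread) into a dict."""
    attrs = {}
    for line in dump.strip().splitlines():
        key, sep, value = line.partition("=")
        if sep:
            attrs[key.strip()] = value.strip()
    return attrs


def machine_from_username(username):
    """'host/DPSLAP004.its.york.ac.uk' -> ('DPSLAP004', 'its.york.ac.uk'); None if not machine auth."""
    if not username.lower().startswith("host/"):
        return None
    short, sep, domain = username[len("host/"):].partition(".")
    return (short.upper(), domain.lower()) if short and sep else None


def vlan_enforcement(vlan):
    """Enforcement profile: the attributes listed in reply 5, with the VLAN name filled in."""
    return {
        "Radius:IETF:Tunnel-Private-Group-Id": vlan,
        "Radius:IETF:Tunnel-Type": 13,            # VLAN
        "Radius:IETF:Tunnel-Medium-Type": 6,      # IEEE-802
        "Radius:IETF:Acct-Interim-Interval": 1800,
        "Radius:IETF:Session-Timeout": 28800,
        "Radius:IETF:Termination-Action": 1,      # RADIUS-Request: re-authenticate at timeout
    }


def evaluate(attrs):
    """Role mapping plus enforcement for one Access-Request: (roles, decision, reply attributes)."""
    roles = set()
    username = attrs.get("Radius:IETF:User-Name", "")
    mac = normalize_mac(attrs["Radius:IETF:Calling-Station-Id"])

    # Role mapping: Connection:Client-Mac-Address BELONGS_TO_GROUP "Managed Devices".
    if mac in {normalize_mac(m) for m in MANAGED_DEVICES}:
        roles.add("managed_device")
    machine = machine_from_username(username)
    if machine:   # role mapping: computer account is a member of Domain Computers in our domain
        short, domain = machine
        if domain == AD_DOMAIN and "Domain Computers" in AD_COMPUTER_GROUPS.get(short, set()):
            roles.add("machineauth")
    elif "Domain Users" in AD_USER_GROUPS.get(username.lower(), set()):
        roles.add("userauth")

    # Enforcement policy, first match wins. Rejecting domain PCs not in the managed list is this
    # model's choice; the thread does not say what those should get.
    if {"machineauth", "managed_device"} <= roles:
        return roles, "Access-Accept", vlan_enforcement(MAINT_VLAN)
    if "userauth" in roles:
        return roles, "Access-Accept", vlan_enforcement(USER_VLAN)
    return roles, "Access-Reject", {}


# Constructed sample requests (abbreviated from the attribute dump in post 1).
MACHINE_AUTH = """
Radius:IETF:User-Name = host/DPSLAP004.its.york.ac.uk
Radius:IETF:Calling-Station-Id = 68-f7-28-07-70-49
"""
USER_AUTH = """
Radius:IETF:User-Name = its\\alex
Radius:IETF:Calling-Station-Id = 68:F7:28:07:70:49
"""
UNMANAGED_MACHINE = """
Radius:IETF:User-Name = host/BUILD-TEST01.its.york.ac.uk
Radius:IETF:Calling-Station-Id = 00-11-22-33-44-55
"""

if __name__ == "__main__":
    for step, dump in [("power on", MACHINE_AUTH), ("user logs on", USER_AUTH),
                       ("user logs off", MACHINE_AUTH), ("unmanaged PC", UNMANAGED_MACHINE)]:
        roles, decision, reply = evaluate(parse_request(dump))
        print(step, sorted(roles), decision, reply.get("Radius:IETF:Tunnel-Private-Group-Id"))
```

Running it prints, for each step, the roles that matched, the decision and the VLAN: dps_maint at power on, dps_users once a user has logged on, dps_maint again after log-off, and a reject for the domain PC whose MAC is not in the list. The reason reply 6's approach works where the original MAC-auth service did not is visible in evaluate(): the host/ name is only a selector, and it is the AD credential check (stood in for here by the Domain Computers lookup) that authenticates the machine. The static host list adds a MAC match on top, and since a MAC is trivially spoofable that is the weaker of the two conditions; reply 8's suggestion to use AD computer groups instead of the static list removes that dependency altogether.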