Super Contributor I
Posts: 293
Registered: 02-07-2013

host/fqdn authentication

Hi,

Having a senior moment here.

I'm setting up an authentication service for our managed windows machines using user and machine auth.

When a user enters their username into the login dialogue box, ClearPass authenticates user <AD domain>/<userid> with whatever password against AD and things work. If no one is logged into the machine (or the user logs out), an auth request comes in with the User-Name set to <host/fqdn of machine>, as shown below in the table of RADIUS attributes. I've set up "normal" MAC auths before against static host lists without a problem. In this case I've:

  • Created a service that uses the username, NAS-Port-Type and Service-Type as the selection criteria (Service-Type is 802.1x). Should it be something else, like a RADIUS auth?
  • Used the authentication method of all-mac-auths
  • Set up a static host list created with the MAC addresses of "managed" devices
  • Used an authentication source of the static MAC address list
  • Performed a check so I create a role called machineauth
  • Generated an enforcement policy that uses an appropriate profile to drop the machine into a VLAN based upon the fact that a role of machineauth exists.

What I get, however, is an alert saying:

Managed Devices: Client not found or not a MAC authentication request
MAC_AUTH: No password in request. Not attempting MAC authentication
Cannot select appropriate authentication method

All I want to do is say:

"If I know the MAC address of a device, and it's a Windows device, and the username is of the form host/<something>.its.york.ac.uk, drop it into a named VLAN called dps_maint."

I'm guessing the error is there because the username isn't a MAC address, so it isn't actually doing MAC auth, so the auth method isn't correct ... but what do I set it to? BTW, the VLAN the device ends up in is nailed down and can only access a restricted set of local services.

Rgds

Alex

Username: host/DPSLAP004.its.york.ac.uk
End-Host Identifier: 68-f7-28-07-70-49 (Computer / Windows / Windows Vista/7/2008)
Access Device IP/Port: 144.32.227.99:1 (xb1sw7 / HP)

Radius:HP:HP-Capability-Advert = 0x011a0000000b28
Radius:HP:HP-Capability-Advert = 0x011a0000000b2e
Radius:HP:HP-Capability-Advert = 0x011a0000000b30
Radius:HP:HP-Capability-Advert = 0x011a0000000b3d
Radius:HP:HP-Capability-Advert = 0x0138
Radius:HP:HP-Capability-Advert = 0x013a
Radius:HP:HP-Capability-Advert = 0x0140
Radius:HP:HP-Capability-Advert = 0x0141
Radius:HP:HP-Capability-Advert = 0x0151
Radius:IETF:Called-Station-Id = ec-9a-74-19-12-40
Radius:IETF:Calling-Station-Id = 68-f7-28-07-70-49
Radius:IETF:Connect-Info = CONNECT Ethernet 100Mbps Full duplex
Radius:IETF:Framed-MTU = 1480
Radius:IETF:Framed-Protocol = 1
Radius:IETF:NAS-Identifier = xb1sw7
Radius:IETF:NAS-IP-Address = 144.32.227.99
Radius:IETF:NAS-Port = 1
Radius:IETF:NAS-Port-Id = 1
Radius:IETF:NAS-Port-Type = 15
Radius:IETF:Service-Type = 2
Radius:IETF:Tunnel-Medium-Type = 6
Radius:IETF:Tunnel-Private-Group-Id = 4003
Radius:IETF:Tunnel-Type = 13
Radius:IETF:User-Name = host/DPSLAP004.its.york.ac.uk
Radius:Microsoft:MS-RAS-Vendor = 11

Guru Elite
Posts: 20,820
Registered: 03-29-2007

Re: host/fqdn authen


So you are configuring machine authentication.

Where does MAC authentication play a part here? If a device has machine authenticated, do you also want to check the static host list against a MAC address to determine that it is managed?



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Super Contributor I
Posts: 293
Registered: 02-07-2013

Re: host/fqdn authen

Hi, yup, doing machine auth for a Windows device.

The static list of MAC addresses identifies the device as one of our managed devices; the User-Name identifies it as a Windows box without a user logged on.

Guess it isn't MAC auth as the Access-Request packet doesn't have the User-Name as a MAC address ... but what do I set the auth type to in this case? I can't leave it blank.

A

Guru Elite
Posts: 20,820
Registered: 03-29-2007

Re: host/fqdn authen

So, if you are combining checking the MAC address of devices against a static host list with doing 802.1x for the username and password, you do not need to create a MAC authentication service. You can just do the regular 802.1x service and then build a role/enforcement mapping that states "Connection Client-Mac-Address Belongs_to_group <static host list name>".



Colin Joseph
Aruba Customer Engineering


Super Contributor I
Posts: 293
Registered: 02-07-2013

Re: host/fqdn authen

Nope, the point is that when the user logs out of Windows, the machine tries to "log in" with a username of the string "host/<fqdn of machine>", as shown in the Access-Request packet I posted earlier. There is no 802.1x at this point; there isn't a set of real user credentials to use. In this case the machine FQDN is dpslap004.its.york.ac.uk, so I've got an Access-Request User-Name attribute of "host/dpslap004.its.york.ac.uk" and the MAC address of the device is in a static host list. What I need to do is say:

if User-Name is host/dpslap004.its.york.ac.uk and "static host list" contains the MAC address of the machine, then send an Access-Accept packet that will place the device in a named VLAN called dps_maint, as per the following attributes:

1. Radius:IETF:Tunnel-Private-Group-Id = dps_maint
2. Radius:IETF:Tunnel-Type = VLAN (13)
3. Radius:IETF:Tunnel-Medium-Type = IEEE-802 (6)
4. Radius:IETF:Acct-Interim-Interval = 1800
5. Radius:IETF:Session-Timeout = 28800
6. Radius:IETF:Termination-Action = RADIUS-Request (1)
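
The post above states the whole policy in words: a User-Name of the form host/<fqdn>, a Calling-Station-Id that appears in the managed-device static host list, an Ethernet port, and an Access-Accept carrying the six VLAN attributes listed. As an added worked example (not ClearPass code and not anything posted in this thread), the Python below models that role/enforcement mapping on the attributes quoted earlier in the thread and also walks the on/log-on/log-off sequence the thread ends with. The static host list contents, the user VLAN name dps_users, the "Name = value" line format fed to the parser, and every function name are assumptions; the actual credential check against AD (and the Domain Computers membership check suggested later) happens before this mapping and is not modelled.

```python
import re

# Constructed sample input: the Access-Request attributes quoted in the thread,
# written as "Name = value" lines (the forum dump had name and value fused).
SAMPLE_MACHINE_REQUEST = """\
Radius:IETF:Calling-Station-Id = 68-f7-28-07-70-49
Radius:IETF:Called-Station-Id = ec-9a-74-19-12-40
Radius:IETF:NAS-IP-Address = 144.32.227.99
Radius:IETF:NAS-Port-Type = 15
Radius:IETF:Service-Type = 2
Radius:IETF:User-Name = host/DPSLAP004.its.york.ac.uk
"""

# Constructed stand-in for the "managed devices" static host list.
MANAGED_MACS = {"68:f7:28:07:70:49"}

MAINT_VLAN = "dps_maint"          # named in the thread
USER_VLAN = "dps_users"           # assumed name for the logged-on-user VLAN
ETHERNET_NAS_PORT_TYPE = "15"     # RFC 2865 NAS-Port-Type 15 = Ethernet

# host/<machinename>.its.york.ac.uk  -> machine auth (nobody logged on)
HOST_RE = re.compile(r"^host/([a-z0-9-]+)\.its\.york\.ac\.uk$", re.IGNORECASE)
# <AD domain>/<userid> or <AD domain>\<userid>  -> user auth
USER_RE = re.compile(r"^([a-z0-9.-]+)[\\/]([a-z0-9._-]+)$", re.IGNORECASE)


def parse_attributes(dump):
    """Parse 'Name = value' lines into a dict; a repeated name keeps the last value."""
    attrs = {}
    for line in dump.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            attrs[name.strip()] = value.strip()
    return attrs


def normalise_mac(mac):
    """Canonicalise '68-f7-28-07-70-49' or '68f7.2807.7049' to 'aa:bb:cc:dd:ee:ff'."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def classify_username(username):
    """Return ('machine', hostname), ('user', userid) or ('unknown', raw)."""
    m = HOST_RE.match(username)          # checked first: host/... also matches USER_RE
    if m:
        return ("machine", m.group(1).lower())
    m = USER_RE.match(username)
    if m:
        return ("user", m.group(2).lower())
    return ("unknown", username)


def vlan_reply(vlan):
    """The six Access-Accept attributes the thread lists, for the given VLAN name."""
    return {
        "Radius:IETF:Tunnel-Private-Group-Id": vlan,
        "Radius:IETF:Tunnel-Type": "13",          # VLAN
        "Radius:IETF:Tunnel-Medium-Type": "6",    # IEEE-802
        "Radius:IETF:Acct-Interim-Interval": "1800",
        "Radius:IETF:Session-Timeout": "28800",
        "Radius:IETF:Termination-Action": "1",    # RADIUS-Request: re-auth at timeout
    }


def enforce(attrs, managed_macs=MANAGED_MACS):
    """Role/enforcement mapping: reply attributes for an Access-Accept, or None to reject."""
    if attrs.get("Radius:IETF:NAS-Port-Type") != ETHERNET_NAS_PORT_TYPE:
        return None                      # wired service only
    try:
        mac = normalise_mac(attrs.get("Radius:IETF:Calling-Station-Id", ""))
    except ValueError:
        return None                      # no usable client MAC, nothing to match against
    kind, _ident = classify_username(attrs.get("Radius:IETF:User-Name", ""))
    if kind == "machine":
        # "machineauth" role: host/<fqdn> AND MAC in the static host list -> dps_maint
        return vlan_reply(MAINT_VLAN) if mac in managed_macs else None
    if kind == "user":
        # Credentials were already verified against AD before we get here (assumed).
        return vlan_reply(USER_VLAN)
    return None


def session_vlans(requests, managed_macs=MANAGED_MACS):
    """VLAN per request in order, or None where the mapping rejects (power on / log on / log off)."""
    out = []
    for dump in requests:
        reply = enforce(parse_attributes(dump), managed_macs)
        out.append(reply["Radius:IETF:Tunnel-Private-Group-Id"] if reply else None)
    return out


if __name__ == "__main__":
    user_request = SAMPLE_MACHINE_REQUEST.replace(
        "host/DPSLAP004.its.york.ac.uk", "ITS/abc123")
    for vlan in session_vlans([SAMPLE_MACHINE_REQUEST, user_request, SAMPLE_MACHINE_REQUEST]):
        print(vlan)
```

The useful check is the negative one: a host/<fqdn> request whose MAC is not in the managed list gets no VLAN at all rather than falling through to the user VLAN, which is what keeps an unmanaged box that merely claims a domain-looking name out of dps_maint.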

Guru Elite
Posts: 20,820
Registered: 03-29-2007

Re: host/fqdn authen

It is 802.1x machine authentication. The user is host/<machinename> and the password is the SID or security identifier. It comes in as a regular RADIUS request and it is not different from a user doing 802.1x authentication.

If you do a check to see if the incoming user is a member of "Domain Computers" and combine that with role/enforcement mapping that states "Connection Client-Mac-Address Belongs_to_group <static host list name>", you should be able to get what you need.




Colin Joseph
Aruba Customer Engineering


Super Contributor I
Posts: 293
Registered: 02-07-2013

Re: host/fqdn authen

Cool!

OK, might have to do some work to see how to check for the username being a member of Domain Computers, but the rest of it is easy enough.

Thanks

A

Guru Elite
Posts: 8,335
Registered: 09-08-2010

Re: host/fqdn authen

You can use computer groups instead of using the static host list.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Guru Elite
Posts: 20,820
Registered: 03-29-2007

Re: host/fqdn authen

alexsuoy wrote:

Cool!

OK, might have to do some work to see how to check for the username being a member of Domain Computers, but the rest of it is easy enough.

Thanks

A

See the thread here:  http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/clearPass-Assign-authenticated-user-in-AD-with-user-roles-and/m-p/117605/highlight/true#M7801 for how to check the AD user groups of users/devices.



Colin Joseph
Aruba Customer Engineering


Super Contributor I
Posts: 293
Registered: 02-07-2013

Re: host/fqdn authen

OK, sorted.

Switch machine on: machine auth drops it into the maintenance VLAN.

User logs on: moved to the user-auth VLAN.

User logs off: re-auth back into the maintenance VLAN.

Simples!

Many thanks for all the help, both on this thread and others I found.

Rgds

A
