Wireless Access

Contributor II
Posts: 45
Registered: ‎12-11-2012

Can someone explain what "enforce machine authentication" is for on the 802.1x AAA profile?

As the title says I wondered if someone could explain what "enforce machine authentication" is used for?

 

Cheers

 

Dave

Guru Elite
Posts: 8,638
Registered: ‎09-08-2010

Re: Can someone explain what "enforce machine authentication" is for on the 802.1x AAA profile?

Enforce Machine Authentication is used in many environments as a way to verify corporate owned Windows machines.

 

A valid Active Directory computer/machine account is required to gain access to the network.

 

So for example, if you only wanted to permit Active Directory-joined Windows devices on a particular SSID, you could use the Enforce Machine Authentication option.

 

Here is a chart that shows the different combinations of machine and user authentication and their results.

 

[Attachment: machine-auth-chart.PNG]


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II
Posts: 45
Registered: ‎12-11-2012

Re: Can someone explain what "enforce machine authentication" is for on the 802.1x AAA profile?

OK, for information I did a test, machine auth not enforced.

 

Domain machine connecting to the 802.1x wireless network: it authenticated by machine, but only says 802.1x as the auth type.

 

Non-domain machine connecting to the 802.1x network: it prompted for user auth, and again shows 802.1x as the auth type.

 

Then I enabled machine auth on the AAA profile.

 

Domain machine connecting to the 802.1x wireless network: it authenticated by machine, but now says 802.1x-machine as the auth type.

 

Non-domain machine connecting to the 802.1x network: it prompted for user auth, and now shows 802.1x-user as the auth type.

 

 

OK, so that looks fine, but how would you, for instance, have it so the machine connects via machine auth, then you get the Windows GINA and the user logs in, and the connection flips over to user auth so individual RADIUS attributes can be used to assign a particular role?

 

Cheers

 

Dave

 

Guru Elite
Posts: 8,638
Registered: ‎09-08-2010

Re: Can someone explain what "enforce machine authentication" is for on the 802.1x AAA profile?

When the machine boots, it will machine auth at the login screen. Once a user logs in, the device will reauthenticate with the user's credentials.

 

Are you using ClearPass? There are built-in "automagic" roles that can handle machine vs user authentication for policy decisions.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II
Posts: 45
Registered: ‎12-11-2012

Re: Can someone explain what "enforce machine authentication" is for on the 802.1x AAA profile?

Thanks for the info so far.

 

What you describe does not happen; no reauth happens when the user logs in. Do I have to set single sign-on on the actual wireless profile on the client machine?

 

Dave

 

MVP
Posts: 1,111
Registered: ‎10-11-2011

Re: Can someone explain what "enforce machine authentication" is for on the 802.1x AAA profile?

You'll need to set the authentication mode on the client to "User or computer authentication". This tells Windows to perform machine authentication at the login screen and user authentication once the user logs in.

 

To do this, go to the properties of the SSID in Windows (Win 7 in my example).

Click on the Security tab.

Click the Advanced settings button.

In the 802.1X settings tab, click "Specify authentication mode".

Select "User or computer authentication" from the drop-down.

Guru Elite
Posts: 8,638
Registered: ‎09-08-2010

Re: Can someone explain what "enforce machine authentication" is for on the 802.1x AAA profile?

That is usually enabled OOTB on Windows XP and higher unless you are setting a different policy via a GPO.

 

The SSO feature in the supplicant is an alternative if you do not want to use machine auth. It passes the credentials from the login screen to the network, authenticates and then contacts a DC to authenticate the session.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II
Posts: 45
Registered: ‎12-11-2012

Re: Can someone explain what "enforce machine authentication" is for on the 802.1x AAA profile?

OK, great, thanks for the info; all useful stuff.

 

Dave

 
