10-29-2013 05:23 AM
As the title says I wondered if someone could explain what "enforce machine authentication" is used for?
10-29-2013 05:25 AM - edited 10-29-2013 05:28 AM
Enforce Machine Authentication is used in many environments as a way to verify corporate owned Windows machines.
A valid Active Directory computer/machine account is required to gain access to the network.
So, for example, if you only wanted to permit Active Directory-joined Windows devices on a particular SSID, you could use the Enforce Machine Authentication option.
Here is a chart that shows the different combinations of machine and user authentication and their results.
10-29-2013 06:18 AM
OK, for information, I did a test with machine auth not enforced.
Domain machine connecting to the 802.1X wireless network: it authenticated by machine, but only shows 802.1x as the auth type.
Non-domain machine connecting to the 802.1X network: it prompted for user auth, and again shows 802.1x as the auth type.
Then I enabled machine auth on the AAA profile.
Domain machine connecting to the 802.1X wireless network: it authenticated by machine, but now shows 802.1x-machine as the auth type.
Non-domain machine connecting to the 802.1X network: it prompted for user auth, and now shows 802.1x-user as the auth type.
OK, so that looks fine, but how would you, for instance, have it so the machine connects via machine auth, then you get the Windows GINA and the user logs in, and the connection flips over to user auth so individual RADIUS attributes can be used to assign a particular role?
10-29-2013 06:50 AM - edited 10-29-2013 06:52 AM
When the machine boots, it will machine auth at the login screen. Once a user logs in, the device will reauthenticate with the user's credentials.
Are you using ClearPass? There are built-in "automagic" roles that can handle machine vs user authentication for policy decisions.
10-29-2013 07:11 AM
Thanks for the info so far.
What you describe does not happen; no reauth happens when the user logs in. Do I have to set single sign-on on the actual wireless profile on the client machine?
10-29-2013 08:30 AM
You'll need to set the authentication mode on the client to "User or computer authentication". This tells Windows to perform machine authentication at the login screen and user authentication once the user logs in.
To do this, go to the properties of the SSID in Windows (Win 7 in my example).
Click on the Security tab.
Click the Advanced settings button.
In the 802.1X settings tab, click "Specify authentication mode".
Select "User or computer authentication" from the drop-down.
10-29-2013 08:33 AM - edited 10-29-2013 08:47 AM
^ That is usually enabled OOTB on Windows XP and higher unless you are setting different policy via a GPO.
The SSO feature in the supplicant is an alternative if you do not want to use machine auth. It passes the credentials from the login screen to the network, authenticates and then contacts a DC to authenticate the session.
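The GUI steps above (Security tab, Advanced settings, 802.1X settings, "User or computer authentication") and the SSO alternative in the last reply both map to settings in the Windows wireless profile XML: the `authMode` and `singleSignOn` elements in the OneX section. The script below is an added example, not code from the thread or from Aruba or Microsoft; it exports an existing profile with `netsh wlan`, sets `authMode` to `machineOrUser`, optionally adds a pre-logon `singleSignOn` block, re-imports the profile for all users, and then prints the relevant lines so you can confirm the change. It assumes an SSID named `CorpWiFi` whose profile already has 802.1X/PEAP configured, and that it runs in an elevated PowerShell session.

```powershell
# Added example: set a Windows wireless profile to "User or computer authentication"
# (authMode = machineOrUser) from the command line, with optional pre-logon SSO.
# Assumes: SSID 'CorpWiFi' exists with 802.1X already configured; run as Administrator.
param(
    [string]$Ssid = 'CorpWiFi',   # assumed SSID/profile name
    [switch]$EnableSso            # also add pre-logon single sign-on (alternative to machine auth)
)

$oneXNs = 'http://www.microsoft.com/networking/OneX/v1'
$work   = Join-Path $env:TEMP 'wlan-profile-edit'
$verify = Join-Path $work 'verify'
New-Item -ItemType Directory -Force -Path $work, $verify | Out-Null

# 1. Export the current profile. Secrets are not needed, so no key=clear.
netsh wlan export profile name="$Ssid" folder="$work" | Out-Null
$file = Get-ChildItem -Path $work -Filter '*.xml' |
        Where-Object { $_.Name -like "*$Ssid*" } | Select-Object -First 1
if (-not $file) { throw "No exported profile found for SSID '$Ssid'" }

[xml]$doc = Get-Content -Path $file.FullName -Raw
$ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
$ns.AddNamespace('o', $oneXNs)

$oneX = $doc.SelectSingleNode('//o:OneX', $ns)
if (-not $oneX) { throw "Profile '$Ssid' has no 802.1X (OneX) section; configure EAP first" }

# 2. Set <authMode>machineOrUser</authMode>. The OneX schema orders the children
#    ... supplicantMode, authMode, singleSignOn, EAPConfig, so a new authMode goes
#    before singleSignOn if present, otherwise before EAPConfig.
$authMode = $oneX.SelectSingleNode('o:authMode', $ns)
if (-not $authMode) {
    $authMode = $doc.CreateElement('authMode', $oneXNs)
    $anchor = $oneX.SelectSingleNode('o:singleSignOn', $ns)
    if (-not $anchor) { $anchor = $oneX.SelectSingleNode('o:EAPConfig', $ns) }
    $oneX.InsertBefore($authMode, $anchor) | Out-Null
}
$authMode.InnerText = 'machineOrUser'   # GUI wording: "User or computer authentication"

# 3. Optional: pre-logon SSO, which hands the logon-screen credentials to the
#    supplicant before the Windows logon completes.
if ($EnableSso -and -not $oneX.SelectSingleNode('o:singleSignOn', $ns)) {
    $sso = $doc.CreateElement('singleSignOn', $oneXNs)
    foreach ($pair in @(@('type', 'preLogon'), @('maxDelay', '10'),
                        @('allowAdditionalDialogs', 'false'), @('userBasedVirtualLan', 'false'))) {
        $e = $doc.CreateElement($pair[0], $oneXNs)
        $e.InnerText = $pair[1]
        $sso.AppendChild($e) | Out-Null
    }
    $oneX.InsertBefore($sso, $oneX.SelectSingleNode('o:EAPConfig', $ns)) | Out-Null
}

# 4. Save, re-import as an all-users profile (same name, so it replaces the old one),
#    then re-export and show the lines that prove the setting took effect.
$out = Join-Path $work 'modified.xml'
$doc.Save($out)
netsh wlan add profile filename="$out" user=all
netsh wlan export profile name="$Ssid" folder="$verify" | Out-Null
Select-String -Path (Join-Path $verify '*.xml') -Pattern '<authMode>|<singleSignOn>|<type>'
```

Run it as `.\Set-WlanAuthMode.ps1 -Ssid 'CorpWiFi'` (the script name is assumed), or add `-EnableSso` for the SSO variant. Pushing the same XML through Group Policy (Wireless Network (IEEE 802.11) Policies) is the normal way to roll it out fleet-wide, which is also why a GPO can silently override what you set locally, as the last reply notes.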