08-23-2014 09:31 AM
On our staff computers we set up an enforcement policy that looks for them to machine authenticate and for the computer to belong to an AD group we created before assigning the staff role we created. The problem is we have some computers that get the Machine Only enforcement profile and are assigned the wrong role. When I look in Access Tracker at the ones that work, ClearPass is looking at the group the machine belongs to; on the ones that do not work, it's looking at user groups. There are no differences in AD between the computers that are working and the ones that are not.
08-23-2014 09:35 AM
08-23-2014 09:41 AM
08-23-2014 02:40 PM
Unfortunately, when a USER is authenticating, the only role that is available with regards to the machine is the [MACHINE AUTHENTICATED] role. You cannot leverage AD attributes like groups about the machine objects when the user is currently authenticating. The AD groups that the machine is part of are only accessible WHEN the machine is authenticating, NOT when the user on that machine is authenticating.
I hope that helps.
Aruba Customer Engineering
08-24-2014 07:52 AM
As Colin mentioned, it is not possible to carry over a role mapping from a machine authentication once you do the user auth.
What I suggest you do is the following :
- Create two services
- In the machine authentication service define the following role mapping
- Then create two custom attributes that you will use to differentiate between the IT PC and Sales PC
- Then create a Post Auth profile using those custom attributes
- The post auth profiles can then be used to tag devices that are part of the SalesComputer or ITComputer AD group in the machine auth enforcement policy
- Once these tags have been applied you can use them in the user wireless 802.1X service (for this to work, make sure you add the endpoint database as an authorization source)
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
08-24-2014 07:58 AM