Occasional Contributor I
Posts: 7
Registered: ‎12-05-2011

Client Username columns not showing

Under clients I get all of the info such as Device, Role, MAC, SSID, VLAN, etc.  But I do not get the username of the user.  We are an AD shop.  Please do not laugh but for the short future we are running WEP.

 

Do I need to somehow make Airwave AD aware?

Aruba
Posts: 1,643
Registered: ‎04-13-2009

Re: Client Username columns not showing

If you are running WEP (or WPA-PSK for that matter) networks, you will not see user or device name information as there is no authentication taking place.  You'll need to implement a secure 802.1x network (WPA2) in order to see username information.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Occasional Contributor I
Posts: 7
Registered: ‎12-05-2011

Re: Client Username columns not showing

Thanks for the info.  I love this forum.

 

Thanks again.

Regular Contributor I
Posts: 186
Registered: ‎03-22-2013

Re: Client Username columns not showing

clembo wrote:

If you are running WEP (or WPA-PSK for that matter) networks, you will not see user or device name information as there is no authentication taking place.  You'll need to implement a secure 802.1x network (WPA2) in order to see username information.



I was discussing this with some of our support team yesterday and we weren't sure if this would still be the case if using EAP-TLS cert-based machine auth?  As a user would still be logging in via AD on the PC, would Aruba have visibility of these credentials?

We assumed that this would only be seen if using PEAP-based auth?

Guru Elite
Posts: 8,330
Registered: ‎09-08-2010

Re: Client Username columns not showing

If user authentication to the network is not taking place, then you will not see the username in the user-table.

 

If you are just authenticating the machine with EAP-TLS, then user authentication is not happening.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Regular Contributor I
Posts: 186
Registered: ‎03-22-2013

Re: Client Username columns not showing

Is it possible to therefore have both machine and user auth taking place, so different roles could be applied accordingly, and the credentials known?

I know it can using PEAP, but recent conversation with some techs implied it wasn't possible with TLS.  Or, if the hostname is known, a simple AD query to obtain username?

 

Cheers...

Guru Elite
Posts: 8,330
Registered: ‎09-08-2010

Re: Client Username columns not showing

Windows will trigger user authentication in a traditional machine authentication configuration using PEAP-MS-CHAPv2 after logon. I don't believe there is a way to trigger user authentication when using a machine assigned certificate. Are you using ClearPass? You can return a username back to the controller via an Aruba RADIUS VSA.

 


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Regular Contributor I
Posts: 186
Registered: ‎03-22-2013

Re: Client Username columns not showing

We will be (huge upgrade going on!) but mainly for guest access and BYOD onboarding... but not for trusted business devices.  They will be configured using group policy.

 

Can you elaborate on this bit please:

 


cappalli wrote:

Windows will trigger user authentication in a traditional machine authentication configuration using PEAP-MS-CHAPv2 after logon. I don't believe there is a way to trigger user authentication when using a machine assigned certificate. Are you using ClearPass? You can return a username back to the controller via an Aruba RADIUS VSA.

 


I'm not yet very familiar with ClearPass and its capabilities above and beyond guest access and onboarding.

 

Thanks

Guru Elite
Posts: 20,807
Registered: ‎03-29-2007

Re: Client Username columns not showing


$k3l3t0r wrote:

We will be (huge upgrade going on!) but mainly for guest access and BYOD onboarding... but not for trusted business devices.  They will be configured using group policy.

 

Can you elaborate on this bit please:

 


cappalli wrote:

Windows will trigger user authentication in a traditional machine authentication configuration using PEAP-MS-CHAPv2 after logon. I don't believe there is a way to trigger user authentication when using a machine assigned certificate. Are you using ClearPass? You can return a username back to the controller via an Aruba RADIUS VSA.

 


I'm not yet very familiar with ClearPass and its capabilities above and beyond guest access and onboarding.

 

Thanks


$k3l3t0r,

 

The easiest route will be using PEAP, where the computer can identify itself on bootup, and the username of the user can be identified upon login and acted upon.  The computer credentials are the computer's hostname and its SID (security identifier).  The user's credentials are, well, their AD credentials.  There are built-in roles in ClearPass to identify devices that have machine authenticated.  You can then layer user authentication on top of that.

EAP-TLS requires certificates, but only allows a device to identify itself with a certificate, not username and password.  The good part of using this is security, but the bad part is distributing, maintaining and revoking certificates, which will require more IT expertise to maintain than PEAP.  When using EAP-TLS, the device cannot use a combination like device certificate and username and password to authenticate to the WLAN.  You have to choose either...



Colin Joseph
Aruba Customer Engineering
