Wireless Access

Occasional Contributor I

Client Username columns not showing

Under clients I get all of the info such as Device, Role, MAC, SSID, VLAN, etc.  But I do not get the username of the user.  We are an AD shop.  Please do not laugh but for the short future we are running WEP.

 

Do I need to somehow make Airwave AD aware?

Aruba

Re: Client Username columns not showing

If you are running WEP (or WPA-PSK for that matter) networks, you will not see user or device name information as there is no authentication taking place.  You'll need to implement a secure 802.1x network (WPA2) in order to see username information.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Occasional Contributor I

Re: Client Username columns not showing

Thanks for the info.  I love this forum.

 

Thanks again.

Regular Contributor I

Re: Client Username columns not showing


clembo wrote:

If you are running WEP (or WPA-PSK for that matter) networks, you will not see user or device name information as there is no authentication taking place.  You'll need to implement a secure 802.1x network (WPA2) in order to see username information.



I was discussing this with some of our support team yesterday and we weren't sure if this would still be the case if using EAP-TLS cert based machine auth?  As a user would still be logging in via AD on the PC, would Aruba have visibility of these credentials?

 

We assumed that this would only be seen if using peap based auth?

Guru Elite

Re: Client Username columns not showing

If user authentication to the network is not taking place, then you will not see the username in the user-table.

 

If you are just authenticating the machine with EAP-TLS, then user authentication is not happening.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Regular Contributor I

Re: Client Username columns not showing

Is it possible to therefore have both machine and user auth taking place, so different roles could be applied accordingly, and the credentials known?

 

I know it can using PEAP, but recent conversation with some techs implied it wasn't possible with TLS.  Or, if the hostname is known, a simple AD query to obtain username?

 

Cheers...

Guru Elite

Re: Client Username columns not showing

Windows will trigger user authentication in a traditional machine authentication configuration using PEAP-MS-CHAPv2 after logon. I don't believe there is a way to trigger user authentication when using a machine assigned certificate. Are you using ClearPass? You can return a username back to the controller via an Aruba RADIUS VSA.

 


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Regular Contributor I

Re: Client Username columns not showing

We will be (huge upgrade going on!) but mainly for guest access and byod onboarding... but not for trusted business devices.  They will be configured using group policy. 

 

Can you elaborate on this bit please:

 


cappalli wrote:

Windows will trigger user authentication in a traditional machine authentication configuration using PEAP-MS-CHAPv2 after logon. I don't believe there is a way to trigger user authentication when using a machine assigned certificate. Are you using ClearPass? You can return a username back to the controller via an Aruba RADIUS VSA.

 


I'm not yet very familiar with ClearPass and its capabilities above and beyond guest access and onboarding.

 

Thanks

Guru Elite

Re: Client Username columns not showing


$k3l3t0r wrote:

We will be (huge upgrade going on!) but mainly for guest access and byod onboarding... but not for trusted business devices.  They will be configured using group policy. 

 

Can you elaborate on this bit please:

 


cappalli wrote:

Windows will trigger user authentication in a traditional machine authentication configuration using PEAP-MS-CHAPv2 after logon. I don't believe there is a way to trigger user authentication when using a machine assigned certificate. Are you using ClearPass? You can return a username back to the controller via an Aruba RADIUS VSA.

 


I'm not yet very familiar with ClearPass and its capabilities above and beyond guest access and onboarding.

 

Thanks


$k3l3t0r,

 

The easiest route will be using PEAP, where the computer can identify itself on bootup, and the username of the user can be identified upon login and acted upon.  The computer credentials are the computer's hostname and its SID (security identifier).  The user's credentials are, well, their AD credentials.  There are built-in roles in ClearPass to identify devices that have machine authenticated.  You can then layer user authentication on top of that.

 

EAP-TLS requires certificates, but only allows a device to identify itself with a certificate, not username and password.  The good part of using this is security, but the bad part is distributing, maintaining and revoking certificates, which will require more IT expertise to maintain than PEAP.  When using EAP-TLS, the device cannot use a combination like device certificate and username and password to authenticate to the WLAN.  You have to choose either...



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
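
As an added illustration (not part of the original thread, and not Aruba or ClearPass code), the sketch below models the point made in the replies above: the identity presented during authentication decides whether a username can be shown for a client. The event tuples, role labels, sample identities and the rule for recognising a computer account are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class ClientRow:
    username: Optional[str] = None   # value a "Username" column could display
    machine_authed: bool = False
    role: str = "no-identity"        # hypothetical role labels

def is_machine_identity(identity: str) -> bool:
    # Assumption: Windows computer accounts present as "host/<fqdn>"
    # or as an account name ending in "$".
    ident = identity.strip().lower()
    return ident.startswith("host/") or ident.endswith("$")

def apply_auth(row: ClientRow, security: str, identity: Optional[str]) -> ClientRow:
    if security != "802.1x" or not identity:
        # WEP / PSK: the shared key proves nothing about who is connecting.
        return ClientRow()
    if is_machine_identity(identity):
        # Computer authenticated (boot, or re-auth after user logoff):
        # the device is known, but there is still no user to display.
        return ClientRow(username=None, machine_authed=True, role="machine-only")
    # A user identity arrived; record whether it was layered on machine auth.
    role = "machine+user" if row.machine_authed else "user-only"
    return ClientRow(username=identity, machine_authed=row.machine_authed, role=role)

def build_user_table(events):
    table = {}
    for mac, security, identity in events:
        table[mac] = apply_auth(table.get(mac, ClientRow()), security, identity)
    return table

# Constructed sample events: (client MAC, SSID security, 802.1X identity)
SAMPLE_EVENTS = [
    ("aa:bb:cc:00:00:01", "wep", None),
    ("aa:bb:cc:00:00:02", "802.1x", "host/pc02.corp.example"),   # machine cert only
    ("aa:bb:cc:00:00:03", "802.1x", "host/pc03.corp.example"),   # boot
    ("aa:bb:cc:00:00:03", "802.1x", "CORP\\alice"),              # user logon
    ("aa:bb:cc:00:00:04", "802.1x", "bob@corp.example"),         # no prior machine auth
]

if __name__ == "__main__":
    for mac, row in build_user_table(SAMPLE_EVENTS).items():
        print(mac, row.username or "-", row.role)
```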

