Occasional Contributor I
Posts: 7
Registered: ‎09-19-2014

Machine Authentication Enforcement and server rules

We have an 802.1X wireless network that has been working with Enforce Machine Authentication for years. A Windows RADIUS server authenticates users and machines, with some Apple devices in the Aruba internal DB for the machine-authentication workaround.

The UserOnly role defaults to a role that has the same rights as a guest.

The customer recently got 500 Chromebooks and wants them on the 802.1X network. They need elevated rights in a role different from the guest role.

Adding or managing these MAC addresses in the Aruba internal DB is not a valid option.

We recently tried to put in server rules to send a specific AD user account for these Chromebooks into a user role with different, elevated rights. This did not work, and looking into the community shows that server rules do not work when Enforce Machine Authentication is enabled.

If I disable Enforce Machine Authentication, I assume the server rules will work. My question is how this would affect devices that currently pass machine + user authentication...

When Enforce Machine Authentication is not enabled, does the controller still check to see if the machine authenticates?

Will valid machine and user accounts still get put in the fully authenticated 802.1X role? Or will it just check the user authentication piece and put them in the 802.1X user role?

Thanks for comments and assistance.


MVP
Posts: 4,271
Registered: ‎07-20-2011

Re: Machine Authentication Enforcement and server rules

You can try disabling Enforce Machine Auth and do the following:

[attached screenshot: 2014-11-03 16_17_03-Switch General Configuration.png]

[attached screenshot: 2014-11-03 16_18_13-Nitro Pro 9.png]

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor I
Posts: 7
Registered: ‎09-19-2014

Re: Machine Authentication Enforcement and server rules

But how would this handle a device that is a valid machine and a valid user?

When machine auth is enabled and both user and machine auth pass, the user is put in the 802.1X fully authenticated role.


Guru Elite
Posts: 8,458
Registered: ‎09-08-2010

Re: Machine Authentication Enforcement and server rules

This is not possible without a policy engine like ClearPass, due to the behavior of machine authentication and the need to cache the machine auth.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 4,271
Registered: ‎07-20-2011

Re: Machine Authentication Enforcement and server rules

Cappalli is right; I didn't think of the cache role if you need to provide access based on the machine/user combination.

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor I
Posts: 7
Registered: ‎09-19-2014

Re: Machine Authentication Enforcement and server rules

Thank you.

 

But in particular, if I disable Enforce Machine Authentication, will Windows machines still authenticate as machine first, then as user, even if it is not enforced?


Guru Elite
Posts: 8,458
Registered: ‎09-08-2010

Re: Machine Authentication Enforcement and server rules

Yes, this is by design in Windows. You will not be able to "combine" the roles for a separate outcome.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I
Posts: 7
Registered: ‎09-19-2014

Re: Machine Authentication Enforcement and server rules

Ok.

So the valid Windows device would be in the machine role, then when the user authenticates it would be in the user role, but it would not transition to the 802.1X default role. The user would stay in the user authentication role.

I just want to make sure I get this clear.

I fully understand how it works with Enforce Machine Auth ON, just not clear on when it is disabled.

MVP
Posts: 4,271
Registered: ‎07-20-2011

Re: Machine Authentication Enforcement and server rules

That's correct.

This setup will allow your domain laptops to receive group policies at the logon screen.


Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
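To make the two modes the thread compares concrete, the following is an added simulation (not ArubaOS code and not posted by anyone in the thread) of how a controller might derive roles with Enforce Machine Authentication on versus off. It replays the two device types discussed above: a domain-joined Windows laptop that authenticates first as a computer account and then as a user, and a Chromebook that only ever authenticates as a service user matched by a server rule. The role names, the MAC-keyed machine-auth cache and its 24-hour lifetime, the `host/` identity prefix, and the rule that server rules are bypassed on the user-only path while enforcing are assumptions modelled on what the posts describe, not documented ArubaOS behaviour.

```python
"""Model of 802.1X role derivation with and without "Enforce Machine
Authentication", as described in the thread above. This is an added,
hypothetical simulation, not ArubaOS code; role names, the cache
lifetime and the identity format are assumptions for illustration."""

from dataclasses import dataclass, field

# Role labels (assumed names; the thread only describes their purpose).
LOGON_ROLE = "logon"                  # nothing authenticated
MACHINE_ONLY_ROLE = "dot1x-machine"   # "Default Machine Role": machine passed, no user yet
USER_ONLY_ROLE = "dot1x-user"         # "Default User Role": user passed, no cached machine auth
DOT1X_DEFAULT_ROLE = "authenticated"  # "802.1X default role": both passed

MACHINE_AUTH_CACHE_TIMEOUT = 24 * 3600  # assumed cache lifetime, seconds


@dataclass
class AuthEvent:
    """One EAP authentication outcome as seen by the controller (constructed)."""
    mac: str        # client MAC, the key for the machine-auth cache
    identity: str   # RADIUS User-Name; "host/..." marks a computer account (assumed)
    passed: bool
    at: float       # timestamp in seconds


@dataclass
class Controller:
    enforce_machine_auth: bool
    # server rules: User-Name -> role (a stand-in for attribute-based rules)
    server_rules: dict = field(default_factory=dict)
    # MAC -> time of last successful machine auth (only consulted when enforcing)
    machine_auth_cache: dict = field(default_factory=dict)

    @staticmethod
    def is_machine_identity(identity: str) -> bool:
        return identity.startswith("host/")

    def has_fresh_machine_auth(self, mac: str, now: float) -> bool:
        stamp = self.machine_auth_cache.get(mac)
        return stamp is not None and now - stamp <= MACHINE_AUTH_CACHE_TIMEOUT

    def derive_role(self, ev: AuthEvent) -> str:
        if not ev.passed:
            return LOGON_ROLE

        if not self.enforce_machine_auth:
            # Machine and user logons are independent sessions: each one gets
            # the server-derived role if a rule matches, otherwise the 802.1X
            # default role. Nothing is remembered between the two logons.
            return self.server_rules.get(ev.identity, DOT1X_DEFAULT_ROLE)

        if self.is_machine_identity(ev.identity):
            # Enforcing: remember the machine auth per MAC and park the device
            # in the machine-only role until a user logs on.
            self.machine_auth_cache[ev.mac] = ev.at
            return MACHINE_ONLY_ROLE

        # User logon while enforcing: the outcome depends on the cache, not on
        # server rules (the behaviour the thread reports for the Chromebooks).
        if self.has_fresh_machine_auth(ev.mac, ev.at):
            return DOT1X_DEFAULT_ROLE
        return USER_ONLY_ROLE


def run_scenarios(enforce: bool) -> dict:
    """Replays the thread's two device types and returns the derived roles."""
    ctl = Controller(enforce_machine_auth=enforce,
                     server_rules={"chromebook-svc": "chromebook-elevated"})
    laptop, chromebook = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"  # constructed MACs
    t = 1_700_000_000.0  # constructed base timestamp
    return {
        "laptop_machine": ctl.derive_role(AuthEvent(laptop, "host/LAPTOP1", True, t)),
        "laptop_user":    ctl.derive_role(AuthEvent(laptop, "jdoe", True, t + 60)),
        # The Chromebook has no computer account: only the service user authenticates.
        "chromebook":     ctl.derive_role(AuthEvent(chromebook, "chromebook-svc", True, t)),
        # Same laptop, user re-authenticates after the machine-auth cache has expired.
        "laptop_user_stale": ctl.derive_role(
            AuthEvent(laptop, "jdoe", True, t + MACHINE_AUTH_CACHE_TIMEOUT + 1)),
    }


if __name__ == "__main__":
    for enforce in (True, False):
        print(f"enforce_machine_auth={enforce}: {run_scenarios(enforce)}")
```

Running it shows the asymmetry the thread arrives at. With enforcement on, the laptop's user logon is promoted to the fully authenticated role only because a fresh cache entry exists for its MAC, and the Chromebook, which never produces one, lands in the user-only (guest-equivalent) role no matter what the server rule says. With enforcement off, the server rule works for the Chromebook, but every logon is scored on its own and nothing ever "combines". The stale-cache case shows why a user re-authenticating on a long-idle laptop can also drop to the user-only role under enforcement.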