Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Machine authentication on WIN7 - configuration

  • 1.  Machine authentication on WIN7 - configuration

    Posted Feb 26, 2015 05:15 AM

    Hello,

     

    I wanna use machine authentication on WIN7. What should I configure on WIN7 if I wanna use only machine authentication and what should I configure on WIN7 if I wanna use it with 802.1x?

     

    For machine authentication do I need to also configure EAP-PEAP, mschap, ..? Or do I just leave it blank and not care about that?

     

    How does the authentication process work? In which ROLE do I use machine authentication (initial or default)? The exact communication process is missing for me.

     

    Thanks,

    Vulpe



  • 2.  RE: Machine authentication on WIN7 - configuration
    Best Answer

    Posted Feb 26, 2015 04:00 PM

    Hi Vulpe,

     

    There are a few steps to enable machine authentication directly on Windows 7, however I would strongly advise managing this via Group Policy (steps are in here, obviously choose Computer authentication rather than User as the article implies - Technet).

     

    1.  Open services.msc and set the Wired AutoConfig service to automatic.

    2.  Start the Wired AutoConfig service.

     

    With this done you should be able to see the "Authentication" tab when you open the properties screen for your Network adapter...

     

    3.  Ensure "Enable IEEE 802.1X authentication" is ticked then click on "Additional Settings"

    4.  Ensure "Specify authentication mode" is ticked and select "Computer authentication" on the drop down box.

     

    At this point you may want to give some consideration to whether or not you want to validate the certificate presented by ClearPass to the machine when it tries to authenticate. If you are using a self-signed certificate you may want to disable this check or alternatively install the root certificate on the Windows 7 machine so that self-signed certificates generated by ClearPass are trusted.  Other options (installing proper 3rd party (Verisign, etc.) certificates, or using your corporate PKI) are also feasible.

     

    Either way, with these settings in place your machine should be capable of doing machine authentication only.

     

    With regards to roles on ClearPass, I'm not sure I can answer whether or not you should be using initial or default service but I can tell you how we have configured our system and roughly how we did it.

     

    1.  Join the ClearPass appliance to Active Directory (this can be done via Policy Manager - Administration - Server Manager - Server Configuration).

    2.  Create a new Authentication Source and set the type to Active Directory, fill in the relevant details for the domain you wish to authenticate against (Hostname, Bind DN etc).

    3.  You will need to add your new Authentication Source to your 802.1x Wired service, you will also need [EAP PEAP] set as an Authentication Method.

    4.  We have created a role mapping that has the following condition - Authorization: Active Directory: HostName EXISTS and mapped that to a role called ROLE-COMPUTERINAD, you may wish to add an additional condition that checks the device is using EAP-MSCHAPv2 as an inner method (so Authentication:InnerMethod EQUALS EAP-MSCHAPv2).

    5.  We then use an Enforcement Policy to pass back a specific profile based on which Role the device has.

     

    This should be sufficient to authenticate the computer via ClearPass, although I can't promise that I haven't missed anything out as it's been some time since I had to look at this particular part of the process.  Obvious omissions are any switch configuration etc.

     

    Thanks,

    Matt.
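
Added example, not part of the post above: the client-side steps scripted in PowerShell (2.0-compatible, for Windows 7), followed by a check of the exported wired profiles for the authentication mode and the certificate-validation settings the answer discusses. The folder path and function names are assumptions for illustration; the element names are the ones Windows writes into exported 802.1X profiles, so confirm them against your own export.

```powershell
# Run from an elevated prompt.
# Steps 1-2: Wired AutoConfig (service name dot3svc) set to automatic and started.
Set-Service -Name dot3svc -StartupType Automatic
Start-Service -Name dot3svc

# Export every wired profile to a scratch folder (path is an assumption).
$dir = 'C:\Temp\lan-profiles'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
netsh lan export profile folder=$dir | Out-Null

function Get-ProfileValue {
    param([xml]$Doc, [string]$Name)
    # local-name() is used because the profile nests several XML namespaces.
    $node = $Doc.SelectSingleNode("//*[local-name()='$Name']")
    if ($node) { $node.InnerText.Trim() } else { $null }
}

function Test-OneXProfile {
    param([Parameter(Mandatory=$true)][string]$Path)
    $doc = New-Object System.Xml.XmlDocument
    $doc.Load($Path)

    $authMode = Get-ProfileValue $doc 'authMode'
    $validate = Get-ProfileValue $doc 'PerformServerValidation'
    $rootCa   = Get-ProfileValue $doc 'TrustedRootCA'
    $names    = Get-ProfileValue $doc 'ServerNames'

    $findings = @()
    if ($authMode -ne 'machine') {
        $findings += "authMode is '$authMode', not 'machine' (step 4)"
    }
    if ($validate -eq 'false') {
        $findings += 'server certificate validation is disabled'
    }
    if (-not $rootCa) {
        $findings += 'no trusted root CA selected for the RADIUS server certificate'
    }
    if (-not $names) {
        $findings += 'no server name restriction set'
    }

    New-Object PSObject -Property @{
        Profile  = Split-Path $Path -Leaf
        AuthMode = $authMode
        Findings = $findings -join '; '
    }
}

Get-ChildItem -Path $dir -Filter *.xml |
    ForEach-Object { Test-OneXProfile -Path $_.FullName } |
    Format-List Profile, AuthMode, Findings
```

Because the check matches element names regardless of namespace, `Test-OneXProfile` can also be pointed at wireless profiles exported with `netsh wlan export profile`.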



  • 3.  RE: Machine authentication on WIN7 - configuration

    EMPLOYEE
    Posted Feb 26, 2015 10:03 PM

    Wired or wireless?

    What authentication server are you using?

    Does your controller have PEFNG licenses?

     

     



  • 4.  RE: Machine authentication on WIN7 - configuration

    Posted Feb 27, 2015 02:20 AM

    I am using wireless, ClearPass with PEFNG.



  • 5.  RE: Machine authentication on WIN7 - configuration

    Posted Feb 27, 2015 02:19 AM

    OK, if I configure machine authentication only on PC with 802.1x enabled, do I also get a popup window with username and password for 802.1x authentication or is this automatically disabled because of machine authentication? If I enable user and machine authentication, do I get both 802.1x with username/password and machine authentication?



  • 6.  RE: Machine authentication on WIN7 - configuration

    EMPLOYEE
    Posted Feb 27, 2015 06:45 AM

    If you use machine authentication only, there should not be a popup for username and password.  The computer will use its hostname as the username and the SID (security identifier) as the password.

     



  • 7.  RE: Machine authentication on WIN7 - configuration

    Posted Feb 27, 2015 06:57 AM

    Thanks