Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Which component enforces Machine and/or user authentication in 802.1x authentication?

  • 1.  Which component enforces Machine and/or user authentication in 802.1x authentication?

    Posted Apr 28, 2015 07:58 AM

    Hi

    I understand the EAP methods used in 802.1x authentication. What I am confused about is which component enforces Machine and/or user authentication. Does the authentication server also need to enforce the same once the supplicant tries to connect on a WLAN? What is the sequence of operation in both Machine and user authentication, and does each user/machine authentication have a separate session established during 802.1x authentication?

     

    Thanks

    Karan



  • 2.  RE: Which component enforces Machine and/or user authentication in 802.1x authentication?

    EMPLOYEE
    Posted Apr 28, 2015 08:03 AM
    The device switches credential sets after the user logs in. Your RADIUS server must be configured to support both machine and user.

    Thanks,
    Tim


  • 3.  RE: Which component enforces Machine and/or user authentication in 802.1x authentication?

    Posted Apr 28, 2015 08:19 AM

    I could not understand...



  • 4.  RE: Which component enforces Machine and/or user authentication in 802.1x authentication?

    EMPLOYEE
    Posted Apr 28, 2015 08:38 AM

    When Windows boots up and gets to the logon screen, it authenticates to the network using the computer's account. Once a user has logged in, it will re-authenticate to the network with the user's account. When a user logs out and goes back to the logon screen, it re-authenticates with the computer account.



  • 5.  RE: Which component enforces Machine and/or user authentication in 802.1x authentication?

    Posted Apr 29, 2015 12:18 AM

    Ok, so as per this, machine and user authenticate using their own credentials, which implies there are going to be two separate session authentications from the same device to the authentication server. Now, if the EAP method negotiated is EAP-TLS, does that mean the same client certificate is used for both machine and user authentication? Because in this case the credentials will be certificates, since EAP-TLS supports cert authentication and not username/password, if I am not wrong. Please suggest.

     

    1. Let's say Windows 7 has WLAN "corporate" and uses computer or user authentication.

    2. Authentication method is PEAP-MSCHAPv2.

    3. Virtual profile on Controller has SSID "corporate" which has 802.1X profile with default role for both machine and user.

    As per the previous discussion, does Windows perform both Machine and user authentication by itself, or is it because WLAN "corporate" is configured to do so?

     

    Second, since the Authentication method is PEAP-MSCHAPv2:

    1. For machine Authentication, which credentials are used (username/password)?

    2. Is there going to be another session authentication for the user?

     

    Thanks

    Karan



  • 6.  RE: Which component enforces Machine and/or user authentication in 802.1x authentication?

    Posted Apr 29, 2015 06:58 AM

    This should set you on the path to understanding:

     

    The way the "enforce machine auth" works is by keeping track of which machines (by MAC address) have successfully passed 802.1x with their machine credentials (for AD this is their computer name/account) and applying a role derivation scheme that takes this into consideration when they pass 802.1x authentication with their user credentials. The important thing to note here is that the computer will only do one OR the other based on the state of the user being logged in or not, NOT both at the same time. For example, in XP using PEAP, if the "Authenticate as computer when computer information is available" checkbox is set in the Authentication tab of your Wireless setting, the computer will do the following:

    - If the user is logged off, or during a reboot before a user logs on, the computer will auth with its computer name against AD with the SID that was assigned when the computer was joined to the domain
    - Once the user logs onto Windows, the computer will log off the computer via 802.1x and authenticate as the user via 802.1x
    - If the user logs off, the computer will log off the user via 802.1x and log on with the computer account again.

    So, the Aruba will see "host/computer-name.domain" authenticate when the computer uses its account and will mark this as being a valid domain PC. We will keep track of this in the internal database of the controller and put the machine in the "default machine role" defined in the dot1x-profile. Once we see the user log on as "domain/user", we will switch the user to the 802.1x default-role IF the same machine passed machine auth previously, or place it in the "default user role" if it did not.

    So, what this means is, to place iPhones and the like in a separate role from domain devices when users use the same credentials, you would set the roles up as follows:

    - Default-Machine-Role = Whatever you want a computer with no user logged into it to have access to. I would suggest allowing communication to the domain controller, DHCP, DNS, and the like so that when the user does log on, they can run scripts and the like.
    - Default-User-Role = Role for NON domain devices with domain users
    - Default-Dot1x-Role = Role for domain devices with domain users

    The matrix above only kicks in if "enforce machine auth" is enabled; otherwise any successful 802.1x auth will be placed in the 802.1x default role.

    One caveat is that you have to be aware of the cache period that we keep track of the valid domain machines for. By default this is 24 hours. So, let's say that you are already logged onto your computer as your user and you walk into the building, and the computer logs onto the network with your user credentials (since you are logged on). If this is past the 24-hour period since the system last saw that device log on as a computer, you will be treated as a non-domain device until you log off from Windows and log back on.

     

    Shamelessly copied from here: http://community.arubanetworks.com/t5/ArubaOS-and-Controllers/802-1x-Machine-and-User-Authentication/m-p/8887#M3380

     

    Cheers

    James
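    As an added illustration (not ArubaOS code and not from the post), here is a small Python model of the role-derivation matrix and the 24-hour cache caveat James describes; the names `MachineAuthCache` and `derive_role`, the role strings, and the sample MACs and identities are my own constructions.

```python
# Added example: simulates the "enforce machine auth" role derivation described in the post.
# Class/function names and sample values are constructed; the 24-hour cache period is the
# default quoted in the post.
from dataclasses import dataclass, field
from datetime import datetime, timedelta

DEFAULT_MACHINE_ROLE = "default-machine-role"  # computer account, no user logged in
DEFAULT_USER_ROLE = "default-user-role"        # domain user on a device that never passed machine auth
DEFAULT_DOT1X_ROLE = "default-dot1x-role"      # domain user on a device that passed machine auth

MACHINE_AUTH_CACHE_PERIOD = timedelta(hours=24)


@dataclass
class MachineAuthCache:
    """Tracks which client MACs passed 802.1X with their computer account, and when."""
    period: timedelta = MACHINE_AUTH_CACHE_PERIOD
    entries: dict = field(default_factory=dict)  # mac -> time of last successful machine auth

    def record_machine_auth(self, mac, when):
        self.entries[mac] = when

    def machine_authenticated(self, mac, now):
        seen = self.entries.get(mac)
        return seen is not None and now - seen <= self.period


def derive_role(cache, mac, identity, now, enforce_machine_auth=True):
    """Role for a client that just passed 802.1X, given the EAP identity it used.

    A computer account identity looks like 'host/computer-name.domain' and a user
    identity like 'domain/user' (the forms quoted in the post).
    """
    is_machine = identity.lower().startswith("host/")
    if not enforce_machine_auth:
        return DEFAULT_DOT1X_ROLE  # without enforcement every successful auth gets the dot1x role
    if is_machine:
        cache.record_machine_auth(mac, now)
        return DEFAULT_MACHINE_ROLE
    if cache.machine_authenticated(mac, now):
        return DEFAULT_DOT1X_ROLE
    return DEFAULT_USER_ROLE  # e.g. a phone using the same domain credentials


def walk_through():
    """Boot, log on, a phone with the same user, then a reconnect 25 hours later (the caveat)."""
    cache = MachineAuthCache()
    t0 = datetime(2015, 4, 29, 8, 0)
    pc, phone = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"  # constructed sample MACs
    boot = derive_role(cache, pc, "host/pc01.corp.example", t0)
    logon = derive_role(cache, pc, "corp/karan", t0 + timedelta(minutes=5))
    phone_role = derive_role(cache, phone, "corp/karan", t0 + timedelta(minutes=6))
    stale = derive_role(cache, pc, "corp/karan", t0 + timedelta(hours=25))
    no_enforce = derive_role(cache, phone, "corp/karan", t0, enforce_machine_auth=False)
    return boot, logon, phone_role, stale, no_enforce
```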



  • 7.  RE: Which component enforces Machine and/or user authentication in 802.1x authentication?

    Posted Apr 29, 2015 07:50 AM

    Ok, that was a big response; a bouncer for me:

     

    1. When Windows boots up, does it generally attempt machine authentication always, regardless of whether 802.1x is configured or not? And is this behaviour just because of 802.1x, i.e. the machine scans wireless and the controller initiates the 802.1x session?

    2. If I just have user authentication configured in the wireless profile, then will it even attempt machine authentication?

    3. If I use "user authentication" on the supplicant and "Machine+user Auth" on the Controller, then what? Enforce Machine Auth is unchecked on the controller.

    4. If I use "user authentication" on the supplicant and "Machine+user Auth" on the Controller, then what? With enforce Machine Auth on the controller.

     

    Please address these questions as I have already gone through many docs.

     

    Thanks

    Karan



  • 8.  RE: Which component enforces Machine and/or user authentication in 802.1x authentication?
    Best Answer

    EMPLOYEE
    Posted Apr 29, 2015 08:02 AM
    1.  Windows attempts machine authentication over wireless using 802.1x based on how its supplicant is configured.  This can be done with group policy or manually.  If the computer is connecting to an open or preshared key network, it will attempt machine authentication on boot up just like if it is wired.  The difference in the 802.1x boot up is that on 802.1x, you do not have an IP address before you authenticate, so the machine needs to use machine credentials on boot up to connect to the network.

    2. No

    3. Enforce Machine authentication on the controller is only to detect what authentication combination has occurred and give the device a role based on the result. In practice it is more flexible to manage this on ClearPass or a RADIUS server that can make decisions on machine authentication, rather than using the controller.

    4. If a device is configured for user authentication only, the controller will not put the device in a role that requires both machine and user authentication.


  • 9.  RE: Which component enforces Machine and/or user authentication in 802.1x authentication?

    Posted Apr 30, 2015 01:52 AM

    Thanks... So presumably, if I only have "user authentication" on my wireless profile, the supplicant on the client will not attempt machine authentication. Does that mean I will not have an IP address until I log in, because the supplicant will attempt/initiate "user authentication" only once I log in? Or, since the Controller detects the client on that WLAN, will it initiate the EAP session and assign the initial role (for that AAA profile) until user authentication is complete?



  • 10.  RE: Which component enforces Machine and/or user authentication in 802.1x authentication?

    EMPLOYEE
    Posted Apr 30, 2015 01:57 AM
    The 802.1x standard specifies that you get an IP address after you have authenticated.


  • 11.  RE: Which component enforces Machine and/or user authentication in 802.1x authentication?

    EMPLOYEE
    Posted Apr 29, 2015 07:52 AM
    Machine credentials are used for a machine authentication. User credentials are used for a user authentication.

    Thanks,
    Tim


  • 12.  RE: Which component enforces Machine and/or user authentication in 802.1x authentication?

    Posted Apr 29, 2015 07:58 AM

    Not helpful. If you can address my above questions, that would be more helpful.