Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Windows - Machine Auth and Docking Stations - Clearpass

  • 1.  Windows - Machine Auth and Docking Stations - Clearpass

    Posted Nov 03, 2017 04:45 PM

    Clearpass policy is configured to require Machine and User authentication before providing the full access enforcement profile. This was designed to ensure only corporate, domain-joined and trusted computers are getting full access to the private network. Any auths not performing a Machine auth get a restricted role or no access.

    A common scenario is that a user comes into work, docks a domain-joined laptop, boots up and logs into Windows. At this point, Machine Authentication has not been sent to Clearpass. The user may eventually undock the laptop to head into a meeting. The wireless adapter comes up and authenticates against Clearpass. Since Clearpass has not seen a Machine Auth, it will not pass proper policy and the user is left in a restricted role.

    Anyone know of a good dynamic solution for this? I found this article, but it is a very manual effort to add new attributes to the endpoint. I am hoping there is a better way. Any new Windows machines added to the domain will take a manual effort to configure in Clearpass.

    http://community.arubanetworks.com/t5/tkb/articleprintpage/tkb-id/AAANACGuestAccessBYOD/article-id/580



  • 2.  RE: Windows - Machine Auth and Docking Stations - Clearpass

    Posted Nov 03, 2017 05:17 PM


    I don't understand why the machine auth would not be sent.

    We use Windows 10 laptops on docking stations and do not experience this problem. (We do not require user auth except in the absence of machine auth). So for a domain joined computer, it pulls the credentials of the domain user who is logged in. No further interaction required from the end user.




  • 3.  RE: Windows - Machine Auth and Docking Stations - Clearpass

    Posted Nov 03, 2017 05:30 PM

    The wired connection is not configured for 802.1X, therefore a Machine Auth is not sent to Clearpass (there is no device to send it).

    Machine Auths are only sent at the following times...

    Machine Boot - Before logon

    Logoff or Reboot

    Also, this is only an issue if the user has not performed a machine auth during the period that is set for the machine auth cache in Clearpass. I.e., if the machine auth cache is set to a week, they can stay docked on the wired connection for, say, 6 days, undock and easily transition to wireless since the Machine Auth is still cached. The machine cache timer in Clearpass is also reset/refreshed every time the machine does a new machine auth.

    So some people will configure the machine auth in Clearpass to last for several days. So a user reboot (while on wireless) would usually resolve the situation. Then, most likely, they will boot up/shut down sometime within a week, which in turn renews the cache in Clearpass.



  • 4.  RE: Windows - Machine Auth and Docking Stations - Clearpass

    EMPLOYEE
    Posted Nov 03, 2017 05:34 PM
    Are you actually giving users different policies based on who they are or just checking corporate asset?


  • 5.  RE: Windows - Machine Auth and Docking Stations - Clearpass

    Posted Nov 03, 2017 05:50 PM

    I combine them together. For example:

    Machine Auth - Success

    User Auth - Success

    MemberOf - Finance

    = Finance Role

    I then repeat this for other group memberships. The policy is much more complex than this, but this is the general idea.
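The cache behaviour described in reply 3 and the combined machine+user+group policy in reply 5 can be replayed in a small model. This is an added example, not code from the thread or from ClearPass; the 7-day cache period, the endpoint MAC and the group-to-role map are assumed values chosen to illustrate the docking scenario.

```python
from datetime import datetime, timedelta

# Assumed cache period; the thread notes that sites often set it to several days.
MACHINE_AUTH_CACHE = timedelta(days=7)

# Hypothetical AD group -> role mapping in the spirit of reply 5.
GROUP_ROLES = {"Finance": "Finance Role", "Engineering": "Engineering Role"}
RESTRICTED = "Restricted Role"


class ClearPassModel:
    """Toy model of the ClearPass machine-auth cache and combined policy."""

    def __init__(self, cache_period=MACHINE_AUTH_CACHE):
        self.cache_period = cache_period
        self.last_machine_auth = {}  # endpoint MAC -> time of last machine auth

    def machine_auth(self, mac, now):
        # Windows sends this only at boot (before logon) and at logoff/reboot;
        # every new machine auth refreshes the cache timer.
        self.last_machine_auth[mac] = now

    def machine_auth_cached(self, mac, now):
        seen = self.last_machine_auth.get(mac)
        return seen is not None and now - seen <= self.cache_period

    def user_auth(self, mac, groups, now):
        # Full role only when a machine auth is cached AND the user's group maps.
        if not self.machine_auth_cached(mac, now):
            return RESTRICTED
        for group in groups:
            if group in GROUP_ROLES:
                return GROUP_ROLES[group]
        return RESTRICTED


def docking_scenario():
    """Replays the thread's scenario; returns the role granted at each step."""
    cp = ClearPassModel()
    mac = "00:11:22:33:44:55"  # constructed endpoint address
    t0 = datetime(2017, 11, 3, 8, 0)
    roles = []
    # Booted while docked on a wired port with no 802.1X: no machine auth reaches
    # ClearPass. Undocking for a meeting triggers a wireless user auth only.
    roles.append(cp.user_auth(mac, ["Finance"], t0))
    # User reboots on wireless: machine auth is sent and cached, user auth follows.
    cp.machine_auth(mac, t0 + timedelta(hours=1))
    roles.append(cp.user_auth(mac, ["Finance"], t0 + timedelta(hours=1, minutes=1)))
    # Docked for 6 days, then undocks: the cache entry is still valid.
    roles.append(cp.user_auth(mac, ["Finance"], t0 + timedelta(days=6)))
    # No reboot for 8 days: cache expired, back to the restricted role.
    roles.append(cp.user_auth(mac, ["Finance"], t0 + timedelta(days=8)))
    return roles
```

Running `docking_scenario()` shows the restricted role on the first undock, the full role after a reboot, and the fall back to restricted once the cache period lapses.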



  • 6.  RE: Windows - Machine Auth and Docking Stations - Clearpass

    Posted Nov 03, 2017 10:53 PM

    I may not be fully understanding what you are describing but it sounds like you are giving machine auth and user auth the same access? If so, why not just configure Windows to only use Machine auth? I'd have to test this to verify but I think when you do this the Windows PC will machine auth at the times you mentioned AND when the user logs in. I included a screenshot of the setting I'm referring to.

    [Screenshot attachment: machine_auth_setting.PNG]

    Edit: fixed off to auth



  • 7.  RE: Windows - Machine Auth and Docking Stations - Clearpass

    Posted Nov 03, 2017 10:56 PM

    Nm, re-read what you posted and it looks like you are using User auth to give roles based on department. My above post wouldn't work in that scenario.



  • 8.  RE: Windows - Machine Auth and Docking Stations - Clearpass

    Posted Nov 03, 2017 05:41 PM

    "Machine Auths are only sent at the following times...

    Machine Boot - Before logon

    Logoff or Reboot"


    Interesting. I was not aware of the limitation. It seems like switching from the wired adapter to WiFi would be a good time to send machine auth but what do I know. My wired is not configured for dot1x either, but I do have a long caching period so that may be why I don't experience the issue.