Wireless Access

Windows - Machine Auth and Docking Stations - Clearpass

Clearpass policy is configured to require Machine and User authentication before providing full access enforcement profile. This was designed to ensure only corporate, domain joined and trusted computers are getting full access to the private network. Any auths not performing a Machine auth get a restricted role or no access. 

 

A common scenario is that a user comes into work, docks a domain joined laptop, boots up and logs into Windows. At this point, Machine Authentication has not been sent to Clearpass. The user may eventually undock the laptop to head into a meeting. The wireless adapter comes up and authenticates against ClearPass. Since ClearPass has not seen a Machine Auth, it will not pass proper policy and the user is left in a restricted role.

 

Anyone know of a good dynamic solution for this? I found this article but it is a very manual effort to add new attributes to the endpoint. I am hoping there is a better way. Any new Windows machines added to the domain will take a manual effort to configure in ClearPass.

 

http://community.arubanetworks.com/t5/tkb/articleprintpage/tkb-id/AAANACGuestAccessBYOD/article-id/580

 

 

 

Frequent Contributor I

Re: Windows - Machine Auth and Docking Stations - Clearpass

 

I don't understand why the machine auth would not be sent.

We use Windows 10 laptops on docking stations and do not experience this problem. (We do not require user auth except in the absence of machine auth). So for a domain joined computer, it pulls the credentials of the domain user who is logged in. No further interaction required from the end user.

 

 

Re: Windows - Machine Auth and Docking Stations - Clearpass

The wired connection is not configured for 802.1X, therefore a Machine Auth is not sent to ClearPass (there is no device to send it).

 

Machine Auths are only sent at the following times...

Machine Boot - Before logon

Logoff or Reboot

 

Also, this is only an issue if the user has not performed a machine auth during the period that is set for the machine auth cache in ClearPass. I.e., if the machine auth cache is set to a week, they can stay docked on the wired connection for, say, 6 days, undock and easily transition to wireless since the Machine Auth is still cached. The machine cache timer in ClearPass is also reset/refreshed every time the machine does a new machine auth.

 

So some people will configure the machine auth cache in ClearPass to last for several days. A user reboot (while on wireless) would usually resolve the situation. Then, most likely, they will boot up/shut down sometime within a week, which in turn renews the cache in ClearPass.

 

 

Guru Elite

Re: Windows - Machine Auth and Docking Stations - Clearpass

Are you actually giving users different policies based on who they are or just checking corporate asset?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Frequent Contributor I

Re: Windows - Machine Auth and Docking Stations - Clearpass

"Machine Auths are only sent at the following times...

Machine Boot - Before logon

Logoff or Reboot"

 

Interesting. I was not aware of the limitation. It seems like switching from the wired adapter to WiFi would be a good time to send machine auth but what do I know. My wired is not configured for dot1x either, but I do have a long caching period so that may be why I don't experience the issue.

 

 

Re: Windows - Machine Auth and Docking Stations - Clearpass

I combine them together. For example

 

Machine Auth - Success

User Auth - Success

MemberOf - Finance

= Finance Role

 

I then repeat this for other group memberships. The policy is much more complex than this, but this is the general idea.
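To make the two pieces of reasoning in this thread concrete (the machine auth cache timing a few replies up, and the combined Machine Auth + User Auth + group membership rule just above), here is a small Python model of that decision logic. This is an added example, not ClearPass code and not something any poster here supplied; the 7-day cache period, the MAC address, the dates and the group-to-role table are all constructed for illustration, and the "Machine Auth - Success" condition is modelled as "a machine auth for this endpoint is still within the cache period", as the thread describes it.

```python
# Added example: toy model of the ClearPass decision described in this thread.
# Not ClearPass code. All values (TTL, MAC, dates, group table) are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumed value for the machine auth cache period ("set to a week" in the thread).
MACHINE_AUTH_CACHE_TTL = timedelta(days=7)

# Hypothetical mapping of AD group membership to enforcement role.
GROUP_ROLES = {
    "Finance": "Finance Role",
    "Engineering": "Engineering Role",
}
RESTRICTED = "Restricted Role"


@dataclass
class MachineAuthCache:
    """Remembers, per endpoint MAC, when the last successful machine auth was seen."""
    last_seen: Dict[str, datetime] = field(default_factory=dict)

    def record_machine_auth(self, mac: str, when: datetime) -> None:
        # Every new machine auth resets the timer, i.e. the cache is refreshed.
        self.last_seen[mac] = when

    def is_cached(self, mac: str, now: datetime) -> bool:
        seen = self.last_seen.get(mac)
        return seen is not None and (now - seen) <= MACHINE_AUTH_CACHE_TTL


def enforce(cache: MachineAuthCache, mac: str, now: datetime,
            user_auth_ok: bool, member_of: List[str]) -> str:
    """Pick the role for a wireless user authentication.

    Mirrors the combined rule from the thread: Machine Auth success (here: a
    machine auth still in cache) AND User Auth success AND a known group
    membership gives the group role; anything else gives the restricted role.
    """
    if not cache.is_cached(mac, now):
        return RESTRICTED
    if not user_auth_ok:
        return RESTRICTED
    for group in member_of:
        if group in GROUP_ROLES:
            return GROUP_ROLES[group]
    return RESTRICTED


MAC = "00:11:22:33:44:55"            # constructed endpoint address
BOOT = datetime(2020, 1, 6, 8, 0)    # constructed: last reboot while on wireless


def undock_after_days(days_docked: int, reboot_on_day: Optional[int] = None) -> str:
    """Laptop machine-auths at BOOT, sits on non-802.1X wired for N days, then undocks.

    Optionally the user reboots while on wireless on a given day, which sends a
    fresh machine auth and refreshes the cache timer.
    """
    cache = MachineAuthCache()
    cache.record_machine_auth(MAC, BOOT)
    if reboot_on_day is not None:
        cache.record_machine_auth(MAC, BOOT + timedelta(days=reboot_on_day))
    undock = BOOT + timedelta(days=days_docked)
    return enforce(cache, MAC, undock, user_auth_ok=True, member_of=["Finance"])


def never_machine_authed() -> str:
    """The original problem: wired boot without 802.1X, so no machine auth was ever seen."""
    cache = MachineAuthCache()
    return enforce(cache, MAC, BOOT + timedelta(hours=3),
                   user_auth_ok=True, member_of=["Finance"])


if __name__ == "__main__":
    print("never machine-authed    :", never_machine_authed())
    print("undock after 6 days     :", undock_after_days(6))
    print("undock after 8 days     :", undock_after_days(8))
    print("reboot day 5, undock 10 :", undock_after_days(10, reboot_on_day=5))
```

Running it shows the three situations discussed: an endpoint ClearPass has never machine-authed lands in the restricted role; one that machine-authed within the cache period (6 days docked) gets the Finance role; one docked past the period (8 days) drops back to restricted until a reboot on wireless refreshes the cache.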

Contributor I

Re: Windows - Machine Auth and Docking Stations - Clearpass

I may not be fully understanding what you are describing but it sounds like you are giving machine auth and user auth the same access? If so, why not just configure Windows to only use Machine auth? I'd have to test this to verify but I think when you do this the Windows PC will machine auth at the times you mentioned AND when the user logs in. I included a screenshot of the setting I'm referring to.

 

[Screenshot attachment: machine_auth_setting.PNG]

Edit: fixed off to auth

Contributor I

Re: Windows - Machine Auth and Docking Stations - Clearpass

Nm, re-read what you posted and it looks like you are using User auth to give roles based on department. My above post wouldn't work in that scenario.
