last person joined: yesterday 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Clearpass Machine authentication

This thread has been viewed 24 times
  • 1.  Clearpass Machine authentication

    Posted Mar 22, 2019 07:41 PM

    I am trying to setup machine authentication on clearpass for an 802.1x wireless ssid.  This will be EAP-TLS.  I am having trouble understanding exactly how a device gets the [machine authenticated] role.  I have searched and searched and everyone says stuff like.


    "Domain machines attempt machine authentication with a username of host/<machine fqdn>.  If clearpass sees a device pass authentication with that username it assumes it is a domain machine that has authenticated"


    But it doesn't really answer the question.  My service is not working and the alert says both "user not found" for ad and "unknown user" for EAP-TLS.  


    I am trying to figure out exactly what radius attribute is matched to what active directory attribute for machine authentication? So I can figure out why the user is not found.


    is "Radius:IETF:User-Name" match to "AD dNSHostName" and if it matches a user is found?  Since it is EAP-TLS i assume the user just has to be found in ad as there is no password.


    I have searched and searched and just can not seem to find the answer anywhere.

  • 2.  RE: Clearpass Machine authentication

    Posted Oct 07, 2021 05:09 PM
    Hi Jerry,

    I know this is an old one, but I was wondering if you ever got an answer on how the role [Machine Authenticated] is derived. I am working on this now and it kind of confuses me. I just see tons of discussions indicating you need to create an Endpoint attribute, but if I can avoid that it would be great.


  • 3.  RE: Clearpass Machine authentication

    Posted Oct 07, 2021 05:36 PM
    AFAIK, whenever a host authenticates successfully with a username that begins with "host/" that mac address is considered machine authenticated.

    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.