AFAIK, whenever a host authenticates successfully with a username that begins with "host/" that mac address is considered machine authenticated.
------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
------------------------------
Original Message:
Sent: Oct 07, 2021 05:08 PM
From: Mark Demers
Subject: Clearpass Machine authentication
Hi Jerry,
I know this is an old one, but I was wondering if you ever got an answer on how the role [Machine Authenticated] is derived. I am working on this now and it kind of confuses me. I just see tons of discussions indicating you need to create an Endpoint attribute, but if I can avoid that it would be great.
Original Message:
Sent: Mar 22, 2019 07:41 PM
From: Jerry Bucklaew
Subject: Clearpass Machine authentication
I am trying to setup machine authentication on clearpass for an 802.1x wireless ssid. This will be EAP-TLS. I am having trouble understanding exactly how a device gets the [machine authenticated] role. I have searched and searched and everyone says stuff like.
"Domain machines attempt machine authentication with a username of host/<machine fqdn>. If clearpass sees a device pass authentication with that username it assumes it is a domain machine that has authenticated"
But it doesn't really answer the question. My service is not working and the alert says both "user not found" for ad and "unknown user" for EAP-TLS.
I am trying to figure out exactly what radius attribute is matched to what active directory attribute for machine authentication? So I can figure out why the user is not found.
is "Radius:IETF:User-Name" match to "AD dNSHostName" and if it matches a user is found? Since it is EAP-TLS i assume the user just has to be found in ad as there is no password.
I have searched and searched and just can not seem to find the answer anywhere.