Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass only allow domain computers 802.1x service

  • 1.  Clearpass only allow domain computers 802.1x service

    Posted Jul 14, 2021 06:50 PM
    Hi all,

    I have a couple of questions regarding 802.1X services.

    1. Is it possible to force only domain computers to connect to the corporate 802.1X SSID? Machine authentication?

    2. On the guest SSID, is it possible to block domain computers from accessing the SSID? (It's in another VLAN and its traffic is separate from the core.) (This can also be done by GPO, I know that.)

    ------------------------------
    Bruno Costa
    ------------------------------


  • 2.  RE: Clearpass only allow domain computers 802.1x service

    Posted Jul 15, 2021 03:18 AM
    1. Yes
    2. Yes

    Just check for AD account in Role Mapping policy and act accordingly.

    Best, Gorazd

    ------------------------------
    Gorazd Kikelj
    ------------------------------



  • 3.  RE: Clearpass only allow domain computers 802.1x service

    EMPLOYEE
    Posted Jul 15, 2021 05:22 AM
    Using Computer Only / Machine Authentication is indeed the easiest way to achieve objective 1.

    To prevent domain computers on the Guest network, it is harder as they don't authenticate on an open/PSK network typically used for Guest. One option is to use 'Update Endpoint' in the 802.1X service and put an attribute in the Endpoint database when a client does a successful Machine Authentication. Then in Guest you can check if the attribute is there (enable MAC authentication if you haven't yet) and either block or return a role/VLAN/captive portal redirect such that the user understands they should not be doing that. Another option is to use a Group Policy and push an SSID configuration for the same SSID name as your Guest, but with incompatible authentication parameters. For example configure PSK with a bogus PSK, if the Guest network is open or PSK with another key. Good thing is that Windows (at least) will prevent users from connecting to such a network, and they can't remove the network configuration pushed by the GPO either, so pretty effective.

    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
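To make the 'Update Endpoint' design from the reply above concrete, here is an added simulation in Python; it is not ClearPass code and not Herman's, only a model of the two services and the Endpoints repository they share. It also covers Gorazd's point, since the corporate service decides on the machine identity (host/...) rather than on a user credential. The attribute name Domain-Computer, the role names, the AD domain corp.example and the sample MAC addresses are constructed assumptions. One step goes slightly beyond the reply: MAC addresses are normalised before lookup, so a tag written when the corporate service saw AA-BB-CC-00-11-22 is still found when the guest service sees aa:bb:cc:00:11:22.

```python
# Added example (not ClearPass code): a model of the two-service design from
# the reply above. Attribute name, role names, domain and MACs are assumptions.
from dataclasses import dataclass, field

DOMAIN_TAG = "Domain-Computer"   # assumed custom Endpoint attribute name
AD_DOMAIN = "corp.example"       # assumed AD DNS domain


def normalize_mac(mac: str) -> str:
    """Store MACs in one canonical form so 'AA-BB-..' and 'aa:bb:..' match."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


@dataclass
class Endpoint:
    mac: str
    attributes: dict = field(default_factory=dict)


# Stand-in for the ClearPass Endpoints repository, keyed by normalised MAC.
endpoint_db: dict[str, Endpoint] = {}


def is_machine_identity(username: str) -> bool:
    """Windows machine auth presents host/<computer>.<dns-domain> as the identity."""
    u = username.lower()
    return u.startswith("host/") and u.endswith("." + AD_DOMAIN)


def corporate_dot1x_service(mac: str, username: str, ad_auth_ok: bool):
    """Corporate SSID: accept only machine authentication, then 'Update Endpoint'."""
    if not ad_auth_ok:
        return "REJECT", None
    if not is_machine_identity(username):
        # A user credential alone (e.g. a personal laptop) is not a domain computer.
        return "REJECT", None
    key = normalize_mac(mac)
    ep = endpoint_db.setdefault(key, Endpoint(key))
    ep.attributes[DOMAIN_TAG] = "true"   # what the Update Endpoint profile would write
    return "ACCEPT", "Domain-Computer"


def guest_mac_auth_service(mac: str, mode: str = "redirect"):
    """Guest SSID with MAC auth enabled: consult the tag left by the corporate service."""
    ep = endpoint_db.get(normalize_mac(mac))
    if ep is not None and ep.attributes.get(DOMAIN_TAG) == "true":
        if mode == "block":
            return "REJECT", None
        # Restricted role: captive portal telling the user to use the corporate SSID.
        return "ACCEPT", "Corporate-Device-Wrong-SSID"
    return "ACCEPT", "Guest"


def demo():
    """Walk through the scenario; returns the decisions for inspection."""
    results = {}
    # Constructed sample: a domain-joined laptop machine-authenticates on corporate Wi-Fi.
    results["machine_auth"] = corporate_dot1x_service(
        "AA-BB-CC-00-11-22", "host/LAPTOP01.corp.example", True)
    # Same laptop (MAC written with a different separator) tries the guest SSID.
    results["domain_on_guest"] = guest_mac_auth_service("aa:bb:cc:00:11:22")
    results["domain_on_guest_block"] = guest_mac_auth_service("aa:bb:cc:00:11:22", mode="block")
    # A visitor's phone: no tag, normal guest access.
    results["visitor"] = guest_mac_auth_service("de:ad:be:ef:00:01")
    # A personal laptop with a valid user credential but no machine account.
    results["user_only"] = corporate_dot1x_service("de:ad:be:ef:00:02", "alice@corp.example", True)
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The guest service only works if MAC authentication is enabled on the guest SSID (as the reply notes), because an open or PSK network otherwise never sends ClearPass a request to evaluate; the `mode` argument shows the two outcomes Herman describes, a hard reject or a restricted role that can carry a VLAN or captive-portal redirect.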



  • 4.  RE: Clearpass only allow domain computers 802.1x service

    Posted Jul 15, 2021 04:17 PM
    Dear Herman Robers,

    Please help me, how do I configure this option?
    User Domain --> cannot Onboard
    Device in Domain + User Domain --> Onboard


    ------------------------------
    Son Nguyen
    ------------------------------



  • 5.  RE: Clearpass only allow domain computers 802.1x service

    EMPLOYEE
    Posted Jul 16, 2021 03:52 AM
    This follow-up is out of scope, and the same question has been answered here. You should not use Onboard for managed devices, and I'm not aware of a method to find out if a device is part of the domain without doing that by a computer authentication, which is the recommended way for domain-joined computers to access the network. One option that might work is to use MSCHAPv2 with the computer account initially, put the computer in a specific VLAN, then only allow Onboarding from that VLAN. It may be better to work with your partner or local Aruba SE to find out what you should be implementing, as the use case is not what Onboard is designed for, and the onboarding, and each time the certificate expires, will require manual interaction from the end user. Group Policies or MDM are the preferred methods by magnitudes.

    ------------------------------
    Herman Robers
    ------------------------------
    ------------------------------