View Only
last person joined: 18 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Enforcing both User and Machine auth with ClearPass

Jump to Best Answer
This thread has been viewed 19 times
  • 1.  Enforcing both User and Machine auth with ClearPass

    Posted Jan 25, 2022 10:12 PM

    We are trying to enforce both user and machine authentication on Windows 10 PCs. We have an active directory controller and clearpass 6.8.
    On the Windows 10 PC, the 802.1X setting I choose is "User or Computer Authentication".
    I was hoping that once the computer is authenticated against the AD (we have an authentication source as our AD), the user authentication will kick in on the client PC but it doesn't.
    The computer authentication goes through fine but what should I do to make sure the PC starts user authentication afterwards. The user authentication is username/password based.

    Any ideas how this might work.


  • 2.  RE: Enforcing both User and Machine auth with ClearPass
    Best Answer

    Posted Jan 26, 2022 01:04 AM
    User authentication only occurs at the time a user actually logs in.  Machine authentication occurs at the ctrl-alt-delete screen.  If  user logs off, that could trigger machine authentication.

    Most secure environments eventually settle on EAP-TLS with machine-only authentication, since the computer itself will enforce user authentication.  The machine will also have access to the network at the CTRL-ALT delete screen to be remotely updated and for group policy updates.

    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

  • 3.  RE: Enforcing both User and Machine auth with ClearPass

    Posted Jan 26, 2022 05:01 AM
    Thanks Joseph, that clarifies it and it worked out fine as well, much obliged.

    ali amjad

  • 4.  RE: Enforcing both User and Machine auth with ClearPass

    Posted Jan 26, 2022 12:16 PM

    There is another option here if you are running a new enough version of Windows10.  Roughly a year ago Windows released support for the EAP-TEAP protocol which allows for a simultaneous USER and Machine Authentication.  For me personally, i can't do without the user Auth because it contains all of the valuable Security group memberships associated only with the user account.  These groups are frequently used in the policy.  Clearpass does support this protocol but be sure that all of your devices are on a new enough version of Win10 to utilize it.  It will work with both EAP-TLS and EAP-PEAP but the preference of course will be TLS.

    Jeff Davitt