Security

Hello,

We are trying to enforce both user and machine authentication on Windows 10 PCs. We have an active directory controller and clearpass 6.8.
On the Windows 10 PC, the 802.1X setting I choose is "User or Computer Authentication".
I was hoping that once the computer is authenticated against the AD (we have an authentication source as our AD), the user authentication will kick in on the client PC but it doesn't.
The computer authentication goes through fine but what should I do to make sure the PC starts user authentication afterwards. The user authentication is username/password based.

Any ideas how this might work.

Thanks,
Ali

User authentication only occurs at the time a user actually logs in.  Machine authentication occurs at the ctrl-alt-delete screen.  If  user logs off, that could trigger machine authentication.

Most secure environments eventually settle on EAP-TLS with machine-only authentication, since the computer itself will enforce user authentication.  The machine will also have access to the network at the CTRL-ALT delete screen to be remotely updated and for group policy updates.

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
------------------------------

Original Message:
Sent: Jan 25, 2022 10:12 PM
From: ali amjad
Subject: Enforcing both User and Machine auth with ClearPass

Hello,

We are trying to enforce both user and machine authentication on Windows 10 PCs. We have an active directory controller and clearpass 6.8.
On the Windows 10 PC, the 802.1X setting I choose is "User or Computer Authentication".
I was hoping that once the computer is authenticated against the AD (we have an authentication source as our AD), the user authentication will kick in on the client PC but it doesn't.
The computer authentication goes through fine but what should I do to make sure the PC starts user authentication afterwards. The user authentication is username/password based.

Any ideas how this might work.

Thanks,
Ali

Thanks Joseph, that clarifies it and it worked out fine as well, much obliged.

------------------------------
ali amjad
------------------------------

Original Message:
Sent: Jan 26, 2022 01:03 AM
From: Colin Joseph
Subject: Enforcing both User and Machine auth with ClearPass

User authentication only occurs at the time a user actually logs in.  Machine authentication occurs at the ctrl-alt-delete screen.  If  user logs off, that could trigger machine authentication.

Most secure environments eventually settle on EAP-TLS with machine-only authentication, since the computer itself will enforce user authentication.  The machine will also have access to the network at the CTRL-ALT delete screen to be remotely updated and for group policy updates.

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

Original Message:
Sent: Jan 25, 2022 10:12 PM
From: ali amjad
Subject: Enforcing both User and Machine auth with ClearPass

Hello,

We are trying to enforce both user and machine authentication on Windows 10 PCs. We have an active directory controller and clearpass 6.8.
On the Windows 10 PC, the 802.1X setting I choose is "User or Computer Authentication".
I was hoping that once the computer is authenticated against the AD (we have an authentication source as our AD), the user authentication will kick in on the client PC but it doesn't.
The computer authentication goes through fine but what should I do to make sure the PC starts user authentication afterwards. The user authentication is username/password based.

Any ideas how this might work.

Thanks,
Ali

Ali,

There is another option here if you are running a new enough version of Windows10.  Roughly a year ago Windows released support for the EAP-TEAP protocol which allows for a simultaneous USER and Machine Authentication.  For me personally, i can't do without the user Auth because it contains all of the valuable Security group memberships associated only with the user account.  These groups are frequently used in the policy.  Clearpass does support this protocol but be sure that all of your devices are on a new enough version of Win10 to utilize it.  It will work with both EAP-TLS and EAP-PEAP but the preference of course will be TLS.

------------------------------
Jeff Davitt
------------------------------

Original Message:
Sent: Jan 25, 2022 10:12 PM
From: ali amjad
Subject: Enforcing both User and Machine auth with ClearPass

Hello,

We are trying to enforce both user and machine authentication on Windows 10 PCs. We have an active directory controller and clearpass 6.8.
On the Windows 10 PC, the 802.1X setting I choose is "User or Computer Authentication".
I was hoping that once the computer is authenticated against the AD (we have an authentication source as our AD), the user authentication will kick in on the client PC but it doesn't.
The computer authentication goes through fine but what should I do to make sure the PC starts user authentication afterwards. The user authentication is username/password based.

Any ideas how this might work.

Thanks,
Ali