Security

last person joined: an hour ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Machine Authentication

Jump to Best Answer
  • 1.  Machine Authentication

    Posted Oct 08, 2014 10:27 AM

    Hi Everyone..

     

    I am trying to be able to have a domain based laptop authenticate a user that has never logged into the laptop before.  The Windows laptop is in the domain, i have checked the box to enforce machine authentication, but in the logs on the controller I am seeing the MAC address of the machine trying to log into the controller locally.

     

    If I test with an account that has logged into the laptop prior, I am able to associate to the SSID without issue using RADIUS.  I am not having a problem with that.

     

    I need to be able to get the machine (the laptop) to associate to the SSID prior to any user logon so as I can then get the user that has never logged in prior to authenticate properly!  I have played with the profiles, but either I am missing something or need to change the profile becasue I can't seem to find the way to "tell" the incoming machine association to use RADIUS.

     

    What have I missed?



  • 2.  RE: Machine Authentication

    Posted Oct 08, 2014 10:32 AM

    Do you have a policy on your RADIUS server allowing Domain Computers to authenticate?



  • 3.  RE: Machine Authentication

    Posted Oct 08, 2014 10:40 AM

    I have the default RADIUS piece, but have read what you are talking about.  So, in other words, if I am reading into what you are saying: If I dont have the policy setup on the NPS server it will default to local on the controller?  I guess where I am going with this, is shouldnt I see teh machine failing against radius first on NPS and on the controller?

     

    The only error i am seeing is on the controller where is is basically saying <ERRS> |localdb|  User a0:88:xx:xx:xx:48 Failed Authentication..

     

    I will go to NPS now and add the policy..



  • 4.  RE: Machine Authentication

    Posted Oct 08, 2014 10:41 AM

    Sounds like you have the Internaldb set as your server-group.



  • 5.  RE: Machine Authentication

    Posted Oct 08, 2014 10:47 AM

    Well, maybe looking at the wrong spot on the GUI, but the profile (which includes the user autehntication) has the policy to go to radius.  In the profiles to use a machine, where and which attribute needs changed?  

     

    Basically, I have a profile built that is using radius for the user, I have checked the box to enforce machine authentication, is this not all of it?



  • 6.  RE: Machine Authentication

    Posted Oct 08, 2014 10:50 AM

    Can you post your AAA profile?

     

    Also, here's an explanation of how the local-userdb is involved in machine authentication.

     

    http://community.arubanetworks.com/t5/Controller-Based-WLANs/How-does-machine-authentication-work-on-the-Aruba-controller/ta-p/183440

     



  • 7.  RE: Machine Authentication

    Posted Oct 08, 2014 10:55 AM

    Here is the profile I have (again the user side is working great) - but that user has had to have logged in wired first...

     

    aaa profile "hir-adauth-profile"
       mac-default-role "authenticated"
       mac-server-group "hir-adauth-802.1x-server-group"
       authentication-dot1x "hir-adauth-802.1x-profile"
       dot1x-default-role "authenticated"
       dot1x-server-group "hir-adauth-802.1x-server-group"



  • 8.  RE: Machine Authentication

    Posted Oct 08, 2014 10:57 AM

    OK. Once you allow "Domain Computers" on your RADIUS server, this should start working correctly.



  • 9.  RE: Machine Authentication

    Posted Oct 08, 2014 11:14 AM

    Ok - so got an error at least on the radius server, now have to dig to undersatnd why.  The PC i am using is in the domain, but the error I am seeing is:

     

    Authentication was not successful because an unknown user name or incorrect password was used.  



  • 10.  RE: Machine Authentication
    Best Answer

    Posted Oct 08, 2014 12:34 PM

    Do you have termination done at the controller or your radius server?



  • 11.  RE: Machine Authentication

    Posted Oct 08, 2014 12:44 PM

    If you are asking if the termination check box is checked, then yes and I can authenticate my user account, but the computer account is being denied by NPS.  I have found numerous google kungfoo on this and tried everything for hours. 

     

    Again, user = ok ; computer account making it to NPS server, but being denied.  I have hadded doma\domain computers to the policy...



  • 12.  RE: Machine Authentication
    Best Answer

    Posted Oct 08, 2014 12:50 PM

    You cannot use Machine Authentication with EAP termination. You need to terminate EAP sessions on your RADIUS server.



  • 13.  RE: Machine Authentication

    Posted Oct 08, 2014 12:55 PM

    Tim, So now a bit confused with the last statement.  With the termination box checked, does that forward the incoming authentication to the NPS box?  Also, if I can't do this, then how do I have USER auth and MACHINE auth in differnte profiles??

     

    I thought that the machine account would get forwarded from the controller, just as the user, to the NPS box.  However, teh controller will "cache" the machine account for auth purposes and then cache it out..

     



  • 14.  RE: Machine Authentication

    Posted Oct 08, 2014 12:57 PM

    If you want to use machine authentication, you'll need to disable termination on the controller.

     

    Do you have an Aruba partner? There are some things you need to consider when switching to RADIUS server termination. 



  • 15.  RE: Machine Authentication

    Posted Oct 08, 2014 01:12 PM

    I got it - unchecked the termination box and then fixed NPS for auth method.  Thanks for your help!

     

     



  • 16.  RE: Machine Authentication

    Posted Nov 11, 2015 07:39 AM

    Hi Cappalli,

    If we use EAP-TLS with Radius authentication returning VLAN, may we disable the "machine-authentication"?

    The Aruba partner did this configuration since the initial instalation but I think we don't need this.

    Thank you.

    zemarcio



  • 17.  RE: Machine Authentication

    Posted Nov 11, 2015 08:23 AM

    You can configure 802.1x for both user and machine authentication . This hightens the authentication process further, since both the device and user need to be authenticated. Do you require machine authentication in your enviroment? Essentially a particular role can be assigned based on whether the machine passes authentication. However is there is a server-derived role, the server-derived role takes precedence.



  • 18.  RE: Machine Authentication

    Posted Nov 11, 2015 10:33 AM
    Yes, you can use EAP-TLS.


    Thanks,
    Tim