Security

last person joined: 13 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Guest role when machine authentication fail

  • 1.  Guest role when machine authentication fail

    Posted Mar 17, 2019 06:35 AM

    Dear All,

    One of cleinet requested to configure the clearpass as below. All laptopes which are ascociated with AD, need only mechine authentication. If mechine authentication fail, the laptos should go to guest-logon (guest captive portal should come up and will treat as guest). Same time the smart phones should go for user authentication (should connect by using own AD useranme and password).

     

    Here the guest captive portal is working fine as per service for Guest.

     

    I configured the mechine authentication and working fine. But once mechine authentication fail, both the Laptopes and smart phones are trying for user authentication (challenging for AD username and password). Any idea?

     

    Untitled.png



  • 2.  RE: Guest role when machine authentication fail

    Posted Mar 17, 2019 06:56 AM

    In principle, you would check in ClearPass to see if the device has passed user authentication, and you would return the aruba-user-role attribute of "guest-logon".  



  • 3.  RE: Guest role when machine authentication fail

    Posted Apr 18, 2019 05:45 AM

    Thamks cjoseph for your respnse.

     

    Here the exact requirements fro the client;

    - If a laptop user failed the mechine authentication, A message should show-up to "conatct IT department", istead of going to user authentication.
    - if a smartphone user faild mechine authentication, it should go to user authentication

     

    Is there any work around for this?

     

    Reg,

    Shamz



  • 4.  RE: Guest role when machine authentication fail

    Posted Apr 18, 2019 09:19 AM

    That is not a good flowchart.  If this is 802.1x, and a device fails authentication (machine or otherwise) it does not get an ip address, so there is nothing to redirect anywhere.

     

    A device cannot be prompted to machine authenticate.  It can attempt with a username of host/<machine name>.  Again, if it fails, it doesn't get an ip address, so there is nothing to redirect.

     

    If your customer only wants an SSID ONLY for devices that can machine authenticate, they should only accept devices in the domain machines AD group and reject anything else.