Security

last person joined: 2 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

"Enforce Machine Authentication" Clarification

Jump to Best Answer
  • 1.  "Enforce Machine Authentication" Clarification

    Posted Jul 20, 2019 05:22 PM

    Hello,

     

    I'm studying for ACMP, and reviewing the Advanced Security module.

     

    I understand what machine authentication is, and how it works compared to user authentication.

     

    But I don't get exactly what the option "Enforce Machine Authentication" is doing.

     

    • Does this mean the user won't be able to authenticate unless the machine is authenticated?
    • Is it the same as EAP Chaining?

    EAP Chaining is doing machine + user authentication in the same EAP session, which requires that the supplicant can support EAP Chaining.

     

    I would think that this option is different from EAP Chaining, in the sense that Windows machine would authenticate at bootup, and user will authenticate at logon.

     

    Someone can clarify on this option?

     

    Thanks,

    Andre.



  • 2.  RE: "Enforce Machine Authentication" Clarification
    Best Answer

    Posted Jul 20, 2019 06:05 PM


  • 3.  RE: "Enforce Machine Authentication" Clarification

    Posted Jul 20, 2019 06:19 PM

    Thanks for quick reply.

     

    I understand better now, this is all down to the role assigned, which will depend on the machine + user authentication status, as described here:

    Machine Auth Status

    User Auth Status

    Description

    Role Assigned

    Failed

    Failed

    Both machine authentication and user authentication failed. L2 authentication failed.

    No role assigned. No access to the network allowed.

    Failed

    Passed

    Machine authentication failed (for example, the machine information is not present on the server) and user authentication succeeded. Server-derived roles do not apply.

    Machine authentication default user role configured in the 802.1X authentication profile.

    Passed

    Failed

    Machine authentication succeeded and user authentication has not been initiated. Server-derived roles do not apply.

    Machine authentication default machine role configured in the 802.1X authentication profile.

    Passed

    Passed

    Both machine and user are successfully authenticated. If there are server-derived roles, the role assigned via the derivation take precedence. This is the only case where server-derived roles are applied.

    A role derived from the authentication server takes precedence. Otherwise, the 802.1X authentication default role configured in the AAA profile is assigned.

     

    I'm more familiar with Cisco, and this is really different from how they handle authentication.

     

    The use of roles in Aruba architecture allows to much more flexibility !