Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Machine + user authentication eap-tls

  • 1.  Machine + user authentication eap-tls

    Posted Aug 19, 2020 11:56 AM

    Hi All,

    I am using the Aruba wireless setup and want to use Machine + user certificate authentication.

    While testing I found that a few PCs were sending the machine authentication + user authentication roles and were allowed onto the network, but most of the PCs were sending only the user authentication role and those were getting access denied by policy.

    Client PCs have both the user and machine certificates. Also, the 802.1X client profile has the option "user or computer authentication" selected.

    How do I resolve this issue, or shall I use only machine auth?


  • 2.  RE: Machine + user authentication eap-tls

    Posted Aug 19, 2020 12:06 PM

    Short answer: use only machine authentication.  Your users still have to login to their PCs successfully to get on the network and do anything.  A user who has never logged into a PC cannot get onto the wireless network if user+computer authentication is enabled.



  • 3.  RE: Machine + user authentication eap-tls

    Posted Aug 20, 2020 02:52 AM

    Hi Cjoseph,

    Thanks for the quick response.

    What is the cause of the issue I am facing currently?

    What do best practices say: whether to use 2 certificates or a single certificate?


  • 4.  RE: Machine + user authentication eap-tls

    Posted Aug 20, 2020 06:41 AM

    Machine authentication is sent by the domain device only when the laptop is first booting up, or when someone logs out of their computer.  So for people that lock their computers and do not log out or shut down their computers, their machine authentication status expires in ClearPass after 24 hours, and they are no longer machine authenticated.  You can extend that parameter in ClearPass to more than 24 hours, but that parameter tracks MAC addresses of users who have machine authenticated and can be spoofed to imitate a machine that has already authenticated.  In addition, if a user has never authenticated to the machine before, their certificate is not in their user profile, so they cannot connect to the wireless.  Those reasons are why it is best to do machine-only authentication, instead of user and machine.

    I hope that makes sense.
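
The following is an added illustration, not code from the thread or from ClearPass: a simplified Python model of the behaviour the reply describes, where the RADIUS server remembers the last machine authentication per client MAC and a later user authentication only earns the "user+machine" role while that cached entry is younger than the expiry window (24 hours by default here). The event timeline, MAC addresses and role names are constructed for the example; the cache is deliberately keyed on MAC alone, which is the weakness the reply points out when the window is extended.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# The 24-hour window mentioned in the reply above (assumed default for this model).
DEFAULT_MACHINE_AUTH_TTL = timedelta(hours=24)


@dataclass
class AuthEvent:
    """One EAP-TLS authentication as the policy server sees it.

    kind is 'machine' (sent at boot or after logoff) or 'user' (sent after an
    interactive logon, using the user's certificate)."""
    t: datetime
    mac: str
    kind: str


class MachineAuthCache:
    """Simplified model of a machine-authentication cache: per client MAC,
    remember when that MAC last completed a machine authentication.
    Note the key is the MAC only; nothing else ties the entry to the device."""

    def __init__(self, ttl):
        self.ttl = ttl
        self._last_machine_auth = {}

    def record(self, ev):
        if ev.kind == "machine":
            self._last_machine_auth[ev.mac] = ev.t

    def is_machine_authenticated(self, mac, now):
        last = self._last_machine_auth.get(mac)
        return last is not None and now - last <= self.ttl


def assign_role(ev, cache):
    """Role a 'user + machine' policy would assign to this authentication."""
    if ev.kind == "machine":
        return "machine-authenticated"
    if cache.is_machine_authenticated(ev.mac, ev.t):
        return "user+machine-authenticated"
    return "user-only"


def evaluate(events, ttl=DEFAULT_MACHINE_AUTH_TTL):
    """Replay events in time order; return [(event, role, allowed)].
    Only the 'user-only' role is denied, matching the original poster's policy."""
    cache = MachineAuthCache(ttl)
    results = []
    for ev in sorted(events, key=lambda e: e.t):
        cache.record(ev)
        role = assign_role(ev, cache)
        results.append((ev, role, role != "user-only"))
    return results


# Constructed sample timeline (hypothetical MACs, not real logs).
T0 = datetime(2020, 8, 19, 8, 0)
SAMPLE_EVENTS = [
    AuthEvent(T0, "aa:bb:cc:00:00:01", "machine"),                      # laptop boots
    AuthEvent(T0 + timedelta(minutes=5), "aa:bb:cc:00:00:01", "user"),  # user logs in
    AuthEvent(T0 + timedelta(hours=30), "aa:bb:cc:00:00:01", "user"),   # only locked, roams 30 h later
    AuthEvent(T0 + timedelta(hours=31), "aa:bb:cc:00:00:02", "user"),   # PC that never machine-authenticated
]


def decisions(ttl=DEFAULT_MACHINE_AUTH_TTL):
    """(role, allowed) for each sample event under the given cache window."""
    return [(role, allowed) for _, role, allowed in evaluate(SAMPLE_EVENTS, ttl)]


if __name__ == "__main__":
    for ev, role, allowed in evaluate(SAMPLE_EVENTS):
        verdict = "ALLOW" if allowed else "DENY"
        print(f"{ev.t:%m-%d %H:%M} {ev.mac} {ev.kind:7} -> {role:26} {verdict}")
```

Running it with the default window denies the third event (the user who only locked the PC and reconnected after 30 hours) and the fourth (a MAC with no machine authentication on record), which is the pattern the original poster saw. Passing `timedelta(hours=72)` to `decisions` lets the third event through, but only because the cache trusts the MAC address, which is the trade-off the reply warns about.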



  • 5.  RE: Machine + user authentication eap-tls

    Posted Aug 19, 2020 01:27 PM

    More info about Machine Auth... seems like there are issues with it.

    https://community.arubanetworks.com/t5/Security/Windows-using-domain-machinename-during-Computer-Authentication/td-p/286551/page/3

    Maybe you could also update your progress there if you can solve yours.

    And this is how to solve it using regedit.

    https://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Machine-authentication-fails-when-ssid-profile-pushed-via-GPO/ta-p/290978

    Best Regards

    Yopianus Linga



  • 6.  RE: Machine + user authentication eap-tls

    Posted Aug 19, 2020 01:30 PM

    The OP mentioned they are using certificates, not EAP-PEAP like the thread with the problem.