
Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Backup machine auth cache?

  • 1.  Backup machine auth cache?

    Posted May 23, 2024 09:58 AM

    quick question.

    What database contains the machine auth cache and more importantly: is that backed up with a standard backup?  (config only? insight?)
    Will it survive a backup/restore?

  • 2.  RE: Backup machine auth cache?
    Best Answer

    Posted May 23, 2024 10:05 AM

    The information is stored in the battery (cache) and not permanently kept.

    Carson Hulcher, ACEX#110

  • 3.  RE: Backup machine auth cache?

    Posted May 23, 2024 10:14 AM

    That means it will NOT be backed up then?  

  • 4.  RE: Backup machine auth cache?

    Posted May 23, 2024 10:19 AM


    Carson Hulcher, ACEX#110

  • 5.  RE: Backup machine auth cache?

    Posted May 23, 2024 10:21 AM

    In general, I never recommend using the [Machine Authenticated] role for anything.  There are better and more consistent methods for determining computer authentication state.  That cache is storing nothing but the MAC address as a known authenticated device for a period of time.

    Carson Hulcher, ACEX#110

  • 6.  RE: Backup machine auth cache?

    Posted May 23, 2024 10:46 AM

    I fully agree that the [Machine Authenticated] role isn't a good idea. The reason is the way this role is assigned and works in ClearPass and how Windows clients authenticate.

    The [Machine Authenticated] role is only assigned when a Windows computer authenticates to the network and no user is logged on, for example just after a boot, before user login.

    Another situation where this will not work is a computer where the user does not log out every day.

    In many cases the machine never performs the computer authentication on the network, for example if the user has the laptop in sleep and connects the computer. In this case the user is still logged in, and only a user authentication will take place.

    If the enforcement requires [Machine Authenticated], this condition will fail.

    A better solution is to implement EAP-TEAP and with this perform both computer and user authentication at the same time. Herman Robers has some good demo videos on YouTube related to this:

    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
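The timing problem described in the two replies above (a MAC-keyed cache entry written at boot, consumed by later user-only authentications, and aging out on a laptop that is never rebooted) can be made concrete with a small model. The following is an added example written for this thread, not ClearPass code: the cache lifetime, the "host/" and "user@" identity formats, the "PEAP"/"TEAP" method labels, the [User Authenticated] role name and the sample MAC address are all assumptions chosen for illustration.

```python
"""Constructed model of a MAC-keyed machine-authentication cache.

Not ClearPass code. Cache lifetime, identity formats, method labels and the
[User Authenticated] role name are assumptions for illustration only.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MACHINE_AUTH_TTL = timedelta(hours=24)   # assumed lifetime; the real timeout is a configurable setting
MACHINE_ROLE = "[Machine Authenticated]"
USER_ROLE = "[User Authenticated]"        # assumed role name


@dataclass
class MachineAuthCache:
    """MAC address -> time the computer identity last authenticated (as the thread describes)."""
    entries: dict[str, datetime] = field(default_factory=dict)

    def record(self, mac: str, when: datetime) -> None:
        self.entries[mac] = when

    def is_fresh(self, mac: str, now: datetime) -> bool:
        seen = self.entries.get(mac)
        return seen is not None and now - seen <= MACHINE_AUTH_TTL


@dataclass
class AuthEvent:
    at: datetime
    mac: str
    identities: tuple[str, ...]   # "host/..." = computer identity, anything else = user
    method: str                   # "PEAP": one identity per session; "TEAP": both in one session


def evaluate(cache: MachineAuthCache, ev: AuthEvent) -> set[str]:
    """Assign roles the way the thread explains it: a computer identity writes the
    cache entry; a later user-only authentication inherits [Machine Authenticated]
    only while that entry is still fresh. With TEAP both identities arrive in the
    same exchange, so the role does not depend on the cache at all."""
    roles: set[str] = set()
    has_machine = any(i.startswith("host/") for i in ev.identities)
    has_user = any(not i.startswith("host/") for i in ev.identities)
    if has_machine:
        cache.record(ev.mac, ev.at)
        roles.add(MACHINE_ROLE)
    if has_user:
        roles.add(USER_ROLE)
        if ev.method == "PEAP" and cache.is_fresh(ev.mac, ev.at):
            roles.add(MACHINE_ROLE)
    return roles


def require_machine_and_user(roles: set[str]) -> bool:
    """Enforcement condition that requires both the computer and the user to be authenticated."""
    return {MACHINE_ROLE, USER_ROLE} <= roles


def scenario_peap() -> list[bool]:
    """Boot (machine auth), login (user auth), resume from sleep the same day, then a
    resume three days later with the user still logged in and no reboot in between.
    Returns whether the enforcement condition passes for each event."""
    cache = MachineAuthCache()
    mac = "00:11:22:33:44:55"   # constructed sample MAC
    t0 = datetime(2024, 5, 20, 8, 0)
    events = [
        AuthEvent(t0, mac, ("host/laptop01.example.local",), "PEAP"),
        AuthEvent(t0 + timedelta(minutes=1), mac, ("alice@example.local",), "PEAP"),
        AuthEvent(t0 + timedelta(hours=9), mac, ("alice@example.local",), "PEAP"),
        AuthEvent(t0 + timedelta(days=3), mac, ("alice@example.local",), "PEAP"),
    ]
    return [require_machine_and_user(evaluate(cache, e)) for e in events]


def scenario_teap() -> bool:
    """One EAP-TEAP session carrying both identities: passes with an empty cache."""
    cache = MachineAuthCache()
    ev = AuthEvent(datetime(2024, 5, 23, 8, 0), "00:11:22:33:44:55",
                   ("host/laptop01.example.local", "alice@example.local"), "TEAP")
    return require_machine_and_user(evaluate(cache, ev))


if __name__ == "__main__":
    print("PEAP sequence:", scenario_peap())   # the last resume fails once the entry has aged out
    print("TEAP session:", scenario_teap())
```

The PEAP sequence passes only while the boot-time cache entry is younger than the assumed lifetime, and the machine-only event at boot never satisfies the condition on its own; the TEAP session passes without any cache state, which is the property the reply above is pointing at. The model also shows why the cache is worthless for a backup/restore question: it is a time-bounded side table keyed by MAC, not part of the configuration.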