I fully agree that the [Machine Authenticated] role isn't a good idea. The reason is the way this role is assigned and works in ClearPass and how Windows clients authenticate.
The [Machine Authenticated] role is only assigned when a Windows computer authenticates to the network and no user is logged on. For example, just after a boot, before user login.
Another situation where this will not work is a computer where the user does not log out every day.
In many cases the machine never performs the computer authentication on the network, for example if the user has the laptop in sleep and connects the computer. In this case the user is still logged in, and only a user authentication will take place.
If the enforcement requires [Machine Authenticated], this condition will fail.
A better solution is to implement EAP-TEAP and with this perform both computer and user authentication at the same time. Herman Robers has some good demo videos on YouTube related to this: https://www.youtube.com/watch?v=nTHQsBgRjb4
------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
------------------------------
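The failure mode described in this thread, as an added example that is not part of the original posts and is not ClearPass code: a toy model of a MAC-keyed cache that only a computer authentication refreshes, replayed over a constructed timeline. The 24-hour lifetime, the MAC addresses and all function names are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

CACHE_LIFETIME_H = 24  # assumed cache lifetime in hours (constructed value)


@dataclass
class MachineAuthCache:
    """Toy cache: stores nothing but MAC -> hour of last computer authentication."""
    lifetime_h: float = CACHE_LIFETIME_H
    seen: dict = field(default_factory=dict)

    def computer_auth(self, mac, hour):
        # Only a computer authentication (no user logged on) refreshes the entry.
        self.seen[mac] = hour

    def is_machine_authenticated(self, mac, hour):
        last = self.seen.get(mac)
        return last is not None and (hour - last) <= self.lifetime_h


def replay(events, lifetime_h=CACHE_LIFETIME_H):
    """Replay (hour, mac, kind) events in time order.

    Returns (hour, mac, "allow" | "deny") for every user authentication,
    under a policy that requires the machine-authenticated state.
    """
    cache = MachineAuthCache(lifetime_h)
    results = []
    for hour, mac, kind in sorted(events):
        if kind == "computer":
            cache.computer_auth(mac, hour)
        elif kind == "user":
            ok = cache.is_machine_authenticated(mac, hour)
            results.append((hour, mac, "allow" if ok else "deny"))
    return results


LAPTOP_A = "aa:bb:cc:00:00:01"  # constructed: never rebooted, only sleeps
LAPTOP_B = "aa:bb:cc:00:00:02"  # constructed: rebooted on day two

EVENTS = [  # constructed timeline, hours since Monday 08:00
    (0, LAPTOP_A, "computer"),   # boot, no user logged on yet
    (0.5, LAPTOP_A, "user"),     # user logs in
    (9, LAPTOP_A, "user"),       # reconnect the same day, user still logged in
    (26, LAPTOP_A, "user"),      # Tuesday: resume from sleep, user auth only
    (24, LAPTOP_B, "computer"),  # Tuesday: fresh boot
    (24.5, LAPTOP_B, "user"),    # user logs in after the boot
]

if __name__ == "__main__":
    for hour, mac, verdict in replay(EVENTS):
        print(f"t={hour:>5}h {mac} user auth -> {verdict}")
```

The laptop that only sleeps is denied at hour 26 although nothing about the device changed, which is the inconsistency the posts above attribute to policies that depend on this cached state.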
Original Message:
Sent: May 23, 2024 10:21 AM
From: chulcher
Subject: Backup machine auth cache?
In general, I never recommend using the [Machine Authenticated] role for anything. There are better and more consistent methods for determining computer authentication state. That cache is storing nothing but the MAC address as a known authenticated device for a period of time.
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: May 23, 2024 10:14 AM
From: koen
Subject: Backup machine auth cache?
That means it will NOT be backed up then?
Original Message:
Sent: May 23, 2024 10:05 AM
From: chulcher
Subject: Backup machine auth cache?
The information is stored in the battery (cache) and not permanently kept.
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: May 23, 2024 09:58 AM
From: koen
Subject: Backup machine auth cache?
Quick question.
What database contains the machine auth cache and more importantly: is that backed up with a standard backup? (config only? insight?)
Will it survive a backup/restore?