
enforce machine authentication question

  • 1.  enforce machine authentication question

    Posted Jun 08, 2012 07:20 PM

    Okay, I got the following scenario in a lab I'm doing:

    I got a RADIUS authentication server, my AD and my wireless controller.

    Okay, on my RADIUS authentication server I got these conditions on the network policies:

    1 Network policy = if it belongs to the engineering group you are granted network access, and then I also send a Filter-Id with the name of the role

    2 Network policy = if it belongs to the sales group you are granted network access, and then I also send a Filter-Id with the name of the role

    Okay, that works awesome!

    Now let's say I would like to also enforce machine authentication on the first network policy, so let's say I would like to do this:

    If the user belongs to the users Engineering group AND the machine belongs to the machines Engineering group, you grant access to the network and then also send a Filter-Id with the name of the role.

    Is that possible? To do both authentications, user and also machine authentication? (I know I have to check the Enforce Machine Authentication box on the wireless controller.) Well, is that possible?

    I mean, I read that groups are considered as an OR statement, which makes me think that it will look first for the engineering user group and it will not look for the machine engineering group?

    Well, I first tried to configure it with no success.... I'm getting the enforce machine authentication default group... it is not sending the Filter-Id....

    But then I started reading and read about the OR statement, which makes me think that maybe what I was trying to achieve is not possible....

    Can anyone enlighten me on this?

    Thank you in advance



  • 2.  RE: enforce machine authentication question

    Posted Jun 08, 2012 07:52 PM

    You can only use role derivation after a device has passed both user and machine authentication when you have Enforce Machine Authentication enabled.

    ClearPass Policy Manager (CPPM) provides the ability to be much more flexible with these types of rules.



  • 3.  RE: enforce machine authentication question

    Posted Jun 08, 2012 07:55 PM

    Yeah, it's okay that way.

    But there must be something I'm doing wrong, because the machine authentication is not working...

    The user authentication works alone...

    But when I add the enforce machine authentication on the Aruba controller and I add the group on the network policy which has my machine, it doesn't work...

    Is there something I got incorrectly configured?



  • 4.  RE: enforce machine authentication question

    Posted Jun 08, 2012 07:57 PM

    Has your device already machine authenticated (host/machine name)? It would only do this at the ctrl-alt-delete screen, or if you have your supplicant programmed to authenticate only with computer credentials.

     



  • 5.  RE: enforce machine authentication question

    Posted Jun 08, 2012 08:02 PM

    I just tried disconnecting it and connecting it... I didn't try to log off and log on...

    I used to have on my wireless connection properties, on the 802.1x option, just the user authentication; I changed it to authenticate with computer or user (there is no option to select in which it has to authenticate with user AND the computer).

    So I guess I just needed to log off or restart my computer so it can authenticate the machine, right? I was just trying disconnecting from the network and connecting it.



  • 6.  RE: enforce machine authentication question

    Posted Jun 08, 2012 08:05 PM

    @NightShade1 wrote:

    I just tried disconnecting it and connecting it... I didn't try to log off and log on...

    I used to have on my wireless connection properties, on the 802.1x option, just the user authentication; I changed it to authenticate with computer or user (there is no option to select in which it has to authenticate with user AND the computer).

    So I guess I just needed to log off or restart my computer so it can authenticate the machine, right? I was just trying disconnecting from the network and connecting it.


    With user and computer means authenticate as computer at the ctrl-alt-delete and as the user when someone is logged in. You need to log off, wait about a minute and look at the user table on the controller to see if the username changes to host/computername. When that happens, the controller has recorded the device as machine authenticated (802.1x-machine). If you log in successfully, it will mark it as just 802.1x, which means computer AND user authenticated. At that time, it will then be able to run derivation rules when that user logs in.

     

     



  • 7.  RE: enforce machine authentication question

    Posted Jun 08, 2012 08:08 PM

    Thank you very much for the explanation, Collin.

    I'll test tomorrow, as I got the lab at the office.

    Thanks again!



  • 8.  RE: enforce machine authentication question

    Posted Jun 09, 2012 05:40 AM

    Hello

    I've been trying to do this machine+user authentication with an NPS RADIUS and couldn't find the way to do it. Which kind of RADIUS are you using? Or, if using NPS, could you please give me a hint?

    Thanks

     

     



  • 9.  RE: enforce machine authentication question

    Posted Jun 09, 2012 09:38 AM

    @samuel.perez wrote:

    Hello

    I've been trying to do this machine+user authentication with an NPS RADIUS and couldn't find the way to do it. Which kind of RADIUS are you using? Or, if using NPS, could you please give me a hint?

    Thanks


    Samuel.Perez,

    If you only want to ensure that a device has passed BOTH machine and user authentication, using Enforce Machine Authentication in the controller will work with any RADIUS server. Turning it on gives a device different roles if (1) only machine authentication is passed, (2) only user authentication is passed, (3) machine AND user authentication is passed. The main drawback with Enforce Machine Authentication is that you can only do role derivation beyond that if both machine and user authentication is passed.

    For example: if you want users to authenticate with a smartphone, but give them a different role based on a group in Active Directory with Enforce Machine Authentication on, you cannot, because you are limited to scenario 2, which does not allow you to derive a role beyond the Machine Authentication User Role. If you also wanted to give a user a different role based on the operating system, you could not combine different things like whether the device is machine authenticated in the logic for your rule.

    If you use ClearPass Policy Manager (CPPM) as your RADIUS server, it caches machine authentication state AND does operating system profiling, so that you can send back roles based on a much more comprehensive set of logic. You can even point to a SQL server with your company-owned devices and use that data as logic during authentication to determine whether to give a device a different role. You would turn off Enforce Machine Authentication and allow CPPM to do all of your checking for you, because it is more flexible and comprehensive.

     



  • 10.  RE: enforce machine authentication question

    Posted Jun 09, 2012 10:29 AM

    Hello

    Does anyone know how to make the computer connect to the wireless connection at the ctrl-alt-del screen?

    I mean, it connects to the network, but only after the profile is loaded....

    If this happens then it is not authenticating via the enforce machine authentication... I think this is the issue I'm having..



  • 11.  RE: enforce machine authentication question

    Posted Jun 09, 2012 10:31 AM

    On your RADIUS server, you at least need to have a rule that allows users from the Active Directory group "Domain Computers" to authenticate successfully. Check the logs on your RADIUS server to see if logins are being rejected.

     



  • 12.  RE: enforce machine authentication question

    Posted Jun 09, 2012 10:56 AM

    I know that, Collin, but instead of having ALL the domain computers I got a computer group which has my testing computer in it.

    Isn't that enough?

    On the NAP network policy I got these conditions:

    A group that contains all the users allowed to the wireless connection

    A group that contains the computers allowed to the network

    Well, that instead of having all the domain user groups or all computer groups.

    Isn't that okay?



  • 13.  RE: enforce machine authentication question
    Best Answer

    Posted Jun 09, 2012 12:26 PM

    The remote access policy requires that the authenticating user pass ALL of the rules before matching.  You only want "Domain Computers" or "Domain Users" in a single rule.

     



  • 14.  RE: enforce machine authentication question

    Posted Jun 09, 2012 12:42 PM

    Thanks man!

    That's the part I was doing wrong!!

    Thanks again! Now I can add this to my NPS deployments for the clients here :)

    I saw on the logs that it first authenticates the machine and THEN it authenticates the user... and gives the role with the Filter-Id... :)

     



  • 15.  RE: enforce machine authentication question

    Posted Jun 09, 2012 01:43 PM

    Just a question, Collin.

    I was doing some last tests and I removed my PC from the computer group I got with my network policy on my NPS server.

    I thought it wouldn't connect, and wouldn't connect with the derived role like you said (as you said that it needs to authenticate BOTH if I wanted the derived role to work)...

    I removed my computer from the group and I still got access, and it is still sending the engineering Filter-Id value... like if it were doing nothing...

    I see on the logs on the NPS that it's not granting access through that policy, as it says access denied, but then in the second network policy, which is a user network policy (I mean I got my user there), it grants the network access. But I mean, I'm doing machine enforcement... that should not work that way, or am I wrong?

    Am I missing something?



  • 16.  RE: enforce machine authentication question

    Posted Jun 09, 2012 02:18 PM

    By default, if you have Enforce Machine Authentication enabled in the 802.1x profile, it will cache the MAC addresses of the devices that have passed for 24 hours. To remove that, you can delete the machine's entry in the local database on the controller.


  • 17.  RE: enforce machine authentication question

    Posted Jun 09, 2012 02:54 PM

    Do I have to delete something else?

    It keeps authenticating and giving me the derived role.

    I got 2 network policies:

    1- Got the machine group

    2- Got the user group

    My machine is not anymore on the machine group, which is my first network policy.

    I deleted the entry on the internal database already.

    On the machine I log off.

    I see on the wireless controller after logging off this:

    host/CHP.domain.local on monitoring client; on the role I got the logon role.

    Which is okay.

    Now I log in again and now I see this on the wireless controller:

    DOMAIN\cdelarosa; on role I got the derived role.

    On the logs on the server I got this:

    1- I see the NPS denying access to the first network policy, which has the PC group

    2- Then I see NPS granting access to the second network policy, in which I got my user group and the Filter-Id

    Is there anything I'm missing, Collin?

     

     

     



  • 18.  RE: enforce machine authentication question

    Posted Jun 09, 2012 02:57 PM

    Disable wireless card

    Delete Entry in local database

    Disconnect the computer from the user table.

     

    Enable wireless card and try again.

     

     



  • 19.  RE: enforce machine authentication question

    Posted Jun 09, 2012 03:38 PM

    Well, Collin, before looking at your post I sent the wireless controller to reboot...

    As I thought it was something in the wireless controller and not on the client or in the NPS...

    Anyways, now I'm not getting the derived role.. so I guess it's working...

    I'm getting the Machine Authentication: Default User Role.

    I guess that's what should happen....

    Now let me understand this, and just confirm to me if I'm correct and I will stop bothering you with this :)

    1- As the initial role on the profile is set to logon, that's the initial role.

    2- If the machine is NOT authenticated it will get the Machine Authentication: Default User Role, right? Well, if I connect with my user that has access, which belongs to the second network policy. If that's true I could put this role maybe on a deny-all role so it won't have access anywhere; I mean, if the machine is not authenticated then you will get a deny-all role even if you got your user that got access!! So this way you NEED to have your machine on the group, otherwise you won't connect.

    3- If you are successful authenticating the machine, it will then authenticate also with the user and will change the deny-all to the role I'm sending with the derived role?

    I'm now testing remotely with my laptop at the office; I'm connecting through the cable...

    And this is what happened:

    I added again my computer to the ones that got permission.

    I log off.

    Log on; then I saw it had a deny-all, as it authenticated with the machine correctly; then I had to disconnect and reconnect again so it could get the derived role I'm sending with the user....

    I would like to do it automatically, but I don't know if the fact that I'm accessing it remotely is affecting it somehow....

    I don't know if there is a better approach for this. What I would like to have is that if your machine is not in the group, even if your user is in the group, you won't be able to connect... or at least not have access anywhere... Am I on the correct track with what I'm doing, or is there another way to do it properly?



  • 20.  RE: enforce machine authentication question

    Posted Jun 09, 2012 03:47 PM

    1. The Initial Role does not apply in 802.1x. If Enforce Machine Authentication was NOT on, the computer would get the default 802.1x role.

    2. If the machine has NOT machine-authenticated (ctrl-alt-delete) in the past 24 hours, a user who logs into that device will get the Machine Authentication Default User Role. If a machine HAS machine-authenticated, an entry is created in the local user database with a 24-hour expiry. Whenever a user authentication takes place on a device, the controller checks the local database to see if the MAC address of a device that has machine authenticated matches that device; if it does, it will change the authentication to just 802.1x (machine AND user) and the controller will be able to run derivation rules, since it has passed both forms of authentication.

    3. Yes, if machine and user have authenticated, it will allow you to make decisions based on an attribute that is sent.

    When you log off, make sure that the username on the controller changes to host/<machine> so that you know that machine authentication has taken place.
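
    The NPS matching rule from post 13 (ALL conditions of a policy must hold, so a single policy listing both a user group and a computer group never matches either identity) and the controller's 24-hour machine-authentication cache from posts 16, 20 and 22, modelled as an added Python example; this is not code from the thread, from Aruba or from Microsoft, and the group names, MAC addresses, role names and timestamps are constructed sample values.

```python
"""Added model of the behaviour described in this thread (constructed
sample values; not Aruba or NPS code).  NPS tries network policies in
order and a policy matches only if ALL of its conditions hold; the
controller with Enforce Machine Authentication caches a machine-
authenticated MAC for 24 hours and runs role derivation only when both
machine and user authentication have passed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

CACHE_TTL_SECONDS = 24 * 3600          # the 24-hour expiry from posts 16/20
NpsResult = Tuple[str, Optional[str], Optional[str]]  # (verdict, policy, Filter-Id)


@dataclass(frozen=True)
class Policy:
    name: str
    required_groups: FrozenSet[str]    # every group here must match (AND)
    filter_id: Optional[str] = None    # role name sent back on Access-Accept


def nps_evaluate(policies: List[Policy], identity_groups: FrozenSet[str]) -> NpsResult:
    """First policy whose conditions ALL hold wins; otherwise Access-Reject."""
    for p in policies:
        if p.required_groups <= identity_groups:
            return ("accept", p.name, p.filter_id)
    return ("reject", None, None)


class Controller:
    """Role decision on the controller with Enforce Machine Authentication on."""

    def __init__(self) -> None:
        self.machine_cache: Dict[str, float] = {}   # MAC -> cache expiry time

    def machine_auth(self, mac: str, nps_result: NpsResult, now: float) -> Optional[str]:
        """host/<machine> login at the ctrl-alt-delete screen."""
        if nps_result[0] != "accept":
            return None                              # rejected: no connection
        self.machine_cache[mac] = now + CACHE_TTL_SECONDS
        return "802.1x-machine"                      # machine-auth-only state

    def user_auth(self, mac: str, nps_result: NpsResult, now: float) -> Optional[str]:
        """User login; derived role only if this MAC machine-authenticated recently."""
        if nps_result[0] != "accept":
            return None            # user auth failed: no connection, cache or not
        if self.machine_cache.get(mac, 0.0) > now:
            return nps_result[2]   # machine AND user passed: Filter-Id role applies
        return "machine-auth-default-user-role"

    def forget(self, mac: str) -> None:
        """Delete the machine's entry from the local database (post 16)."""
        self.machine_cache.pop(mac, None)
```

The combined-condition policy that post 12 describes rejects both the host/ and the user identity, which is why the split policies of post 13 are needed before the cache logic ever sees an accept for the machine.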

     



  • 21.  RE: enforce machine authentication question

    Posted Jun 09, 2012 03:59 PM

    Is there no way for a user to always get machine authenticated on the wireless controller when they log on?

    I mean, if I already did machine authentication on the wireless controller in the morning and then the admin removes me at like 10 am,

    I'll be able to log on again because my MAC address is still in the local database, even if the NPS tells my wireless controller that it has no access? Shouldn't that decision always come from the NPS rather than a cache on the wireless controller? I mean, if I remove that person I have to delete him from the wireless controller database... Shouldn't it be like the user authentication, in which it totally depends on the NPS for this decision, rather than depending on the first try and then caching it and letting it have access to the network? I mean, I can, but I have to do it manually...

    I ask you this because I'm SURE this client will ask me why it works like that...



  • 22.  RE: enforce machine authentication question

    Posted Jun 09, 2012 04:03 PM

    @NightShade1 wrote:

    Is there no way for a user to always get machine authenticated on the wireless controller when they log on?

    I mean, if I already did machine authentication on the wireless controller in the morning and then the admin removes me at like 10 am,

    I'll be able to log on again because my MAC address is still in the local database, even if the NPS tells my wireless controller that it has no access? Shouldn't that decision always come from the NPS rather than a cache on the wireless controller? I mean, if I remove that person I have to delete him from the wireless controller database... Shouldn't it be like the user authentication, in which it totally depends on the NPS for this decision, rather than depending on the first try and then caching it and letting it have access to the network? I mean, I can, but I have to do it manually...

    I ask you this because I'm SURE this client will ask me why it works like that...


    If a user does not pass authentication, there is no connection, period, regardless of whether your machine authenticated successfully.

    Disable that user you are trying to log in with and see what happens.

    Enforce Machine Authentication exists to keep track of devices that have already machine authenticated and give them a different role if they pass user authentication on top of that. The device STILL has to successfully pass user authentication for it to get a connection.

     

     



  • 23.  RE: enforce machine authentication question

    Posted Jun 09, 2012 04:12 PM

    Okay, thanks Collin.

    I'll keep doing more testing and labs.

    Cheers