Security

 View Only
  • 1.  Enforcing Machine Auth

    Posted Feb 16, 2014 12:49 PM

    Hi all,

     

     

    I am trying to get machine auth to work in the lab with cppm 6.3 and a 620 controller running 6.3.1.1

     

    I can get it to work initially but if the station is disconnected or if I do a "aaa user delete" it fails (user) authentication on the reconnect.

     

    I suspect it works as the initial auth was machine (on OS boot) and it changed to the users credentials when login on to the workstation. Which is the normal for Windows.

     

    Any ideas on if its possible to get it working without changing the default authentication mode to Computer in the 802.1x settings?

     

    A screen shot of my enforcement policy on the service (probably not the best way to do this), the “Certificate:Issuer-DN  CONTAINS  ClearPass” is to allow EAP-TLS

     mach_enforce.JPG

     

    thanks

     

    Andy



  • 2.  RE: Enforcing Machine Auth

    Posted Feb 16, 2014 01:16 PM

    What kind of encryption are you using?

    What EAP Type are you using?

    Exactly what are you trying to do?

     



  • 3.  RE: Enforcing Machine Auth

    Posted Feb 16, 2014 01:23 PM

    Hi 

     

    P-EAP with MsChap and EAP-TLS (WPA2/AES)

     

    Basically want to enforce machine auth to keep non Active Directory workstations and non byod devices off the "main" SSID.

     

     

    service.JPG



  • 4.  RE: Enforcing Machine Auth

    Posted Feb 16, 2014 01:25 PM


  • 5.  RE: Enforcing Machine Auth

    Posted Feb 16, 2014 01:32 PM

    I saw that which is what i based my enforcement policy on and i could log on with an android using P-EAP.

     

    but I just tried and again and I can not log on with the android using P-EAP :smileyembarrassed:

     

     

     



  • 6.  RE: Enforcing Machine Auth

    Posted Feb 16, 2014 01:36 PM

    If tips role does not equal [machine authenticated] then denyall enforcement profile.  It is that simple, if you want to deny non-machine authenticated devices.

     

    Machine authentication only occurs when you log out of a machine and when it boots up at the ctrl-alt-delete screen.  This is when you have user or computer on the Advanced IEEE settings on a machine.  It is cached, so that status will be stored in CPPM, even if user authentication occurs later.



  • 7.  RE: Enforcing Machine Auth

    Posted Feb 16, 2014 01:40 PM

    thanks, I must have done something wrong the first time round as it is working as expected with the policy setup as follows;

     

     

    enforce.JPG