Security

 View Only
Expand all | Collapse all

[How-to]MACHINE AND USER AUTHENTICATION IN WINDOWS WITH CLEARPASS-Feb15-MHC

This thread has been viewed 68 times
  • 1.  [How-to]MACHINE AND USER AUTHENTICATION IN WINDOWS WITH CLEARPASS-Feb15-MHC

    Posted Feb 16, 2015 03:02 PM

                          MACHINE AND USER AUTHENTICATION IN WINDOWS WITH CLEARPASS

     

     

    I have created this tutorial, but let me tell you one thing that, this is not the first tutorial on this topic. You can find another great tutorial on the same in this forum, which also helps me a lot.

     

    http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/How-to-Machine-AND-User-Authentication-in-Windows-with-Clearpass/td-p/208471

     

    Sometimes we need more than just user authentication, in this document I will share the configuration steps needed to enforce machine and user authentication and also put per user based role.
    SCENARIO:
    1. If a user complete USER+MACHINE both authentication, then the user will get 'authenticated' role along with VLAN1
    2. If a user complete only any of the above authentication [USER or MACHINE], the user will get 'guest' role along with VLAN2.

    INTRODUCTION:
    The following was completed using Clearpass 6.4.1, a windows 2012, a 3600 running 6.4.2.4 and AP-93.
    Clearpass is joined to domain and able to access the server.
    You can find another good guide on the same in
    How-to-Machine-AND-User-Authentication-in-Windows-with-Clearpass
    CONFIGURATION:
    A. At first we will create one custom endpoint attribute, it will validate our valid device.
    Go to Administration » Dictionaries » Attributes and in right left corner click on add to add a custom attribute. The attribute should be endpoint attribute and boolean.

    Image 1.jpg

     

    B. Now we will configure enforcement profile. For this scenario we need three enforcement profile.
    Open Configuration » Enforcement » Profiles. Follow this screenshot.
    First enforcement profile is a post authentication profile to enforce the attribute, for this we will select Clearpass entity update enforcement template.

     

    Image 3.jpg

    Now 2nd one for authenticated users. In here we will give the user ‘authenticated’ role and after that assigned them to VLAN1.

    Image 4.jpg

    3rd profile for the user, who completed only one authentication. Here we will give the user ‘guest’ role along with VLAN2

    Image 5.jpg

    C. After configuring enforcement profile we have to configure enforcement policy which will bundle all the three enforcement profile.
    Open Configuration » Enforcement » Policies

    Image 6.jpg

     

    D. Now we have configure one role mapping policy to tag information in the request so later we can use it in enforcement profile. Also create one role to map this.
    Go to Configuration » Identity » Role Mapping

     

    Image 7.jpg

     

    Image 8.jpg
    E. Now the most important things, we have to configure one service.
    Check the summary tab of the service. Remember to enable authorization source in service tab.

     

    Image 9.jpg

     

    Open authentication tab and select AD as a authentication source, EAP-PEAP and EAP-MSCHAPV2 as authentication method [this two is enough to handle the AAA process but if you want or if you have legacy device you always can configure other authentication method].

     

    Image 10.jpg

    Image 11.jpg

    Image 12.jpg

    Image 13.jpg

    In controller side nothing to do, just make sure that you have the VLAN and Role configured in controller, because what are you defining[VLAN & Role] here will take effect from the controller.
    We need to configure our wireless ssid profile to make the both authentication work. Below are the configuration steps.
    Go to Control Panel\Network and Internet\Manage Wireless Networks click add and add your desired network and go to the setting.

    wireless config.jpg

                                                       that's all. Now its time to check output

    op1.jpg

    In above user has completed both authentication so it’s got authenticated role along with VLAN1.

    op2.jpg

     

    op3.jpg

    In above users has completed only one authentication so it’s got guest role along with VLAN2.

     

    Hope you guys enjoyed.Let me know if there are any questions or follow-ups - I would love to hear them!

                                                                                 Thank you.

     


    #3600


  • 2.  RE: [How-to]MACHINE AND USER AUTHENTICATION IN WINDOWS WITH CLEARPASS-Feb15-MHC

    Posted Feb 16, 2015 03:17 PM
    Nice job. Just a comment. You should NEVER uncheck validate server
    certificate except for testing. If you are not validating the server
    certificate, you are better off not using any security.


  • 3.  RE: [How-to]MACHINE AND USER AUTHENTICATION IN WINDOWS WITH CLEARPASS-Feb15-MHC

    Posted Feb 16, 2015 03:35 PM

     


    @cappalli wrote:
    Nice job. Just a comment. You should NEVER uncheck validate server
    certificate except for testing. If you are not validating the server
    certificate, you are better off not using any security.

     

    Thanks Tim for correction,

    I configured this in my lab and after I forgot to mention that.

    Also sorry for the mistake.



  • 4.  RE: [How-to]MACHINE AND USER AUTHENTICATION IN WINDOWS WITH CLEARPASS-Feb15-MHC

    Posted Nov 07, 2019 07:44 AM

    I'm new to Aruba and I would like to ask a question about machine + user authentication.

    As I understand, the concept is to set endpoint attribute value to "true" after machine is successfully authenticated. Than user that is using the same endpoint (endpoint recorded during machine authentication) matches appropriate enforcement policy if endpoint attribute's value is still "true".

    For how long this endpoint attribute value will stay as "true"? 

    If I successfully log in to the computer and restart computer and I'm trying to log in angain - is the endpoint attribute value set to "true" already or it has to  be set to "true" again?



  • 5.  RE: [How-to]MACHINE AND USER AUTHENTICATION IN WINDOWS WITH CLEARPASS-Feb15-MHC

    Posted Nov 07, 2019 08:04 AM

    Machine Authentication Cache Timeout  option (24 hours by default):  https://www.arubanetworks.com/techdocs/ClearPass/6.7/PolicyManager/index.htm#CPPM_UserGuide/Admin/ServerConfig_serviceparamspolicyserver.htm?Highlight=machine%20authentication%20cache

     

    Closing this thread because it is old.  Please use a new thread for further questions.

     



  • 6.  RE: [How-to]MACHINE AND USER AUTHENTICATION IN WINDOWS WITH CLEARPASS-Feb15-MHC

    Posted Nov 05, 2024 06:15 AM

    I know this is an old thread, but I have the same question regarding the custom endpoint attribute.  If a machine authentication is true and the custom endpoint attribute is set to true, does this value always stay true? If so, what happens if the computer is removed from the domain and tries to machine authenticate? 

    Thank you!




  • 7.  RE: [How-to]MACHINE AND USER AUTHENTICATION IN WINDOWS WITH CLEARPASS-Feb15-MHC

    Posted Nov 05, 2024 06:19 AM

    Endpoint attributes stay there till they are changed or the endpoint is removed. You should probably not use this old methodology to determine if a device is joined to the domain, as since 2015/2019 many things changed, including the introduction of TEAP which allows machine and user authentication in the same transaction. That removes the need to cache the machine authentication between different authentication transactions.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 8.  RE: [How-to]MACHINE AND USER AUTHENTICATION IN WINDOWS WITH CLEARPASS-Feb15-MHC

    Posted Feb 16, 2015 10:40 PM

    Great,

    I'll try this.Please upload the pdf also.



  • 9.  RE: [How-to]MACHINE AND USER AUTHENTICATION IN WINDOWS WITH CLEARPASS-Feb15-MHC

    Posted Feb 17, 2015 12:05 AM

    @Rana wrote:

    Great,

    I'll try this.Please upload the pdf also.


    PDF added



  • 10.  RE: [How-to]MACHINE AND USER AUTHENTICATION IN WINDOWS WITH CLEARPASS-Feb15-MHC

    Posted Mar 04, 2021 10:49 AM
    Edited by GLM-TD Mar 04, 2021 10:49 AM
    Great job and great guide SumaN.
    You won a cold one!
    Thanks mate.
    Best regards.
    Gonzalo.

    ------------------------------
    Gonzalo Lopez
    ------------------------------