  • 1.  Machine Authenticated role for MAC authentication service?

    Posted Oct 06, 2023 12:57 AM

    Hi community,

    I have created a service for MAC authentication. I am testing right now and have a phone and a PC; I have both in a static host list. When they pass authentication, my phone got the role [User Authenticated], and my PC got the roles [User Authenticated] and [Machine Authenticated]. Is this normal behaviour? I thought the Machine Authenticated role is only for domain PCs. Any idea?



    ------------------------------
    Regards,
    Julian
    ------------------------------


  • 2.  RE: Machine Authenticated role for MAC authentication service?

    Posted Oct 06, 2023 02:05 AM

    Have you read this article, the ClearPass 6.7 Deployment Guide?

    There is a section named Role Assignment with Machine Authentication Enabled where you can see more information.

    Hope this helps



    ------------------------------
    Shpat | ACEP | ACMP | ACCP | ACDP |
    -Just an Aruba enthusiast and contributor by cases-
    ------------------------------



  • 3.  RE: Machine Authenticated role for MAC authentication service?

    Posted Oct 06, 2023 02:23 AM

    Hi Shpat,

    The article talks about when you use 802.1x authentication, which is not my case. I am using MAC authentication, and the PC is not configured for 802.1x.



    ------------------------------
    Regards,
    Julian
    ------------------------------



  • 4.  RE: Machine Authenticated role for MAC authentication service?
    Best Answer

    Posted Oct 06, 2023 06:04 AM

    A device is marked "machine authenticated" whenever the MAC address has passed machine authentication in the past. There is a timeout value that would purge that state, but unfortunately, the machine authenticated role is renewed every time the device user authenticates, if the machine authentication role has not expired for that MAC address.



    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
    ------------------------------



  • 5.  RE: Machine Authenticated role for MAC authentication service?

    Posted Oct 06, 2023 06:14 AM

    Hi Colin,

    This device was previously a domain PC and passed machine authentication in the past. After that, we took the PC out of the domain. That could answer the question, but the Machine Authentication Cache Timeout is set to 24 hours, and we took the PC out of the domain a week ago. Do you mean the machine authentication role is renewed when the device user authenticates regardless of the Machine Authentication Cache Timeout setting? By the way, no user authentication happens; now it is only the MAC authentication service.



    ------------------------------
    Regards,
    Julian
    ------------------------------



  • 6.  RE: Machine Authenticated role for MAC authentication service?

    Posted Oct 06, 2023 06:19 AM

    Do you mean the machine authentication role is renewed when the device user authenticates regardless of the Machine Authentication Cache Timeout setting? - Yes.






  • 7.  RE: Machine Authenticated role for MAC authentication service?

    Posted Oct 06, 2023 06:23 AM

    Hi Colin,

    What a pity, that's confusing. And when you say "device user authenticates", in my case the device user authentication refers to device MAC authentication, right?



    ------------------------------
    Regards,
    Julian
    ------------------------------



  • 8.  RE: Machine Authenticated role for MAC authentication service?

    Posted Oct 06, 2023 06:27 AM

    If your timeout is 24 hours, I would do nothing with that device for 24 hours and see what happens.






  • 9.  RE: Machine Authenticated role for MAC authentication service?

    Posted Oct 06, 2023 07:05 AM

    Honestly, you can just not have any rules that act upon the Machine Authentication role in a service that does MAC authentication.






  • 10.  RE: Machine Authenticated role for MAC authentication service?

    Posted Oct 09, 2023 03:50 AM

    Hi Colin,

    Right, I authenticated again with the PC after doing nothing for 24 hours, and the Machine Authenticated role was not given, only User Authenticated. As you said, "the machine authenticated role is renewed every time the device user authenticates, if the machine authentication role has not expired for that MAC address."



    ------------------------------
    Regards,
    Julian
    ------------------------------
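
The renewal behaviour described in the best answer and confirmed in the last post, as an added example that is not part of the thread and is not ClearPass code: a toy model of a per-MAC machine-authentication cache with a 24-hour timeout, replayed with and without renewal on each later authentication. The class and function names, the MAC address, the dates and the 12-hour re-authentication interval are assumptions made for the illustration.

```python
from datetime import datetime, timedelta

CACHE_TIMEOUT = timedelta(hours=24)  # cache timeout value quoted in the thread


class MachineAuthCache:
    """Toy model (assumption) of the per-MAC machine-auth state."""

    def __init__(self, timeout=CACHE_TIMEOUT, sliding=True):
        self.timeout = timeout
        self.sliding = sliding  # True: any later authentication renews a live entry
        self.expires = {}       # MAC address -> time the cached state expires

    def authenticate(self, mac, when, machine_auth=False):
        """Return the roles assigned for one authentication event."""
        if machine_auth:  # real machine authentication creates the entry
            self.expires[mac] = when + self.timeout
            return ["Machine Authenticated"]
        live = mac in self.expires and when < self.expires[mac]
        if not live:
            self.expires.pop(mac, None)  # timeout reached: state is purged
            return ["User Authenticated"]
        if self.sliding:
            self.expires[mac] = when + self.timeout  # renewed by this authentication
        return ["User Authenticated", "Machine Authenticated"]


def replay(sliding):
    """Replay a constructed timeline and return the roles for each MAC auth."""
    cache = MachineAuthCache(sliding=sliding)
    mac = "02:00:00:00:00:01"          # constructed, locally administered MAC
    t0 = datetime(2023, 9, 28, 9, 0)   # constructed: last real machine auth
    cache.authenticate(mac, t0, machine_auth=True)
    results = []
    # PC removed from the domain; MAC auth every 12 hours for a week (assumption).
    for i in range(1, 15):
        results.append(cache.authenticate(mac, t0 + timedelta(hours=12 * i)))
    # Device left idle for longer than the timeout, then one more MAC auth.
    results.append(cache.authenticate(mac, t0 + timedelta(hours=12 * 14 + 25)))
    return results


if __name__ == "__main__":
    for mode in (True, False):
        kept = sum("Machine Authenticated" in r for r in replay(mode))
        print(f"sliding={mode}: role present on {kept} of 15 MAC authentications")
```

With renewal enabled the role survives the whole week and disappears only after the idle gap, which matches what the thread reports; with a fixed expiry it would have been gone after the first day.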