We have two level authentication.
At wired authentication, machine and user authentication is working fine.
-When we choose only "computer authentication", machine authentication is working. But, as per the customer's requirement, they need "user authentication" after users log in.
-At wireless authentication, machine authentication is not working on the login screen before user login when we choose the authentication mode as "computer or user authentication" on the computer. Computers always send the wrong format domain\hostname$ on the login screen. On the login screen, the computer must send host\fqdn.
-On wired authentication, it's working with the same profile and the same computer. But, on wireless, it's not working.
Any suggestion for this problem? Thanks.
ClearPass is an AAA (Authentication, Authorization, Accounting) server.
Authentication - verify this is indeed the user they claim to be
Authorization: What can they access on the Network?
Accounting: Summary of what they actually did.
For the rest of this discussion I will assume you are referring to Microsoft Windows clients. The OS permits "User OR Machine authentication", not "User AND Machine Authentication". Some network vendors try caching Machine authentication to provide User and Machine authentication. Since you do not state what vendor's wireless solution you use, I have no further suggestions.
Otherwise, there is no such thing as two-level authentication.
How are you performing Machine Authentication? Are the Windows clients joined to an on-Prem AD domain or Entra ID (formerly Azure AD) joined?
I will need more detail to help further.
For more information on AAA : https://en.wikipedia.org/wiki/AAA_(computer_security)
Hi @bosborne, thanks for your reply.
I also found the same issue on this community. My problem is the same as the one in the link below.
Does someone have a solution for this?
This should just work, you could follow the ClearPass Workshop Series, as it configures exactly this.
From your output, it suggests that you configured EAP-PEAP, which you should stay away from as it is broken and insecure, and move to EAP-TLS or TEAP with EAP-TLS instead. The older videos in the playlist above do show PEAP and User or Computer...
If you see the username (or computer's username) in a wrong format, it's probably a matter of changing the LDAP query to query based on the correct field; this video explains how to change the LDAP query.
Also, this is probably trivial to solve if you know how the LDAP queries work and if you understand the LDAP structure and username formats. Aruba TAC should be able to assist in this as well.
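As an added illustration for the identity-format question raised in this thread (this is not code from the thread or from ClearPass, whose LDAP query is configured in its own UI as the video above shows), the snippet below classifies the identity strings a Windows supplicant can present during 802.1X and maps each to the AD attribute an authentication source would have to query: `host/<fqdn>` to `dNSHostName`, the down-level `DOMAIN\name` form (with a trailing `$` for computer accounts) to `sAMAccountName`, and `user@realm` to `userPrincipalName`. The sample identities are constructed, and the `host\` backslash variant is accepted only because the original post writes it that way. Values are escaped per RFC 4515 before being placed in the filter, so a crafted identity cannot change the filter's structure.

```python
"""Classify 802.1X identities and build the matching LDAP search filter.

Added example for this thread, not ClearPass code. Assumed Windows native
supplicant formats: machine auth presents 'host/<fqdn>' (the original post
also mentions 'DOMAIN\\hostname$'); user auth presents 'DOMAIN\\user' or
'user@domain'. Sample identities below are constructed.
"""
import re
from dataclasses import dataclass

# RFC 4515 escaping for values embedded in an LDAP search filter, so an
# identity supplied by the client cannot alter the filter's structure.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value: str) -> str:
    """Escape a single assertion value for use inside an LDAP filter."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


@dataclass(frozen=True)
class Identity:
    kind: str       # "machine" or "user"
    attribute: str  # AD attribute the identity value should be matched on
    value: str      # normalised value to search for
    realm: str      # NetBIOS domain or DNS suffix, "" if none was given


def parse_identity(identity: str) -> Identity:
    """Work out which account type and AD attribute an EAP identity refers to."""
    ident = identity.strip()
    # host/fqdn (or host\fqdn as written in the post) -> computer, by dNSHostName
    m = re.fullmatch(r"host[/\\](?P<fqdn>[^/\\@]+)", ident, re.IGNORECASE)
    if m:
        fqdn = m.group("fqdn")
        return Identity("machine", "dNSHostName", fqdn, fqdn.partition(".")[2])
    # DOMAIN\name -> down-level logon name, by sAMAccountName; '$' marks a computer
    m = re.fullmatch(r"(?P<dom>[^\\]+)\\(?P<name>[^\\]+)", ident)
    if m:
        name, dom = m.group("name"), m.group("dom")
        kind = "machine" if name.endswith("$") else "user"
        return Identity(kind, "sAMAccountName", name, dom)
    # user@realm -> user principal name, matched whole
    m = re.fullmatch(r"(?P<user>[^@]+)@(?P<realm>[^@]+)", ident)
    if m:
        return Identity("user", "userPrincipalName", ident, m.group("realm"))
    # bare name: a user unless it carries the trailing '$' of a computer account
    kind = "machine" if ident.endswith("$") else "user"
    return Identity(kind, "sAMAccountName", ident, "")


def ldap_filter(identity: str) -> str:
    """Build the AD search filter that would locate the presented identity."""
    ident = parse_identity(identity)
    obj_class = "computer" if ident.kind == "machine" else "user"
    return f"(&(objectClass={obj_class})({ident.attribute}={ldap_escape(ident.value)}))"


if __name__ == "__main__":
    # Constructed samples covering the formats discussed in the thread.
    for sample in ("host/PC01.corp.example.com", r"CORP\PC01$",
                   r"CORP\jdoe", "jdoe@corp.example.com"):
        print(f"{sample:30} -> {ldap_filter(sample)}")
```

Running it shows why a query keyed on `sAMAccountName` alone matches the `DOMAIN\hostname$` form but not `host/fqdn`: the two machine identities land on different attributes, which is the mismatch an LDAP query change has to address.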
Did you read that thread you linked us? I was the OP, but never really followed up on what caused it. The last entry there says that this was caused by caching user login set in the GPO, so you should definitely give that solution a try by removing it (Cache user information for subsequent connections). I can't remember if that solved it for us as I had to move on to different projects.