Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Machine authentication is not working at 802.1x wireless on login screen

  • 1.  Machine authentication is not working at 802.1x wireless on login screen

    Posted Nov 10, 2023 08:21 AM

    We have two-level authentication.

    1. Machine Authentication (before user login, all devices have to connect to the network with limited access)
    2. User Authentication (after user login, users will access resources with their role)

    With wired authentication, machine and user authentication are working fine.

    - When we choose only "computer authentication", machine authentication is working. But, per the customer's requirement, they need "user authentication" after users log in.

    - With wireless authentication, machine authentication is not working on the login screen before user login when we choose the authentication mode "computer or user authentication" on the computer. Computers always send the wrong format, domain\hostname$, on the login screen. On the login screen, the computer must send host\fqdn.

    - On wired authentication, it's working with the same profile and the same computer. But on wireless, it's not working.

    Any suggestions for this problem? Thanks.



  • 2.  RE: Machine authentication is not working at 802.1x wireless on login screen

    MVP
    Posted Nov 13, 2023 07:37 AM

    ClearPass is an AAA (Authentication, Authorization, Accounting) server.

    Authentication: Verify this is indeed the user they claim to be

    Authorization: What can they access on the Network?

    Accounting: Summary of what they actually did.

    For the rest of this discussion I will assume you are referring to Microsoft Windows clients. The OS permits "User OR Machine authentication", not "User AND Machine Authentication". Some network vendors try caching Machine authentication to provide User and Machine authentication. Since you do not state what vendor's wireless solution you use, I have no further suggestions.

    Otherwise, there is no such thing as two-level authentication.

    How are you performing Machine Authentication? Are the Windows clients joined to an on-Prem AD domain or Entra ID (formerly Azure AD) joined?

    I will need more detail to help further.

    For more information on AAA : https://en.wikipedia.org/wiki/AAA_(computer_security)



    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------



  • 3.  RE: Machine authentication is not working at 802.1x wireless on login screen

    Posted Nov 13, 2023 08:30 PM

    Hi @bosborne, thanks for your reply.

    I also found the same issue on this community. My problem is the same as the one in the link below.

    https://community.arubanetworks.com/discussion/windows-using-domainmachinename-during-computer-authentication




  • 4.  RE: Machine authentication is not working at 802.1x wireless on login screen

    Posted Nov 17, 2023 02:48 AM

    Does someone have a solution for this?




  • 5.  RE: Machine authentication is not working at 802.1x wireless on login screen

    EMPLOYEE
    Posted Nov 23, 2023 08:59 AM

    This should just work; you could follow the ClearPass Workshop Series, as it configures exactly this.

    From your output, it suggests that you configured EAP-PEAP, which you should stay away from as it is broken and insecure, and move to EAP-TLS or TEAP with EAP-TLS instead. The older videos in the playlist above do show PEAP and User or Computer...

    If you see the username (or computer's username) in a wrong format, it's probably a matter of changing the LDAP query to query based on the correct field; this video explains how to change the LDAP query.

    Also, this is probably trivial to solve if you know how the LDAP queries work and if you understand the LDAP structure and username formats. Aruba TAC should be able to assist in this as well.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
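
As an added illustration of the identity formats discussed in this thread (not code from any poster and not ClearPass's own query): the sketch below classifies an 802.1X identity string and builds the Active Directory LDAP filter that would match it, which is the kind of field mapping the LDAP-query advice above refers to. The filters, helper names and sample identities are assumptions constructed for the example; `sAMAccountName`, `dNSHostName` and `userPrincipalName` are standard AD attributes.

```python
# RFC 4515 escapes for characters that are special in an LDAP search filter.
_LDAP_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def ldap_escape(value):
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def classify_identity(identity):
    """Map an 802.1X identity string to (kind, AD attribute, lookup value)."""
    ident = identity.strip()
    if ident.lower().startswith("host/"):
        # host/<fqdn>: form Windows commonly uses for computer authentication
        return ("machine", "dNSHostName", ident[5:].lower())
    if "\\" in ident:
        # DOMAIN\name: strip the NetBIOS domain, keep the account name
        name = ident.split("\\", 1)[1]
    elif "@" in ident:
        return ("user", "userPrincipalName", ident)
    else:
        name = ident
    # A trailing "$" marks a computer account's sAMAccountName
    kind = "machine" if name.endswith("$") else "user"
    return (kind, "sAMAccountName", name)


def build_filter(identity):
    kind, attr, value = classify_identity(identity)
    scope = ("(objectClass=computer)" if kind == "machine"
             else "(objectCategory=person)(objectClass=user)")
    return "(&%s(%s=%s))" % (scope, attr, ldap_escape(value))


# Constructed sample identities (not taken from the thread's logs)
SAMPLES = ["host/PC01.corp.example.com", "CORP\\PC01$", "CORP\\alice",
           "alice@corp.example.com"]

if __name__ == "__main__":
    for s in SAMPLES:
        print("%-30s -> %s" % (s, build_filter(s)))
```

Comparing the attribute chosen here with the one the authentication source actually queries shows quickly whether a `DOMAIN\hostname$` identity is being looked up against a field that only holds the FQDN, or the reverse.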



  • 6.  RE: Machine authentication is not working at 802.1x wireless on login screen

    Posted Nov 26, 2023 03:07 PM

    Hi Jame

    Did you read that thread you linked us? I was the OP, but never really followed up on what caused it. The last entry there says that this was caused by caching user login set in the GPO, so you should definitely give that solution a try by removing it (Cache user information for subsequent connections). I can't remember if that solved it for us as I had to move on to different projects.



    ------------------------------
    John-Egil Solberg |
    ACMX | ACCX
    ------------------------------