Security

Machine based VPN setup
  • 1.  Machine based VPN setup

    Posted Jun 24, 2020 05:23 PM

    Hi,

    I currently have some controllers doing a VIA client based VPN solution.

    If I wanted that VPN to kick in pre user login (before they type in their login details and load Windows fully), could the Aruba VPN solution support this? Guessing it would essentially need to integrate with the native Windows 10 client?



  • 2.  RE: Machine based VPN setup

    Posted Jun 25, 2020 01:58 PM

    VIA supports authentication using certificates from windows machine store.



  • 3.  RE: Machine based VPN setup

    Posted Jun 25, 2020 02:35 PM

    Thanks, but is there a way to have the VIA software load and run before a user logs in to the machine, so it runs at a pre-login system level?



  • 4.  RE: Machine based VPN setup



  • 5.  RE: Machine based VPN setup

    Posted Jun 25, 2020 03:19 PM

    That is really interesting; I think I’ve misunderstood that feature previously. 

    I have it enabled for my users but I don’t see this behaviour. When I boot my laptop, the VIA client loads after login, detects the network to check if it’s in the office, then launches the VPN. 

    The only difference I can see is the user certificate I have is in the personal store, not the machine store. 

    Do you think that’s why mine isn’t launching pre login? 



  • 6.  RE: Machine based VPN setup

    Posted Jun 25, 2020 03:21 PM

    Yes, a machine identity needs to be in the machine/computer store.


  • 7.  RE: Machine based VPN setup

    Posted Jun 25, 2020 04:31 PM

    Once you have the cert in the machine store, how do you tell the profile to look for this cert and use it for the VPN?

    At the moment, when we select the machine cert it presents it to Clearpass as a user and not a host/machine name etc.

    Also, the VIA client does a check to see if it’s on the corporate network; does this still happen?



  • 8.  RE: Machine based VPN setup

    Posted Jun 28, 2020 04:33 AM

    Ok, I’m nearly there with this one; it looks like the chap in this thread got to the same place as me:

    https://community.arubanetworks.com/t5/Security/Machine-auth-using-VIA-and-CPPM-drops-the-host-prefix-when/td-p/313741

    So, when at the Windows login screen I can see the request come into Clearpass (Yay), however it does not present the certificate as a machine one, so the request comes in as “laptopName”, whereas it should come in as “host/laptopName”.

    If I can just get VIA to present this with host/ in front I’ll be in.

    Any ideas?



  • 9.  RE: Machine based VPN setup

    Posted Jun 28, 2020 11:05 AM

    Host/ is just an arbitrary value added to the username. It's not required.


  • 10.  RE: Machine based VPN setup

    Posted Jun 28, 2020 11:12 AM

    If that is the case, why is Clearpass rejecting the request saying no such user found?

    I have a WiFi setup in the office which uses the Windows wireless profile and this presents the request to Clearpass as host/laptop.

    In this instance Clearpass sends the request to our AD and it finds the laptop and authorises the request.

    On this domain pre-connect, the request shows just the host name and this is sent to AD... then it rejects it because it’s checking it as a user and not a host.

    I think I must be doing something fundamentally wrong. I can see the request coming in; our AD just doesn’t know it’s a host computer and not a user.



  • 11.  RE: Machine based VPN setup

    Posted Jun 28, 2020 11:20 AM

    The user checking occurs utilizing the LDAP connection you have defined in your AD authentication source. If the base-dn parameter under the primary tab in the authentication source is restricted so that it cannot browse for a container where the computer accounts are, that could be your problem.



  • 12.  RE: Machine based VPN setup

    Posted Jun 28, 2020 11:32 AM

    My business's WiFi setup only uses machine level certificates. Could the fact they authenticate this way rule out that point?

    The only difference in the WiFi service is the radius packet has host/ before the machine name.
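As an added example, written for this thread and not code from any poster here nor from Aruba/ClearPass, the script below does two offline checks that match the symptoms in posts 8 to 12: it normalises whatever name the client presents (with or without the host/ prefix) to the sAMAccountName AD actually holds for a computer account, and it tests whether the computer object's DN falls under the base DN configured on the authentication source. The DNs, the machine name LAPTOP01 and the OU layout are constructed sample values, and the filter it builds is only meant for checking by hand with ldapsearch.

```python
"""
Added example, not code from anyone in this thread and not Aruba/ClearPass
code: two offline checks for the symptoms discussed above.

 1. The identity the VPN client presents arrives either as "laptopName" or
    as "host/laptopName"; the "host/" prefix is not what AD stores. The
    computer account's sAMAccountName is the machine name with a trailing
    "$", so normalise to that before looking the object up.
 2. The authentication source only finds objects below its configured
    base DN. Check whether the computer object's DN actually sits under it.

All names and DNs here are constructed sample values.
"""
import re
from typing import Dict, List, Optional


def computer_sam_account_name(presented: str) -> str:
    """Map "host/LAPTOP01", "LAPTOP01", "laptop01$" or
    "host/laptop01.corp.example.com" to the AD computer sAMAccountName
    "LAPTOP01$"."""
    name = presented.strip()
    if name.lower().startswith("host/"):
        name = name[len("host/"):]
    # Strip a UPN realm or DNS suffix, then any "$" the caller already added.
    name = name.split("@", 1)[0].split(".", 1)[0].rstrip("$")
    return name.upper() + "$"


# RFC 4515 escaping so a machine name cannot alter the filter's structure.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(c, c) for c in value)


def computer_filter(sam_account_name: str) -> str:
    """Filter to hand to ldapsearch to confirm the object exists under the base DN."""
    return "(&(objectClass=computer)(sAMAccountName=%s))" % escape_filter_value(sam_account_name)


def parse_dn(dn: str) -> List[str]:
    """Split a DN into RDNs, ignoring commas escaped as "\\,", and normalise case/whitespace."""
    return [rdn.strip().lower() for rdn in re.split(r"(?<!\\),", dn)]


def dn_under_base(object_dn: str, base_dn: str) -> bool:
    """True if object_dn is base_dn itself or lies beneath it (subtree search scope)."""
    obj, base = parse_dn(object_dn), parse_dn(base_dn)
    return len(obj) >= len(base) and obj[-len(base):] == base


def diagnose(presented: str, computer_dn: str, base_dn: str) -> Dict[str, object]:
    """Summarise what the authentication source must look up and whether its base DN allows it."""
    sam = computer_sam_account_name(presented)
    in_scope = dn_under_base(computer_dn, base_dn)
    cause: Optional[str] = None
    if not in_scope:
        cause = ("base DN %s does not contain %s; widen the base DN on the "
                 "authentication source" % (base_dn, computer_dn))
    return {"sam_account_name": sam, "filter": computer_filter(sam),
            "in_base_dn_scope": in_scope, "likely_cause": cause}


if __name__ == "__main__":
    # Constructed sample: the laptop lives under OU=Laptops, but one of the
    # two candidate authentication sources is scoped to OU=Users only.
    laptop_dn = "CN=LAPTOP01,OU=Laptops,OU=Computers,DC=corp,DC=example,DC=com"
    for base in ("DC=corp,DC=example,DC=com", "OU=Users,DC=corp,DC=example,DC=com"):
        print(base, "->", diagnose("host/LAPTOP01", laptop_dn, base))
```

Run it as-is to see the two outcomes; to use it against your own directory, swap in the DN of the laptop's computer object (from `dsquery computer` or AD Users and Computers) and the base DN from the authentication source's primary tab, then confirm with ldapsearch that the printed filter actually returns the object from that base.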