Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

new wired 802.1x user

  • 1.  new wired 802.1x user

    Posted Jul 14, 2023 07:46 PM

    Hello, I got a question.

    We have a client that does this:

    The support team joins the machine to the AD domain and sets up the machine.

    They create a user and a random password for the user, and then they turn off the machine from their account.

    They give the new user the machine so they can log in with their new user, and they can change their random password to a new password.

    Now I face a problem here, and it's that the support team is using a free 802.1X port, so they don't have any issue putting the machine in the AD and all that.

    But when the new user tries to log in with their new user, which does not have a profile on that machine and has never connected to the network, they get the error that they cannot connect to the network; it says that the domain is not available and that I should make sure it's connected to the network.

    I see in ClearPass that it tries to connect using machine authentication instead of using the user and password.

    And now that I think about it, I would have a big problem when we change to EAP-TLS, because there is no way they can get the user certificate if the user has not yet connected to their profile and downloaded the group policy that gives them the user certificate.

    I don't know how to get around this.

    Does the user always have to authenticate the first time on a port without 802.1X authentication?

    Any ideas of how you all do this?



  • 2.  RE: new wired 802.1x user

    EMPLOYEE
    Posted Jul 17, 2023 07:23 AM

    With EAP-TLS or EAP-PEAP, the most used method is to switch to computer-only authentication.

    If you need user authentication, then TEAP may be a good method to use. It combines computer and user authentication in the same 'authentication transaction' and would allow scenarios where the user or computer authentication can even fail, and the computer can still be connected and placed in the correct VLAN/role to reflect that authentication status. Here is a video that explains TEAP based on EAP-TLS.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: new wired 802.1x user

    Posted Jul 18, 2023 02:33 PM

    Hello 

    Thanks for your answers, guys.

    Ahollifield, that could be a solution, yes, but I need the machine to authenticate, and not only that, they need to be sent to a specific VLAN.

    Herman, thanks for your answer. I was about to do what you said, but the client has Windows 7; as I could see in your video, we need Windows 10 for TEAP to work.

    So it seems that the only option I have is machine authentication.

    Right now I have something simple in the enforcement for testing:

    If the user belongs to ADgroup X then give VLAN 5

    If the user belongs to ADgroup Z then give VLAN 10

    If Tips Role equals [Machine Authenticated] then give VLAN 2

    The first one that applies is used.

    It SEEMS to work. It authenticated with the machine, then it authenticated with the user.

    On Windows 10 I have the "user or computer" option selected.

    I'm not sure if I should be using:

    If the user belongs to ADgroup X AND machine authenticated then give VLAN 5

    If the user belongs to ADgroup Z AND machine authenticated then give VLAN 10

    Not sure if that will work (I'll try that today).

    Herman, if you think any of those will give trouble, please let me know, and what could be the best way to do it.

    I cannot do machine authentication only because, as I said, the user needs to go to a specific VLAN after authenticating.




  • 4.  RE: new wired 802.1x user

    Posted Jul 18, 2023 07:11 PM

    Windows 7?  I think the client has MUCH bigger security concerns than VLAN based segmentation...




  • 5.  RE: new wired 802.1x user

    EMPLOYEE
    Posted Jul 19, 2023 03:49 AM

    That should work fine; it's just that the discussion started with the point that user authentication was not possible (chicken-and-egg problem) for users that had not authenticated before on the client, or don't have a user certificate.

    You may also try to use an 'authentication failed VLAN' or 'authentication failed role', which does allow access to the AD infrastructure and other required services that you trust unauthenticated clients to access. Through that access the client can change the password, get the user certificate enrolled, or perform other prerequisites. It's not ideal, but that is why (at least before TEAP was introduced) many customers fall back to computer-only authentication. But if that is not acceptable, this strategy may work.



    ------------------------------
    Herman Robers
    ------------------------
    ------------------------

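    To make the first-match behaviour of the rule set in reply 3 and the 'authentication failed VLAN' fallback from reply 5 concrete, here is a small added simulation (constructed for this thread, not ClearPass code or its API). The group and VLAN names are the poster's; the `Request` type, the `evaluate` function, and the set used to stand in for the [Machine Authenticated] Tips role are assumptions of this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    mac: str            # endpoint MAC; key for the machine-authenticated cache
    auth_type: str      # "machine" (computer account) or "user"
    success: bool       # did the authentication source accept the credentials
    groups: tuple = ()  # AD groups of the authenticated identity (user auth only)


def evaluate(req, machine_cache, require_machine_for_user=False, failed_vlan=None):
    """Return the VLAN for req, updating machine_cache in place.

    machine_cache is a constructed stand-in for the [Machine Authenticated]
    Tips role: it holds MACs that completed a successful machine authentication.
    require_machine_for_user adds the "AND machine authenticated" condition
    the poster is considering; failed_vlan enables reply 5's fallback.
    """
    if not req.success:
        # reply 5: optional fallback VLAN with reachability to AD only
        return failed_vlan if failed_vlan is not None else "deny"
    if req.auth_type == "machine":
        machine_cache.add(req.mac)
    machine_ok = req.mac in machine_cache
    user_ok = req.auth_type == "user" and (machine_ok or not require_machine_for_user)
    rules = [  # reply 3's enforcement policy, first match wins
        (user_ok and "ADgroup X" in req.groups, "VLAN 5"),
        (user_ok and "ADgroup Z" in req.groups, "VLAN 10"),
        (machine_ok, "VLAN 2"),
    ]
    for cond, vlan in rules:
        if cond:
            return vlan
    return "deny"  # nothing matched: default enforcement profile


def first_logon(require_machine_for_user, machine_auth_happened=True):
    """Trace the original poster's case: new user logging on to a freshly joined PC.

    Returns (VLAN at boot, VLAN after the user authenticates). When the
    machine authentication is skipped, only the boot result differs.
    """
    cache = set()
    mac = "aa:bb:cc:00:00:01"  # constructed sample MAC
    boot = evaluate(Request(mac, "machine", machine_auth_happened), cache,
                    require_machine_for_user, failed_vlan="VLAN 99")
    logon = evaluate(Request(mac, "user", True, ("ADgroup X",)), cache,
                     require_machine_for_user)
    return boot, logon
```

With the plain rules, a user in ADgroup X lands in VLAN 5 even if the endpoint never machine-authenticated; with the AND variant, that same user is denied unless the machine authentication succeeded first, which is exactly the chicken-and-egg case reply 5 describes.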


  • 6.  RE: new wired 802.1x user

    Posted Jul 17, 2023 07:25 AM

    Switch to EAP-TLS with machine certificates (machine authentication). Enroll the machine certificate onto the PC when the device is built at the port with 802.1X disabled.