Security

 View Only
last person joined: yesterday 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

TEAP/Machine Authneticate

This thread has been viewed 28 times
  • 1.  TEAP/Machine Authneticate

    EMPLOYEE
    Posted Jan 24, 2024 07:57 AM
    Hi Herman,
    In your Clearpass series "Aruba ClearPass Workshop (2021) - Wireless Access #7 TEAP Authentication (EAP Chaining)"
    To utilize the Authentication:TEAP-Method-1-Username for identify its is machine authenticated by matching at the host/ of method 1 username to set role as ws_machine.. But what I get in customer environment , the host/ is not there is shown as below and ws_machine role is not match and therefore the enforment policy  reject user access.
    The issue it compute attribute showing  : Authentication:TEAP-Method-1-Username DESKTOP-942AUBH$
    not  what we want/expect to have Authentication:TEAP-Method-1-Username host/DESKTOP-942AUBH$
    Its AD need to change some setting or Clearpass end needs?
    Authentication:ErrorCode 0
    Authentication:Full-Username fxxxx@dxxxx.local
    Authentication:InnerMethod EAP-TLS
    Authentication:MacAuth NotApplicable
    Authentication:NetBIOS-Name Dxxxxx
    Authentication:OuterMethod TEAP
    Authentication:Posture Unknown
    Authentication:Source Dxxxx_AD
    Authentication:Status User, Machine
    Authentication:TEAP-Method-1 EAP-TLS
    Authentication:TEAP-Method-1-Status Success
    Authentication:TEAP-Method-1-Username DESKTOP-942AUBH$
    Authentication:TEAP-Method-2 EAP-TLS
    Authentication:TEAP-Method-2-Status Success
    Authentication:TEAP-Method-2-Username fxxxx@dxxxx.local


  • 2.  RE: TEAP/Machine Authneticate

    EMPLOYEE
    Posted Jan 28, 2024 10:00 PM

    Hi,

    I would like to re-pharse my question.

    Why I getting AD replied without host/ in method-1 username ?

    Authentication:TEAP-Method-1-Username: DESKTOP-942AUBH$

    Thanks.




  • 3.  RE: TEAP/Machine Authneticate

    EMPLOYEE
    Posted Feb 12, 2024 05:51 AM

    The username is determined/sent by the client, and is typically based on the certificate for EAP-TLS. You may have a look at the certificate to better understand where this name is coming from as what I have seen, with AD enrolled certificates, I see the fqdn and not the Netbios/SAMAcccountname (HOSTNAME$). It can be that a modified or just different enrollment template is used for this computer certificate. You may be able to match 'ENDS_WITH $' for the username, which I didn't test but is worth trying.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------