
User Auth only on Domain Machines

  • 1.  User Auth only on Domain Machines

    Posted Feb 04, 2021 01:16 PM
    We have ClearPass configured for both Machine and User Authentication on both the wired and wireless. The authentications are working correctly. If a machine boots up, it does machine auth, gets the correct VLAN, etc. Once a user logs on, it reauthenticates, and the VLAN remains the same or gets reassigned based on the user. (IT machines\Users get separate VLANs, since ACLs restrict access to admin tools and consoles to only specific IT VLANs.) This is all working correctly.

    However, a while back we discovered that on the wireless side, because of how some devices function, if you went to join the network on a non-domain-joined machine, it would prompt for username and password. Upon entering a valid username and password, the device would get joined via user authentication. We didn't want employees (or an attacker with compromised creds) to be able to connect a non-domain machine or device to the corporate wireless. Support's solution (and this was years ago now, so I am not sure why this issue, which I'll get to in a second, is just now coming up) was to add a second condition for Machine Authenticated.

    Here is the problem. A user brings their machine in for the day, hooks it to the LAN, works for a while, but then has to go to a meeting. They undock the machine to go to a conference room, and the machine refuses to connect to the wireless. When I look at the Deny request, it's because there is only user information attached. Now if they log off or reboot, the machine comes up and authenticates, then they log on, and they are good to go. And they can swap back and forth, etc. My assumption is that this is because there is now a machine auth that has been cached, and ClearPass can use that auth in conjunction with their user auth and be fine, until the cache times out.

    Here is what I am trying to accomplish. 1 and 2 are already in place and working:
    1. Machine Authentication - maintain this, so that machines on the wired or wireless will continue to get updates, etc., and no extra hops for users that have never logged on.
    2. User Auth to take precedence, so that once a user logs on, the user auth is what is presented for the VLAN reasons detailed above, and also so that once users are disabled or locked out, they fail authentication, etc.
    3. User Authentication on ONLY domain machines, without having to log off or reboot to get that cached machine auth. It doesn't seem like, even on successful auths, there is any information inside the auth that I can use. All the attributes are for the user. On just machine auths, I can see the machine is a member of Domain Machines, just like users are members of all their groups, etc. Is there a way to pull this information from a machine during a user auth?

    ------------------------------
    Tony Anderson
    ------------------------------
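As an added illustration of the two-condition rule described in this post (not code from the thread or from ClearPass), this Python model shows why a user-only request is denied when no machine authentication is cached for the device, and why valid credentials presented from a non-domain device are rejected. Keying the cache by client MAC, the 24 h lifetime, and all names and addresses are assumptions.

```python
from dataclasses import dataclass, field

# Added example, not ClearPass code: a toy model of the two-condition rule the
# post describes (user identity AND a cached machine authentication). Keying
# the cache by client MAC and the 24 h lifetime are assumptions.
CACHE_SECONDS = 24 * 3600

@dataclass
class AuthRequest:
    mac: str               # client adapter address
    auth_type: str         # "machine" or "user"
    identity: str          # host account (HOST$) or username
    in_domain_group: bool  # identity is a member of Domain Computers
    timestamp: int         # seconds

@dataclass
class PolicyEngine:
    cache: dict = field(default_factory=dict)  # mac -> last machine-auth time

    def evaluate(self, req: AuthRequest) -> str:
        if req.auth_type == "machine":
            if not req.in_domain_group:
                return "REJECT:machine-not-in-domain"
            self.cache[req.mac] = req.timestamp
            return "ACCEPT:machine-vlan"
        # User auth: valid credentials alone are not enough; the same adapter
        # must have a machine auth inside the cache window.
        last = self.cache.get(req.mac)
        if last is None or req.timestamp - last > CACHE_SECONDS:
            return "REJECT:user-only"
        return "ACCEPT:user-vlan"

def scenario() -> list:
    """Constructed request sequence; MACs and names are made up."""
    e = PolicyEngine()
    laptop, phone, t = "00:11:22:33:44:01", "00:11:22:33:44:02", CACHE_SECONDS
    return [
        # Domain laptop boots and machine-auths, then alice logs on.
        e.evaluate(AuthRequest(laptop, "machine", "LAPTOP01$", True, 0)),
        e.evaluate(AuthRequest(laptop, "user", "alice", False, 60)),
        # Non-domain device presenting alice's valid credentials.
        e.evaluate(AuthRequest(phone, "user", "alice", False, 120)),
        # Same laptop, user-only request after the cached machine auth expired.
        e.evaluate(AuthRequest(laptop, "user", "alice", False, t + 61)),
        # Reboot: fresh machine auth refills the cache, user auth passes again.
        e.evaluate(AuthRequest(laptop, "machine", "LAPTOP01$", True, t + 120)),
        e.evaluate(AuthRequest(laptop, "user", "alice", False, t + 180)),
    ]
```

The fourth decision is the symptom from the post: the user's credentials are valid, but with no fresh machine auth for that adapter the request carries only user information and is denied.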


  • 2.  RE: User Auth only on Domain Machines

    Posted Feb 04, 2021 04:52 PM
    Edited by timms Feb 04, 2021 04:53 PM
    You have three options:

    1) Use PEAPv0/EAP-MSCHAPv2 with machine auth only
    2) Use EAP-TLS with machine auth
    3) Use TEAP with EAP-TLS and machine + user

    #2 is the best balance of simplicity and security.

    ------------------------------
    Tim C
    ------------------------------