Occasional Contributor II
Re: Radius machine authentication

Can anyone tell me if this is an Aruba design choice, or if this behaviour is part of the 802.1x RFC? I have asked our Aruba tech. rep. about this, but it would be useful to know if there is some RFC requiring this behaviour.

Guru Elite

"Enforce Machine Authentication" is an Aruba option. It is not part of an RFC. The ability to place devices in different roles based on whether a user or a domain computer passed authentication is an exclusive Aruba feature. This option is off, by default.

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
Occasional Contributor II

Re: Radius machine authentication

Thank you. This is good to know - I am continuing to test our various scenarios with enforce machine auth turned off, and will report back my findings.

Aruba Employee

Re: Radius machine authentication

One thing that I do sometimes with Machine Auth on is make the Machine Auth and User Auth role the same so I can see who is passing what without affecting any users. You can then look to see how they Auth'd and see who is passing and who is failing. Everyone will be in the same role, but for those who pass you will see 802.1x-user or 1x-mach, or just 1x for those who pass both.

Gary
Occasional Contributor II

Re: Radius machine authentication
Thanks, this is a good tip. It appears that enforcing machine auth is not flexible enough for our environment, and I am currently working with the following for testing:

initial-role logon
mac-default-role logon
dot1x-default-role logon
i.e.: don't give any access without matching a server rule.

I am then using Server Rules to set rules based on the response from a successful dot1x auth, whether it is machine OR user auth.

This allows me to have different roles as follows:

For domain computers, where I can enable machine auth on the client using group policy, the role can be determined by AD group membership of the computer account, so different domain PCs can have different roles. Also using GP I can enforce ONLY machine auth, so the computer will have a fixed role and never attempt dot1x user auth, which is closer to what we have now with wired PCs.

For non-domain computers, or domain computers without the above GP, the dot1x user auth will provide the appropriate role/vlan.

This achieves the goal of giving a single AD domain user account different roles for different machine types: user X on the typical domain computer will get one role, while user X on his personal laptop will get a different role.

If there exists a way to combine a machine auth + user auth to give a different result from just a user auth, please let me know. (without enforcing machine auth on the controller, as that does not work). I have not found any mention of having the machine auth affect the behaviour of a subsequent user auth.

i.e.: I can't do this:
machine X + user X = role A
machine X + user Y = role B
user X only = role C
user Y only = role D

I can do this if machine X does ONLY machine auth:
machine X + user X = role A
machine X + user Y = role A
user X only = role C
user Y only = role D

Or, I can do this if machine X does both machine and user auth:
machine X + user X = role C
machine X + user Y = role D
user X only = role C
user Y only = role D

Hope this makes sense.
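The three outcome tables above, as an added model that is not Aruba's code: it assumes the controller derives the role from the most recent successful dot1x auth that matches a server rule (so a user auth after a machine auth replaces the machine role), and the AD group names and role names are constructed.

```python
# Added model of Aruba role assignment via server rules, not Aruba code.
# Assumption: each successful dot1x auth matching a server rule replaces the
# current role, so the last successful auth wins.
from dataclasses import dataclass
from typing import List, Optional

# Constructed server rules: AD group seen in the RADIUS Access-Accept -> role
SERVER_RULES = {
    "DOMAIN-PCS": "role-A",   # computer account group (machine auth)
    "USERS-X": "role-C",      # user X's group (user auth)
    "USERS-Y": "role-D",      # user Y's group (user auth)
}
# initial-role / mac-default-role / dot1x-default-role all set to logon:
# no access unless a server rule matches
DEFAULT_ROLE = "logon"


@dataclass
class Auth:
    kind: str       # "machine" or "user"
    group: str      # AD group returned for the account that authenticated
    success: bool = True


def role_after(auths: List[Auth]) -> str:
    """Role the client ends up in after the given sequence of dot1x auths."""
    role = DEFAULT_ROLE
    for a in auths:
        if a.success and a.group in SERVER_RULES:
            role = SERVER_RULES[a.group]   # later matching auth replaces earlier
    return role


def client_auths(machine_group: Optional[str], user_group: Optional[str],
                 gpo_machine_only: bool) -> List[Auth]:
    """Auths a client performs: domain PCs do machine auth; user auth follows
    unless group policy restricts the PC to machine auth only."""
    auths = []
    if machine_group:
        auths.append(Auth("machine", machine_group))
    if user_group and not (machine_group and gpo_machine_only):
        auths.append(Auth("user", user_group))
    return auths


if __name__ == "__main__":
    for gpo in (True, False):
        for user in ("USERS-X", "USERS-Y"):
            print(gpo, user, role_after(client_auths("DOMAIN-PCS", user, gpo)))
```

Run it to see that with machine-only auth both users land in role-A, while with machine plus user auth the user role wins, which is why machine X + user Y cannot yield a distinct role B without Enforce Machine Authentication.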
Regular Contributor I

Re: Radius machine authentication

I didn't have time to read through all the posts but the way I get around this issue is by using IAS and group policy.

If the device isn't a member of the domain, AND doesn't belong to a Wireless access Group, then the device doesn't get authenticated.

The only negative that I've seen so far is that laptops could be sitting at the login prompt and be using up a little bandwidth.