Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
802.1x auth and non-domain joined devices

  • 1.  802.1x auth and non-domain joined devices

    Posted Jan 27, 2015 09:50 AM

    At this moment I have configured 802.1x with a 2008 RADIUS server to authenticate computers and users, which works fine. But non-domain devices (like iPhones) can also authenticate to the wireless network as long as they provide a valid domain user account. Is there a way to configure this differently so users can only authenticate when they're on a valid domain computer?



  • 2.  RE: 802.1x auth and non-domain joined devices

    EMPLOYEE
    Posted Jan 27, 2015 09:52 AM

    You have 3 options:

    1) Use enforce machine authentication in the controller

    http://www.arubanetworks.com/techdocs/ArubaOS%206_3_1_Web_Help/Web_Help_Index.htm#ArubaFrameStyles/802.1x/Configuring_802_1x_Authe.htm?Highlight="machine authentication"

    2) Utilize ClearPass Policy Manager for advanced device identity

    3) Issue client certificates to domain devices via GPO and restrict connections to EAP-TLS.



  • 3.  RE: 802.1x auth and non-domain joined devices

    Posted Jan 27, 2015 10:40 AM

    Hi Tim, thanks for your fast response :)

    I enabled Enforce Machine Authentication in the relevant 802.1x auth profile, but I can still connect my iPhone as long as I provide a valid domain account. Any thoughts?

    Edit: seems like we cross-posted :) I will read the link you provided!



  • 4.  RE: 802.1x auth and non-domain joined devices

    Posted Jan 27, 2015 11:59 AM

    In Windows NPS, create one policy with a machine-only rule and assign that to the controller.

    (Screenshot: rad.jpg)

    Make sure that your request is hitting the correct policy.



  • 5.  RE: 802.1x auth and non-domain joined devices

    EMPLOYEE
    Posted Jan 27, 2015 12:02 PM
    That won't always work because if a user authenticates on an AD-joined
    machine, it will fail authentication.


  • 6.  RE: 802.1x auth and non-domain joined devices

    Posted Jan 27, 2015 12:10 PM

    Yeah, that's right.

    It'll enable machine authentication only; user auth will not work.


  • 7.  RE: 802.1x auth and non-domain joined devices

    Posted Jan 27, 2015 04:08 PM

    Hi Enveekaa,

    I wrote a post about this issue a few months back:

    http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/How-to-Machine-AND-User-Authentication-in-Windows-with-Clearpass/m-p/208471/highlight/true#M15856

    It's a more advanced config in ClearPass, but it allows you to do Computer and User auth at the same time.

    Hope it helps!

    -Mike



  • 8.  RE: 802.1x auth and non-domain joined devices

    Posted Jan 28, 2015 07:32 AM

    Thanks for all the info guys, I fixed it by enabling "Enforce Machine Authentication" and removing the user auth option from the RADIUS server.

    Edit: This isn't a workable situation tbh, I tested some more and if the Machine Auth expires (e.g. the laptop goes to sleep) the user can't authenticate anymore and is denied network access.

    I set up a Windows 2012 R2 NPS Server, this might provide me the options I require. I'll report back if I have more info.



  • 9.  RE: 802.1x auth and non-domain joined devices

    EMPLOYEE
    Posted Jan 28, 2015 10:57 AM
    Going the cert route is probably your best bet. 


    Thanks, 
    Tim


  • 10.  RE: 802.1x auth and non-domain joined devices

    Posted Feb 02, 2015 04:28 PM

    I think I have a decent solution at the moment.

    I created a policy on the NPS server that only allows computers to authenticate and configured the wireless connection on the laptop to only attempt computer authentication.

    In my first test I did not disable user auth in the 802.1x settings on the laptop; obviously this caused auth to fail as soon as the laptop would attempt user auth.

    Does this implementation have any side effects I'm missing?



  • 11.  RE: 802.1x auth and non-domain joined devices

    Posted Feb 02, 2015 04:31 PM

    Hi enveekaa,

    The only caveat about going an all Computer Authentication route is those devices that cannot perform Machine Authentication, like Apple laptops and most BYOD devices.

    -Mike



  • 12.  RE: 802.1x auth and non-domain joined devices

    EMPLOYEE
    Posted Feb 02, 2015 08:02 PM

    With this setup, you will lose user identity.
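    The approaches traded off above (Enforce Machine Authentication on the controller in post 2, dropping user auth from NPS in post 8, a computer-only supplicant in post 10, and the identity loss noted in post 12) are easier to reason about with a small model. The following is an added example, not code from the thread, ArubaOS or NPS: it applies the ArubaOS machine/user result table (both pass: 802.1X default role; machine only: machine-auth default role; user only: user-auth default role) together with a cached machine-auth entry that expires; the role names and the 24-hour timeout are assumptions.

```python
MACHINE_ROLE = "machine-only"  # machine-auth default role (name assumed)
USER_ROLE = "user-only"        # user-auth default role: keep it restrictive
FULL_ROLE = "employee"         # role once both phases have passed
CACHE_TIMEOUT = 24 * 3600      # seconds a machine-auth result is remembered (assumed)

class Controller:
    def __init__(self, enforce_machine_auth, radius_accepts_users):
        self.enforce = enforce_machine_auth
        self.radius_accepts_users = radius_accepts_users  # shape of the NPS policy
        self.cache = {}  # client MAC -> time the computer account last passed

    def machine_phase(self, mac, is_domain_member, now):
        """Computer-account phase: only a domain-joined machine can pass it."""
        if not is_domain_member:
            return None
        self.cache[mac] = now
        return MACHINE_ROLE

    def user_phase(self, mac, user_creds_valid, now):
        """User phase; the role follows the ArubaOS machine/user result table."""
        user_ok = user_creds_valid and self.radius_accepts_users
        if not self.enforce:
            return FULL_ROLE if user_ok else None   # any device, any domain user
        entry = self.cache.get(mac)
        machine_ok = entry is not None and now - entry < CACHE_TIMEOUT
        if machine_ok and user_ok:
            return FULL_ROLE
        if machine_ok:
            return MACHINE_ROLE   # user rejected: client keeps the machine role
        if user_ok:
            return USER_ROLE      # e.g. an iPhone with valid domain credentials
        return None               # Access-Reject, no network access

def scenarios():
    now, out = 0, {}
    # Post 1: enforce on, NPS accepts both computer and user accounts.
    c = Controller(enforce_machine_auth=True, radius_accepts_users=True)
    c.machine_phase("iphone", False, now)
    out["iphone_user_only"] = c.user_phase("iphone", True, now)
    c.machine_phase("laptop", True, now)
    out["laptop_both"] = c.user_phase("laptop", True, now)
    # Post 8: user auth removed from NPS; the laptop's cached entry later expires.
    c = Controller(enforce_machine_auth=True, radius_accepts_users=False)
    out["iphone_rejected"] = c.user_phase("iphone", True, now)
    c.machine_phase("laptop", True, now)
    out["laptop_cached"] = c.user_phase("laptop", True, now)
    out["laptop_expired"] = c.user_phase("laptop", True, now + CACHE_TIMEOUT + 1)
    out["laptop_computer_only"] = c.machine_phase("laptop", True, now)  # post 10 supplicant
    return out
```

The user-only outcome is what the iPhone got in post 1, and the expired outcome is the denial seen in post 8; the computer-only path never yields a user identity, which is post 12's point.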



  • 13.  RE: 802.1x auth and non-domain joined devices

    Posted Feb 03, 2015 04:09 AM

    For now this seems perfect, non-domain devices are provisioned via a guest network and a self-register page where end users can accept an EULA and are added to the MAC database dynamically. Currently we don't allow any non-domain device on the production network.

    Thanks for the help!



  • 14.  RE: 802.1x auth and non-domain joined devices

    Posted Feb 03, 2015 04:27 AM

    Good to know that your problem has been solved.

    Cheers



  • 15.  RE: 802.1x auth and non-domain joined devices

    Posted Nov 21, 2019 10:00 AM

    Hi guys,

    Sorry, it could probably be off-topic, but could you please explain the auth traffic flow between Fortigate - RSSO CPPM - AD to me?

    For some devices in my network, I have some issues with authentication. I will give you two examples:

    Two sites, each with a virtual controller and an Aruba AP; both controllers have identical config. If I try to authenticate my iPhone on site 1 (the iPhone is not in the domain) with my domain credentials to connect to Wi-Fi 802.1x, everything works fine, Fortigate associates my iPhone with the correct group and the traffic passes through the correct policy. If I try to do the same on site 2, Fortigate sees my login, but does not associate my username with the correct group and the traffic passes through the wrong policy.

    What could be the issue? RSSO? Configuration of Enforcement?

    Screenshot log.png:

    1. First and second line - on site 2

    2. Third line - on site 1

    Third line - correct policy, first and second - wrong.

    The user is authenticated and has an internet connection. The only difference is which policy this traffic hits on Fortigate. Since I would like to have all traffic authenticated, I can no longer use a policy for unauthenticated traffic.

    Screenshot fgt.png - Fortigate sees the three lines similarly. Probably it can give you some ideas also.

    Please give me some ideas. Thanks!
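    Added example for the ClearPass to FortiGate RSSO question above; this is not code from the thread, ClearPass, Aruba or Fortinet. ClearPass sends RADIUS accounting to the FortiGate, and the RSSO agent learns the user from the Accounting Start and picks a group by matching an attribute (Class by default) against each RSSO group's configured value; the code below encodes and parses such a packet and applies that matching. Attribute numbers are the standard RFC 2865/2866 ones; the exact-match rule, the group name and the packet contents are assumptions constructed for the demo.

```python
import struct

USER_NAME, FRAMED_IP, CLASS, CALLING_STATION_ID, ACCT_STATUS_TYPE = 1, 8, 25, 31, 40
ACCT_REQUEST, ACCT_START = 4, 1   # packet code / Acct-Status-Type value

def build_acct_start(ident, attrs):
    """Encode an Accounting-Request with the given (type, value bytes) attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    # The real Request Authenticator is an MD5 over packet + shared secret
    # (RFC 2866); a zero placeholder is enough for parsing offline.
    return struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body)) + bytes(16) + body

def parse_attrs(packet):
    """Decode the attribute list into {type: [value, ...]}, rejecting bad lengths."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    attrs, pos = {}, 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.setdefault(t, []).append(packet[pos + 2:pos + l])
        pos += l
    return attrs

def rsso_map(packet, rsso_groups, sso_attr=CLASS):
    """Mimic the RSSO agent: (ip, user, group) from an Accounting Start, where
    group is the configured group whose sso-attribute-value matches, else None."""
    a = parse_attrs(packet)
    if a.get(ACCT_STATUS_TYPE, [b""])[0] != struct.pack("!I", ACCT_START):
        return None                                  # Stop/Interim: not a logon
    ip = ".".join(str(b) for b in a[FRAMED_IP][0])
    user = a[USER_NAME][0].decode()
    seen = [v.decode(errors="replace") for v in a.get(sso_attr, [])]
    group = next((g for g, want in rsso_groups.items() if want in seen), None)
    return ip, user, group

# Constructed sample: one RSSO group on the FortiGate, one packet per site.
RSSO_GROUPS = {"wifi-employees": "employees"}   # group name -> sso-attribute-value
COMMON = [(USER_NAME, b"jdoe"), (FRAMED_IP, bytes([10, 1, 2, 30])),
          (CALLING_STATION_ID, b"AA-BB-CC-DD-EE-FF"),
          (ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START))]
SITE1 = build_acct_start(1, COMMON + [(CLASS, b"employees")])
SITE2 = build_acct_start(2, COMMON + [(CLASS, b"staff")])   # value does not match

def compare_sites():
    """Both packets carry the same user; only one yields a group."""
    return rsso_map(SITE1, RSSO_GROUPS), rsso_map(SITE2, RSSO_GROUPS)
```

A packet whose group attribute does not match any configured value still logs the user (the FortiGate "sees the login") but yields no group, so the traffic falls through to whatever policy is not group-based; comparing the accounting attributes both sites actually send is the check this suggests.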