Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

AD Account Restricted to a Workstation in Active Directory failing auth

  • 1.  AD Account Restricted to a Workstation in Active Directory failing auth

    Posted Oct 12, 2015 08:02 AM

    We are having an issue with a valid Active Directory user account that has a restriction in AD to only allow a login to come from a specific workstation.  Our dot1x Windows configuration does Computer & User authentication.  The Computer (Machine) authentication works perfectly fine and the computer is able to machine auth correctly and join the network.  When the user logs in with a machine restricted account, they receive a reject message and are unable to join the network.  It appears that ClearPass is not sending the entire auth message to AD in this case and thus failing auth, because the workstation ID is not passed with the RADIUS auth.  I have attached the ClearPass Alerts tab.  Has anyone seen this issue, and is there a workaround in the 802.1X service in ClearPass that can handle workstation restricted accounts?



  • 2.  RE: AD Account Restricted to a Workstation in Active Directory failing auth

    Posted Oct 12, 2015 09:02 AM
    What do you mean by this: "When the user logs in with a machine restricted account"?

    Did you recently add this account in AD? If you did, try clearing the cache under the AD authentication source.

    In Access Tracker under Input > Authorization Attributes, do you see the user information there?



  • 3.  RE: AD Account Restricted to a Workstation in Active Directory failing auth

    Posted Oct 12, 2015 09:19 AM

    Hi Victor,

    A machine restricted account is an AD user account that is only allowed to log into a specific Windows machine that is registered in AD.  If the user tries logging into a different machine with this account they will be rejected by AD.  This is not a new account; it has been around for years.

    In Access Tracker, Input tab, no Authorization Attributes show up with this type of account.  See attachment.

    Question:  when ClearPass queries AD to validate the user account, does it send workstation attributes with the request, or is that stripped out of the query?



  • 4.  RE: AD Account Restricted to a Workstation in Active Directory failing auth

    Posted Oct 12, 2015 09:31 AM
    Question: when ClearPass queries AD to validate the user account, does it send workstation attributes with the request, or is that stripped out of the query?
    Not when it is doing user auth.

    This is probably not going to work the way you are doing it.



  • 5.  RE: AD Account Restricted to a Workstation in Active Directory failing auth

    EMPLOYEE
    Posted Oct 12, 2015 09:38 AM
    You need to add the ClearPass computer accounts to the users allowed logon workstations. 


    Thanks, 
    Tim

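    One way to apply Tim's suggestion from the AD side, as an added example that is not from this thread or from HPE Aruba: the "Log On To" list on a user object is the comma-separated `userWorkstations` attribute (exposed by the ActiveDirectory PowerShell module as `LogonWorkstations`). The ClearPass servers' own computer accounts have to be on that list because ClearPass performs the user's MSCHAPv2 authentication through its own domain join, so the domain controller sees the ClearPass host, not the user's laptop, as the workstation in that exchange. The script merges the ClearPass computer account names into the existing list instead of overwriting it, refuses to act on an account that currently has no restriction (writing the attribute to such an account would add a restriction rather than relax one), and reads the attribute back for verification. The user name `jdoe` and server names `CPPM01`/`CPPM02` are placeholders.

```powershell
# Added example, not from the thread: add the ClearPass servers' computer accounts
# to a user's "Log On To" list (AD attribute userWorkstations) without dropping
# the workstations already allowed. Requires the RSAT ActiveDirectory module and
# write rights on the user object. All names below are placeholders.
Import-Module ActiveDirectory

$User             = 'jdoe'                # assumed sAMAccountName of the restricted user
$ClearPassServers = @('CPPM01', 'CPPM02') # assumed NetBIOS names of the ClearPass computer accounts

# Confirm the computer accounts actually exist before referencing them.
foreach ($srv in $ClearPassServers) {
    if (-not (Get-ADComputer -Filter "Name -eq '$srv'")) {
        throw "Computer account '$srv' not found in AD; check the ClearPass domain join."
    }
}

$adUser = Get-ADUser -Identity $User -Properties LogonWorkstations

# userWorkstations is a single comma-separated string of NetBIOS names.
$current = @()
if ($adUser.LogonWorkstations) {
    $current = @($adUser.LogonWorkstations -split ',' |
                 ForEach-Object { $_.Trim() } |
                 Where-Object   { $_ })
}

# An empty list means "may log on anywhere". Writing a list now would impose
# a restriction the account did not have, so stop instead of silently doing that.
if ($current.Count -eq 0) {
    Write-Warning "$User has no Log On To restriction; nothing to relax. Aborting."
    return
}

# Merge, preserving the existing entries (-notcontains is case-insensitive in PowerShell).
$merged = @($current)
foreach ($srv in $ClearPassServers) {
    if ($merged -notcontains $srv) { $merged += $srv.ToUpper() }
}

if ($merged.Count -eq $current.Count) {
    Write-Host "No change: ClearPass servers already listed for $User."
} else {
    Set-ADUser -Identity $User -LogonWorkstations ($merged -join ',')
    Write-Host "Updated Log On To list for $User."
}

# Read back what the domain controller will now enforce.
(Get-ADUser -Identity $User -Properties LogonWorkstations).LogonWorkstations
```

    Run it from a host with RSAT installed and rights over the user object. The interactive logon restriction is unchanged by this edit: a logon attempt at a workstation that is not on the list is still refused by the domain controller, because that check happens in the workstation's own logon to the DC rather than in the RADIUS exchange, which is the distinction Tim draws in his later replies. If the script reports that the account has no restriction at all, the original symptom has a different cause and this change is not the fix.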

  • 6.  RE: AD Account Restricted to a Workstation in Active Directory failing auth

    Posted Oct 12, 2015 09:39 AM

    Try doing this instead:

    - First you need to tag with a custom attribute when the laptop does machine auth

    2015-10-12 09_25_17-ClearPass Policy Manager - Aruba Networks.png

    - Then create a ClearPass post-auth enforcement profile using that attribute

    2015-10-12 09_26_48-ClearPass Policy Manager - Aruba Networks.png

    - Then use this attribute when the laptop performs machine auth; make sure to put this at the top of your rules so it is applied

    2015-10-12 09_28_35-ClearPass Policy Manager - Aruba Networks.png

    - Then in your user auth make sure to add a rule that allows access only when the user is using that laptop

    2015-10-12 09_30_26-ClearPass Policy Manager - Aruba Networks.png

    Note: Make sure that in the other rules you include something like this:

    2015-10-12 09_41_38-ClearPass Policy Manager - Aruba Networks.png

     



  • 7.  RE: AD Account Restricted to a Workstation in Active Directory failing auth

    Posted Oct 12, 2015 10:15 AM

    Victor,

    We already have been using a custom attribute to validate machine auth, like you defined below.  I don't believe this will solve the fundamental problem.  The problem is that when the user auths, ClearPass only sends the user info to AD and not the workstation ID, so AD will always reject the request.  AD is expecting to see the user ID and the workstation ID in the request.  Is there any way to solve this?



  • 8.  RE: AD Account Restricted to a Workstation in Active Directory failing auth



  • 9.  RE: AD Account Restricted to a Workstation in Active Directory failing auth

    Posted Oct 12, 2015 12:03 PM

    Hi Victor, that would work, but then it gives the user ID the ability to log in from any workstation, making that account have no workstation restrictions.  We could just remove the workstation restrictions in AD and get the same result.  I am thinking this is not going to be possible.  One idea is that we only have this workstation do machine (computer) auth only from Windows.  No user auth would be generated.  This would allow the machine to auth and be on the network.



  • 10.  RE: AD Account Restricted to a Workstation in Active Directory failing auth

    EMPLOYEE
    Posted Oct 12, 2015 12:06 PM
    Keep in mind the network auth is separate from the actual domain authentication. Allowing the ClearPass account simply allows that account to authenticate using ClearPass. 


    Thanks, 
    Tim


  • 11.  RE: AD Account Restricted to a Workstation in Active Directory failing auth

    Posted Oct 12, 2015 12:17 PM

    I hear what you are saying, Tim.  I will need to get my AD guys involved to test that this works and the user account is still restricted to a single machine.  My thoughts are that this will allow access from any machine where we are doing 802.1x auth on the switch port and ClearPass is involved.  If that proves to be true, then this solution will not work for us.  I will keep you posted on our testing.  Thanks to both you and Victor for your responses.



  • 12.  RE: AD Account Restricted to a Workstation in Active Directory failing auth

    EMPLOYEE
    Posted Oct 12, 2015 12:26 PM

    Well, no. This will only allow the user account to authenticate against ClearPass. It doesn't change the existing access controls because that is covered by computer->DC authentication.