Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Authenticate Non-Domain Machine against NPS to give access to corporate LAN

  • 1.  Authenticate Non-Domain Machine against NPS to give access to corporate LAN

    Posted Jan 20, 2015 10:50 AM

    Just wondering if anyone has any suggestions on this or if I am even going about this the right way.

    I am trying to get a non-domain machine authenticated against my NPS server to give it network access. The device is a wireless barcode scanner for inventory that needs to talk back to the database sitting on our corporate LAN.

    I already have a WLAN for our corporate LAN that does machine authentication for domain computers and gives that laptop access to the LAN, but I am struggling with how to get a non-domain machine onto our network.

    I have created a self-signed certificate on my NPS server, exported it and installed it onto the non-domain machine, and added "Microsoft: Smart Card or other certificate" with the self-signed certificate to the Authentication Methods of the existing rules on my NPS, hoping that this would be all I need to do to allow the machine with the self-signed cert access to the network. But it is not working. The machine just pops up a message saying it cannot connect to the WLAN.

    Not sure if there is something configured wrong on the Aruba controller or my NPS server.

    Is this even a possible way of getting a non-domain machine access to my corporate LAN, or am I going about this all wrong? If there are any other ideas or a better way of accomplishing this, I would really appreciate any suggestions.

    If you need more details please let me know and I will provide as much as possible.



  • 2.  RE: Authenticate Non-Domain Machine against NPS to give access to corporate LAN

    EMPLOYEE
    Posted Jan 20, 2015 10:54 AM
    Are you doing username password authentication or certificates for users?


  • 3.  RE: Authenticate Non-Domain Machine against NPS to give access to corporate LAN

    Posted Jan 20, 2015 11:04 AM

    Username and password for the users



  • 4.  RE: Authenticate Non-Domain Machine against NPS to give access to corporate LAN

    EMPLOYEE
    Posted Jan 20, 2015 11:07 AM
    You need to use the Protected EAP option on the client, not smartcard. 


    Thanks, 
    Tim


  • 5.  RE: Authenticate Non-Domain Machine against NPS to give access to corporate LAN

    Posted Jan 20, 2015 11:22 AM

    If I wanted to use the certificate for the user, would I select the smart card or certificate option?

    I tried the Protected EAP and still could not get connected on the non-domain device.



  • 6.  RE: Authenticate Non-Domain Machine against NPS to give access to corporate LAN

    EMPLOYEE
    Posted Jan 20, 2015 11:35 AM
    Did you issue a client certificate to the device? It sounds like the certificate you installed was the server cert.



    Thanks, 
    Tim


  • 7.  RE: Authenticate Non-Domain Machine against NPS to give access to corporate LAN

    Posted Jan 20, 2015 11:48 AM

    All I have done so far is create the self-signed certificate on the NPS server, export the root certificate with just the public key, and then install that onto the non-domain device in the Trusted Root Certification Authorities section.

    I have not issued any client certificates yet. Should that be my next step?



  • 8.  RE: Authenticate Non-Domain Machine against NPS to give access to corporate LAN

    EMPLOYEE
    Posted Jan 20, 2015 12:08 PM
    Yes, you would need to create an AD certificate authority unless you have an existing PKI infrastructure. 


    Thanks, 
    Tim
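The distinction Tim draws above (a trusted root versus a client certificate issued to the device) can be checked directly on the non-domain Windows device before choosing "Smart Card or other certificate" on the client. The script below is an added example, not from the thread or from HPE Aruba or Microsoft; it assumes the certificates were placed in the LocalMachine stores and uses a placeholder issuer name that must be replaced with the subject of the NPS/CA root certificate actually installed.

```powershell
# Added example (not from the thread): verify on the non-domain Windows device
# whether the prerequisites for EAP-TLS ("Smart Card or other certificate") are
# met, i.e. (1) the NPS/CA root is trusted and (2) the device holds its own
# certificate with a private key and the Client Authentication EKU.
$NpsIssuerName = 'CN=NPS-ROOT-PLACEHOLDER'   # placeholder: subject of your NPS/CA root cert
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'         # id-kp-clientAuth
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'         # id-kp-serverAuth

function Get-EkuOids([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # Returns the Extended Key Usage OIDs of a certificate; a certificate with
    # no EKU extension is treated here as NOT usable for client authentication.
    $ext = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $ext) { return @() }
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

# 1. Is the issuing root trusted? This is the only step the original poster had done.
$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $NpsIssuerName }
if ($root) { "Root trusted: $($root.Thumbprint)" } else { "Root NOT found in Trusted Root store" }

# 2. Does the device hold an unexpired certificate with a private key and the
#    Client Authentication purpose? Without one, EAP-TLS cannot succeed.
$clientCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and ((Get-EkuOids $_) -contains $ClientAuthOid) -and ($_.NotAfter -gt (Get-Date))
}
if ($clientCerts) {
    $clientCerts | ForEach-Object { "Usable client cert: $($_.Subject) (expires $($_.NotAfter))" }
} else {
    "No client-auth certificate with a private key: use PEAP (username/password) or enrol one from the AD CA"
}

# 3. A server-auth-only certificate in the personal store usually means the
#    server certificate was copied over instead of a client certificate being issued.
Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $eku = Get-EkuOids $_
    ($eku -contains $ServerAuthOid) -and -not ($eku -contains $ClientAuthOid)
} | ForEach-Object { "Warning: server-auth-only certificate present: $($_.Subject)" }
```

Run it from an elevated PowerShell session on the device; if the certificate was installed for a user rather than the machine, substitute `Cert:\CurrentUser\` for `Cert:\LocalMachine\` in the store paths.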


  • 9.  RE: Authenticate Non-Domain Machine against NPS to give access to corporate LAN

    Posted Jan 20, 2015 03:07 PM

    OK, I will look into this and see what I can come up with. We do have an existing AD Certificate Authority, so hopefully I can get something to work.

    If I get anything working I'll post what I did.

    Thanks for the input!



  • 10.  RE: Authenticate Non-Domain Machine against NPS to give access to corporate LAN

    EMPLOYEE
    Posted Jan 20, 2015 03:59 PM
    Is there any specific reason why you're not just doing username/password?
    Just curious.


  • 11.  RE: Authenticate Non-Domain Machine against NPS to give access to corporate LAN

    Posted Jan 20, 2015 04:04 PM

    I haven't really thought about just doing username and password.

    I just went with the certificate way because I thought I needed to get the machine authenticated first and then the username and password could be used.

    Didn't really think of just using username/password since it is a non-domain machine.



  • 12.  RE: Authenticate Non-Domain Machine against NPS to give access to corporate LAN

    EMPLOYEE
    Posted Jan 21, 2015 09:52 PM

    Username/password is the easiest solution if you don't have an existing PKI or something like ClearPass Onboard.



  • 13.  RE: Authenticate Non-Domain Machine against NPS to give access to corporate LAN

    Posted Jan 26, 2015 09:56 AM

    I ended up using username/password for authentication, and it worked.

    Would there be any added benefit to using MAC authentication for added security, kind of like dual authentication, by adding the device's MAC address to the internal DB, or am I just complicating things?



  • 14.  RE: Authenticate Non-Domain Machine against NPS to give access to corporate LAN

    EMPLOYEE
    Posted Jan 26, 2015 09:58 AM
    If you don't have a policy server like ClearPass, I would just stick to 802.1X.