Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Authenticate against ClearPass an AD Username AND AD Hostname?

  • 1.  Authenticate against ClearPass an AD Username AND AD Hostname?

    Posted Sep 10, 2013 12:28 PM

    I'm trying to set up a new Aruba deployment in our office and I'd like to test it a bit before I open it for all. One thing I'm having problems with is the RADIUS authentication. I had a bit of help from TAC to set up the initial SSID and authentication but it's not working the way I wanted. What I would ideally want is to send a role of Employee back to the Instants if the Active Directory user credentials are valid AND the Active Directory hostname exists, then send the role of Employee_BYOD back if the AD user credentials are valid and the AD hostname doesn't exist, but I can't seem to get this to work. My AD computer seems to only pass the hostname credentials to the ClearPass RADIUS server, so it passes the hostname as "host/<machine>.<domain>.com" and the userdn is actually the hostname "<machine>", and the actual AD user isn't being authenticated at all. When I attempt to connect via my phone, which isn't in AD, it authenticates against my AD username because that's what I have to enter, but the computer doesn't ask for any credentials, it just auto signs in with the machine name.

    Any help?



  • 2.  RE: Authenticate against ClearPass an AD Username AND AD Hostname?
    Best Answer

    EMPLOYEE
    Posted Sep 10, 2013 02:22 PM


    Carrun,

    Devices that authenticate via RADIUS can only send one set of credentials at a time. If it is a handheld device, only a username and password can be sent. Windows devices are capable of sending the user's username or the device's username, but not both at the same time.

    Please see the thread here: http://community.arubanetworks.com/t5/ClearPass-formerly-known-as/Enforce-Machine-Authentication/td-p/58918



  • 3.  RE: Authenticate against ClearPass an AD Username AND AD Hostname?

    Posted Sep 10, 2013 02:29 PM

    Thanks for the clarification. I guess I'll authenticate on PC name only for Windows devices. It's not my preferred solution but I think I can make it work.

    Thanks!



  • 4.  RE: Authenticate against ClearPass an AD Username AND AD Hostname?

    EMPLOYEE
    Posted Sep 10, 2013 02:38 PM

    Carrun,

    Here is what you do:

    Use Group Policy to push out a configuration which will have the Windows machine authenticate as a computer when it boots up to the Ctrl-Alt-Delete screen, then authenticate as the user when the user actually logs in: http://community.arubanetworks.com/t5/Command-of-the-Day/COTD-How-to-create-a-Wireless-Group-Policy-on-Windows-2008/td-p/11768

    In the link in the post before, CPPM assigns a pre-built role of [Machine Authenticated] to keep track of devices that have ALREADY machine authenticated, and you can combine that with the [User Authenticated] CPPM role to determine which devices have passed both.

    If you want to test the Windows computer authenticating at boot-up and the user logging in at the Ctrl-Alt-Delete screen, when you configure wireless on the Windows 7 device, under the IEEE > Advanced settings, you need to make sure that "user and computer authentication" is selected. By default, only computer authentication is selected when you just try to click on a WLAN in Windows 7.
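
The two replies above describe a stateful decision: each RADIUS request carries exactly one identity (the computer account as host/<machine>.<domain>, or the user account), so "both" can only be established by remembering that a device already machine authenticated and combining that with a later user authentication from the same endpoint. The Python model below is an added example written for this thread; it is not ClearPass code and does not use any ClearPass API. The cache lifetime, the Machine_Only role handed out between boot and logon, the sample MACs and account names are all assumptions made for illustration; the Employee and Employee_BYOD role names come from the original question.

```python
"""Model of a 'machine first, then user' 802.1X role decision (illustrative, not ClearPass code)."""
import re
import time
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed lifetime of a successful machine authentication. The real product makes
# this an administrator-set value; 24 hours is only an example.
MACHINE_AUTH_TTL_SECONDS = 24 * 60 * 60

# Windows sends the computer account as "host/<machine>.<domain>" when it does
# computer authentication, which is the identity the original poster observed.
HOST_IDENTITY = re.compile(r"^host/(?P<host>[^./\\]+)(?:\.(?P<domain>[^/\\]+))?$", re.IGNORECASE)


@dataclass
class AccessRequest:
    """The subset of a RADIUS Access-Request this model needs (constructed sample data)."""
    calling_station_id: str   # client MAC as the AP/controller reports it
    identity: str             # EAP identity / User-Name: one account per request
    credentials_valid: bool   # outcome of the AD check, stubbed for the model


@dataclass
class Decision:
    result: str                 # "ACCEPT" or "REJECT"
    roles: List[str]            # internal roles the request matched
    enforcement: Optional[str]  # role name returned to the AP, None on reject


def normalize_mac(mac: str) -> str:
    """Collapse 00:11:22:33:44:55, 00-11-22-33-44-55 and 001122334455 to one key."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def classify_identity(identity: str) -> Tuple[str, str]:
    """Return ("machine", hostname) or ("user", username) for a single EAP identity."""
    m = HOST_IDENTITY.match(identity)
    if m:
        return "machine", m.group("host").lower()
    # Accept DOMAIN\user and user@realm forms for the user case.
    user = identity.split("\\")[-1].split("@")[0]
    return "user", user.lower()


class PolicyEngine:
    """Remembers which endpoints machine authenticated and derives roles from that."""

    def __init__(self, ttl: int = MACHINE_AUTH_TTL_SECONDS):
        self.ttl = ttl
        self._machine_authed = {}  # normalized MAC -> expiry (epoch seconds)

    def machine_authenticated(self, mac: str, now: float) -> bool:
        expiry = self._machine_authed.get(mac)
        if expiry is None:
            return False
        if expiry <= now:           # stale entry: forget it and treat as not authenticated
            del self._machine_authed[mac]
            return False
        return True

    def evaluate(self, req: AccessRequest, now: Optional[float] = None) -> Decision:
        now = time.time() if now is None else now
        if not req.credentials_valid:
            return Decision("REJECT", [], None)
        mac = normalize_mac(req.calling_station_id)
        kind, _name = classify_identity(req.identity)
        if kind == "machine":
            # Boot-time computer authentication: record the endpoint and hand out
            # an assumed pre-logon role (the thread does not name this role).
            self._machine_authed[mac] = now + self.ttl
            return Decision("ACCEPT", ["[Machine Authenticated]"], "Machine_Only")
        roles = ["[User Authenticated]"]
        if self.machine_authenticated(mac, now):
            roles.append("[Machine Authenticated]")
            return Decision("ACCEPT", roles, "Employee")        # domain user on a domain PC
        return Decision("ACCEPT", roles, "Employee_BYOD")       # domain user on an unknown device


def demo() -> Tuple[Decision, Decision, Decision, Decision]:
    """Replay the scenario from the thread with constructed MACs and accounts."""
    engine = PolicyEngine()
    t0 = 1_700_000_000
    laptop, phone = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff"
    boot = engine.evaluate(AccessRequest(laptop, "host/LAPTOP01.corp.example.com", True), now=t0)
    logon = engine.evaluate(AccessRequest(laptop, "CORP\\jdoe", True), now=t0 + 60)
    byod = engine.evaluate(AccessRequest(phone, "jdoe@corp.example.com", True), now=t0 + 60)
    stale = engine.evaluate(AccessRequest(laptop, "CORP\\jdoe", True),
                            now=t0 + 60 + MACHINE_AUTH_TTL_SECONDS)
    return boot, logon, byod, stale


if __name__ == "__main__":
    for label, d in zip(("boot", "logon", "phone", "stale"), demo()):
        print(f"{label:6} {d.result:6} {d.enforcement}  {d.roles}")
```

Two points the model makes visible. First, the user-only request from the phone and the user-only request from the laptop are indistinguishable by their credentials; only the remembered machine authentication separates Employee from Employee_BYOD, which is why the single-credential limitation in reply 2 is not a dead end. Second, that memory is keyed by client MAC and bounded by a lifetime: once it expires the same laptop drops to Employee_BYOD until it machine authenticates again, and anything that presents a remembered MAC together with valid user credentials inherits the Employee result, so the lifetime you pick is a security parameter, not just a convenience.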