09-05-2017 08:42 PM
I have an SSID that uses PEAP/MSCHAPv2 to authenticate users and machines against AD. Via GPO, we have configured all corporate devices for 'User or Machine authentication' and only allow users that have also been machine authenticated. So far so good.
1) Allow domain devices with local accounts logged in. These devices continually authenticate with local creds that are not in AD and are rejected. Even if I set a policy to allow these devices on via an attribute that I set, they still get login status REJECT even though the enforcement profile is "[Allow Access Profile]". Am I mixing up authentication with authorization? Any way to have just an endpoint attribute allow a device on the network?
2) Allow devices that are not even domain devices (iPads) but may have valid users. Similar situation as above.
If it helps, I'm working with Aruba APs and 3600/72xx controllers. Thanks for any tips/advice.
Solved! Go to Solution.
09-05-2017 08:46 PM - edited 09-05-2017 08:50 PM
With 802.1X, authentication must pass before moving on to authorization. Unfortunately the situation you're referencing is common and is a limitation with in the Computer + User logic in the Windows supplicant.
The only real options for any of these scenarios is to move away from the legacy PEAPv0/EAP-MSCHAPv2 and move over to EAP-TLS where you can build trust boundaries and move away from the legacy password construct.
| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |