Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Can't login to PC joined Domain with New User profile

  • 1.  Can't login to PC joined Domain with New User profile

    Posted Dec 19, 2016 06:49 AM

    Hi


    I have configured CPPM for two services to authenticate wired users.

    One to authenticate the wired users who don't have 802.1X enabled on their devices.

    [screenshot: 1.GIF]

    and one to authenticate users who have 802.1X enabled on their devices

    [screenshot: 2.GIF]

    The domain member users can authenticate properly as planned.

    But I got a problem when a new user wants to connect to a domain member device and this user is logging in for the first time.

    In this case the port will be assigned to the quarantine VLAN because the user didn't pass the health check yet, and since the quarantine VLAN doesn't have access to the domain, the new user will not be able to login...


    I think we have to use what is called machine-authentication here, right?

    If yes, then how to configure the machine authentication rule and what is its position?


    Thanks



  • 2.  RE: Can't login to PC joined Domain with New User profile

    Posted Dec 19, 2016 09:30 AM

    You could use:


    TIPS role Equals [Machine Authenticated] --> MachineAuth-VLAN


    Then configure the machine auth VLAN to restrict access to only allow domain login.


    Put the rule at the bottom of your 802.1X enforcement policy.


    Cheers

    James




  • 3.  RE: Can't login to PC joined Domain with New User profile

    Posted Dec 19, 2016 09:51 AM

    Are the authenticated users assigned to the "User Authenticated" role

    and the authenticated machines assigned to the "Machine Authenticated" role by default without any role-mapping policies?


    But in this case the PC will be assigned to this MachineAuth-VLAN before the user enters the credentials, so what will happen after the user gets in? Will the authentication process be repeated all over again, so the user will be assigned to a new VLAN based on his authentication?


    Thanks



  • 4.  RE: Can't login to PC joined Domain with New User profile
    Best Answer

    Posted Dec 19, 2016 10:40 AM

    mahmoud.yasin@ad-tech.com.jo wrote:

    Are the authenticated users assigned to the "User Authenticated" role

    and the authenticated machines assigned to the "Machine Authenticated" role by default without any role-mapping policies?


    But in this case the PC will be assigned to this MachineAuth-VLAN before the user enters the credentials, so what will happen after the user gets in? Will the authentication process be repeated all over again, so the user will be assigned to a new VLAN based on his authentication?


    Thanks


    Yes, the machine authed device will get the machine authenticated role without any additional role mapping.


    When the user logs in this will trigger another 802.1X authentication request.
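An added illustration (not from the thread or from ClearPass itself) of why James puts the machine-auth rule at the bottom of the enforcement policy and why the user login in reply 4 gets a fresh decision: a first-match evaluator over the three rules discussed. The built-in TIPS roles are real, but the rule names, VLAN names and posture values are assumptions for the example.

```python
# Added example: first-match model of a ClearPass-style 802.1X enforcement
# policy. Rule names, VLAN names and posture strings are assumptions for
# illustration; "[User Authenticated]" and "[Machine Authenticated]" are the
# built-in TIPS roles named in the thread.
from dataclasses import dataclass, field


@dataclass
class Request:
    """Attributes CPPM would evaluate for one 802.1X authentication."""
    roles: set = field(default_factory=set)
    posture: str = "UNKNOWN"  # assumed values: HEALTHY / QUARANTINE / UNKNOWN


# (rule name, condition, enforcement profile), evaluated top to bottom.
ENFORCEMENT_POLICY = [
    ("healthy-user",
     lambda r: "[User Authenticated]" in r.roles and r.posture == "HEALTHY",
     "User-VLAN"),
    ("unhealthy-user",
     lambda r: "[User Authenticated]" in r.roles and r.posture != "HEALTHY",
     "Quarantine-VLAN"),
    # James's rule, last: machine-only auth lands in a VLAN that only allows domain login.
    ("machine-only",
     lambda r: "[Machine Authenticated]" in r.roles,
     "MachineAuth-VLAN"),
]
DEFAULT_PROFILE = "Deny"


def evaluate(policy, request):
    """Return (rule name, profile) of the first matching rule, else the default."""
    for name, cond, profile in policy:
        if cond(request):
            return name, profile
    return "default", DEFAULT_PROFILE


def session_flow():
    """PC boots (machine auth only), user logs in for the first time (new
    802.1X request, not yet healthy), then the health check passes."""
    both = {"[User Authenticated]", "[Machine Authenticated]"}
    steps = (Request(roles={"[Machine Authenticated]"}),
             Request(roles=set(both), posture="QUARANTINE"),
             Request(roles=set(both), posture="HEALTHY"))
    return [evaluate(ENFORCEMENT_POLICY, r)[1] for r in steps]


def wrong_order():
    """Machine-only rule moved to the top: a healthy domain user never
    reaches the user/posture rules, so the user/posture decision is lost."""
    policy = [ENFORCEMENT_POLICY[2]] + ENFORCEMENT_POLICY[:2]
    healthy = Request(roles={"[User Authenticated]", "[Machine Authenticated]"}, posture="HEALTHY")
    return evaluate(policy, healthy)[1]
```

Running `session_flow()` gives `['MachineAuth-VLAN', 'Quarantine-VLAN', 'User-VLAN']`, while `wrong_order()` shows the same healthy user stuck in `MachineAuth-VLAN`.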