Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass Aruba 802.1X Wireless and Machine Authentication

  • 1.  ClearPass Aruba 802.1X Wireless and Machine Authentication

    Posted Aug 05, 2015 05:57 AM

    Hi,
    I have configured a service using the template "Aruba 802.1X Wireless" on ClearPass 6.5.1.
    I have configured a RADIUS proxy server for Check Point to allow Check Point Identity Awareness, and in the enforcement policy I have configured this rule:

    (Tips : Role EQUALS [ Authenticated User ] )
    AND (Tips : Role EQUALS [ Machine Authenticated ] )

    Because I need to verify:
    - The user is an Active Directory user
    - The machine is a machine recognized by the Active Directory server (so not a personal device)

    This type of configuration works fine in other environments; in this specific one, where the only difference is the RADIUS proxy, the enforcement policy does not work and ALL devices have access.

    Another issue I have encountered is that the client request has the email as the username: "name.surname@company.com"

    I think it is due to the Windows OS, and the authentication fails.
    If I force the username into the form "name.surname", everything works.

    Any idea?

    Thanks in advance



  • 2.  RE: ClearPass Aruba 802.1X Wireless and Machine Authentication

    EMPLOYEE
    Posted Aug 05, 2015 06:12 AM
    You would have to disable Windows authentication and have it prompt the user to enter their UPN.


    Thanks,
    Tim


  • 3.  RE: ClearPass Aruba 802.1X Wireless and Machine Authentication

    Posted Aug 05, 2015 08:02 AM

    @Andrea wrote:

    Another issue I have encountered is that the client request has the email as the username: "name.surname@company.com"

    I think it is due to the Windows OS, and the authentication fails.
    If I force the username into the form "name.surname", everything works.

    Any idea?

    Thanks in advance


    You have two options to resolve this. In your Service configuration, configure the Authentication settings to strip the @company.com from the login. This will authenticate all users using the username only.

    [attachment: cppm-strip.png]

    Alternatively, you can configure your Authentication Source filter to look at both the sAMAccountName and the userPrincipalName:

    (|(&(userPrincipalName=%{Authentication:Username})(objectClass=user))(&(sAMAccountName=%{Authentication:Username})(objectClass=user)))

    [attachment: cppm-upn-login2.png]
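The two options in this reply, emulated in Python as an added example (not part of the original post and not ClearPass code). ClearPass performs the `%{Authentication:Username}` substitution itself; here the value is substituted in Python so the resulting filter can be inspected. The substituted value is escaped per RFC 4515 before it goes into the filter, which is an assumption about good practice on my part, not a statement about how ClearPass substitutes the macro. The `DOMAIN\` prefix handling in `strip_username` is likewise an assumption beyond what the reply shows; the reply only strips the `@realm` suffix.

```python
"""Emulation of the two fixes suggested above: stripping the realm from a
UPN-style login, and an LDAP filter that accepts either sAMAccountName or
userPrincipalName. Added example, not ClearPass code."""

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_LDAP_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def ldap_escape(value: str) -> str:
    """Escape a string for use as an LDAP filter assertion value (RFC 4515)."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def strip_username(username: str) -> str:
    """Mirror the 'strip username' option: drop a trailing '@realm'.
    Dropping a leading 'DOMAIN\\' prefix is an assumption beyond the post."""
    if "\\" in username:
        username = username.split("\\", 1)[1]
    local, sep, _realm = username.rpartition("@")
    return local if sep else username


def build_auth_filter(username: str) -> str:
    """Corrected form of the filter in the reply: a user object whose
    userPrincipalName OR sAMAccountName equals the authenticating username."""
    u = ldap_escape(username)
    return (
        "(|"
        f"(&(userPrincipalName={u})(objectClass=user))"
        f"(&(sAMAccountName={u})(objectClass=user))"
        ")"
    )


def filter_is_balanced(ldap_filter: str) -> bool:
    """Cheap sanity check for a hand-typed filter: every '(' has a matching ')'.
    The filter as originally posted fails this check; the corrected one passes."""
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


if __name__ == "__main__":
    # Constructed inputs: the two login forms from the thread plus one hostile value.
    for login in ("name.surname@company.com", "name.surname", "*)(objectClass=*"):
        print(f"{login!r:32} stripped={strip_username(login)!r}")
        print("  filter:", build_auth_filter(login))
    # The filter exactly as it appeared in the reply (unbalanced parentheses).
    as_posted = ("(|&userPrincipalName=%{Authentication:Username})(objectClass=user))"
                 "(&(sAMAccountName=%{Authentication:Username})(objectClass=user)))")
    print("posted filter balanced:", filter_is_balanced(as_posted))
    print("corrected filter balanced:", filter_is_balanced(build_auth_filter("jdoe")))
```

The two options are alternatives: once the realm is stripped, the username no longer looks like a UPN, so the sAMAccountName branch is the one that matches. Run `filter_is_balanced` over any filter you type into an Authentication Source before testing logins; an unbalanced filter is the easiest mistake to make and the hardest to spot in a single long line.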




  • 4.  RE: ClearPass Aruba 802.1X Wireless and Machine Authentication

    Posted Aug 05, 2015 03:28 PM

    Hi,
    thanks for your answer, tomorrow I'll try to follow your suggestions.

    But for the failed machine authentication I have no idea how to solve it.

    It seems that the enforcement policy does not work.

    Can you help me?

    Best regards
    Andrea



  • 5.  RE: ClearPass Aruba 802.1X Wireless and Machine Authentication

    Posted Aug 05, 2015 03:46 PM

    Can you supply the Access Tracker export for that failed attempt?  It may help us understand your situation.

     



  • 6.  RE: ClearPass Aruba 802.1X Wireless and Machine Authentication

    Posted Aug 07, 2015 09:12 AM

    Hi,

    I want a client to have to pass both of my verifications to have access to the network:

    - User Authenticated

    - Machine Authenticated

    The problem is, clients have access if they pass at least one of the two.

    I have tried to set only "machine authentication" but it seems not to work.
    If the user ID is valid he has access.

    In the Access Tracker you see only one authentication, only user or only machine.

    Usually I have to see two authentications for each client.

    Best regards
    Andrea



  • 7.  RE: ClearPass Aruba 802.1X Wireless and Machine Authentication

    EMPLOYEE
    Posted Aug 07, 2015 09:37 AM

    Is the client pre-configured for "User or Computer authentication"?



  • 8.  RE: ClearPass Aruba 802.1X Wireless and Machine Authentication

    Posted Aug 12, 2015 08:55 AM

    Hi,
    sorry for the delay.
    The client is configured correctly; I have already configured this type of authentication and it works fine in other environments.

    It seems like the condition "user and machine are authenticated" is read like "User OR Machine".
    But I have verified that it is set to "AND" and not "OR".

    Do you know of a debug which can help me?

    Thanks
    Andrea



  • 9.  RE: ClearPass Aruba 802.1X Wireless and Machine Authentication

    EMPLOYEE
    Posted Aug 12, 2015 08:57 AM

    After the user gets to the desktop, do you see a second authentication?



  • 10.  RE: ClearPass Aruba 802.1X Wireless and Machine Authentication

    Posted Aug 12, 2015 09:04 AM

    No,
    I see only one authentication.
    Sometimes I see only machine authentication, other times I see only user authentication.

    For example, if you use a smart device, which usually does not do machine authentication, it passes the user authentication and has access to the network.



  • 11.  RE: ClearPass Aruba 802.1X Wireless and Machine Authentication

    EMPLOYEE
    Posted Aug 12, 2015 09:07 AM

    That's correct. Only Windows AD-joined machines will work with machine authentication.

     

    So from a fully powered off state, when you boot up the Windows device, it should Machine Authenticate once it hits the log in screen. Then once a user logs in, you should see a User Authentication. In that sequence, do you not see that happening?



  • 12.  RE: ClearPass Aruba 802.1X Wireless and Machine Authentication

    Posted Aug 12, 2015 09:09 AM

    Yes.

    But for example the smart devices have access to the network even if they aren't machine authenticated.



  • 13.  RE: ClearPass Aruba 802.1X Wireless and Machine Authentication

    EMPLOYEE
    Posted Aug 12, 2015 09:11 AM

    If you're trying to block all devices that don't pass machine authentication, then each of your rules needs to contain TIPS ROLE EQUALS [Machine Authenticated]



  • 14.  RE: ClearPass Aruba 802.1X Wireless and Machine Authentication

    Posted Aug 13, 2015 03:23 AM

    Hi,
    I have already configured my enforcement policy in this way:
    (Tips : Role EQUALS [ Authenticated User ] )
    AND (Tips : Role EQUALS [ Machine Authenticated ] )

    but without success.
    I have tried to configure only:
    "Tips : Role EQUALS [ Machine Authenticated ]"
    But no change.

    thanks

    Andrea



  • 15.  RE: ClearPass Aruba 802.1X Wireless and Machine Authentication

    EMPLOYEE
    Posted Aug 13, 2015 07:20 AM
    Please post some screenshots of your service.


    Thanks,
    Tim


  • 16.  RE: ClearPass Aruba 802.1X Wireless and Machine Authentication

    Posted Aug 17, 2015 09:51 AM

    Attached are all the screenshots.



  • 17.  RE: ClearPass Aruba 802.1X Wireless and Machine Authentication
    Best Answer

    EMPLOYEE
    Posted Aug 17, 2015 09:59 AM

    The problem is in your enforcement policy.  Your "default" profile in your enforcement policy is what happens if none of your rules in your enforcement policy is matched.    Your default profile should be a deny-all.

    [attachment: denyall.png]
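A small model of the enforcement-policy evaluation described in this answer and in reply 13, as an added example that is not part of the original thread and not ClearPass code. It assumes only the evaluation order the thread describes: rules are checked in order against the request's TIPS roles, the first match decides the profile, and when no rule matches the policy's default profile applies. Role and profile names follow the thread; ClearPass's built-in role is spelled [User Authenticated], which is what the code uses for the role the poster wrote as [Authenticated User]. The three request role sets are constructed to match the device types discussed in the thread.

```python
"""Model of how a ClearPass enforcement policy selects a profile, showing why a
'user AND machine' rule looked like 'user OR machine' when the default profile
was still allow-all. Added example, not ClearPass code."""
from dataclasses import dataclass
from typing import FrozenSet, List, Set

ALLOW = "[Allow Access Profile]"
DENY = "[Deny Access Profile]"
USER_AUTH = "[User Authenticated]"
MACHINE_AUTH = "[Machine Authenticated]"


@dataclass(frozen=True)
class Rule:
    """One enforcement-policy rule: every role in required_roles must be
    present on the request (the AND condition from the original post)."""
    required_roles: FrozenSet[str]
    profile: str


@dataclass
class Policy:
    rules: List[Rule]
    default_profile: str

    def evaluate(self, roles: Set[str]) -> str:
        """First-match evaluation; falls through to default_profile."""
        for rule in self.rules:
            if rule.required_roles <= roles:
                return rule.profile
        return self.default_profile


USER_AND_MACHINE = Rule(frozenset({USER_AUTH, MACHINE_AUTH}), ALLOW)


def wizard_policy() -> Policy:
    """The policy as the template wizard left it: a correct AND rule, but a
    default profile that still allows access (what reply 18 found)."""
    return Policy(rules=[USER_AND_MACHINE], default_profile=ALLOW)


def hardened_policy() -> Policy:
    """Same rule, default profile set to deny-all (the accepted answer)."""
    return Policy(rules=[USER_AND_MACHINE], default_profile=DENY)


def audit_policy(policy: Policy) -> List[str]:
    """Checks a practitioner would run before trusting a machine-auth policy:
    the default must deny, and no permissive rule may skip machine auth (reply 13)."""
    findings = []
    if policy.default_profile != DENY:
        findings.append(f"default profile is {policy.default_profile}, not {DENY}")
    for i, rule in enumerate(policy.rules, 1):
        if rule.profile != DENY and MACHINE_AUTH not in rule.required_roles:
            findings.append(f"rule {i} grants {rule.profile} without requiring {MACHINE_AUTH}")
    return findings


# Constructed request role sets for the device types discussed in the thread.
SCENARIOS = {
    "domain PC, user logged on": {USER_AUTH, MACHINE_AUTH},
    "domain PC at login screen": {MACHINE_AUTH},
    "phone with valid AD user": {USER_AUTH},
}


if __name__ == "__main__":
    for name, policy in (("wizard default", wizard_policy()), ("deny-all default", hardened_policy())):
        print(f"{name}: audit findings = {audit_policy(policy) or 'none'}")
        for scenario, roles in SCENARIOS.items():
            print(f"  {scenario:28} -> {policy.evaluate(roles)}")
```

Under the wizard default the phone case matches no rule and falls through to [Allow Access Profile], which is exactly the "user OR machine" behaviour Andrea observed; with the deny-all default it is blocked. One caveat the AND rule alone introduces: a domain PC sitting at the login screen (machine authenticated, no user yet) is also denied under a deny-all default. If that PC needs to reach the domain before a user logs on, add a separate rule for [Machine Authenticated] on its own that maps to a restricted profile, and keep the default at deny-all.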



  • 18.  RE: ClearPass Aruba 802.1X Wireless and Machine Authentication

    Posted Aug 18, 2015 03:34 AM

    Thanks, now it works!


    It is curious because I did not edit this field; I left it at the default after the wizard, but in effect it contains an allow-all profile.

    Thanks again,
    this issue drove me crazy.

    Best regards
    Andrea



  • 19.  RE: ClearPass Aruba 802.1X Wireless and Machine Authentication

    Posted Aug 05, 2015 08:04 AM

    @Andrea wrote:

    Hi,
    I have configured a service using the template "Aruba 802.1X Wireless" on ClearPass 6.5.1.
    I have configured a RADIUS proxy server for Check Point to allow Check Point Identity Awareness, and in the enforcement policy I have configured this rule:

    (Tips : Role EQUALS [ Authenticated User ] )
    AND (Tips : Role EQUALS [ Machine Authenticated ] )

    Because I need to verify:
    - The user is an Active Directory user
    - The machine is a machine recognized by the Active Directory server (so not a personal device)

    This type of configuration works fine in other environments; in this specific one, where the only difference is the RADIUS proxy, the enforcement policy does not work and ALL devices have access.


    With regards to this failure, can you send a copy of the Access Tracker logs so we can have a look at your service configuration for this specific event?