Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass Radius Server for user authentication in an AD domain

  • 1.  Clearpass Radius Server for user authentication in an AD domain

    Posted Sep 11, 2020 05:31 PM

    Domain: Education K-12

    We have a set of 24 laptops which will be shared by students. Currently the network is set up with a Microsoft NPS server with RADIUS authentication. We are trying to implement user authentication with ClearPass.

    Steps taken

    1) Created separate SSIDs for students and staff on Aruba Central pointing to the ClearPass auth server.

    2) Created a GPO to implement 802.1X via user authentication.

    3) Created user roles in Central to direct the users to the specific web service in ClearPass (student-ws, staff-ws).

    4) Created enforcement profiles with ClearPass to categorize devices to point to the correct setup (via Aruba support).

    Now the issue happens when staff log out from the machine and a student tries to log in: he can't log on; it says no connection to the domain network.

    While checking the Access Tracker, it shows that the machine (student) is trying to connect via the staff profile and is rejected.

    What I am trying to achieve is that those machines are school owned, but whenever someone uses them I need to get the user details.

    I am not sure whether the WAP is giving the wrong role to ClearPass.

    Right now, while checking Aruba Central, those SSIDs are not visible under WLAN settings either.

    Just wondering whether someone has come across the issue.



  • 2.  RE: Clearpass Radius Server for user authentication in an AD domain

    EMPLOYEE
    Posted Sep 11, 2020 05:50 PM

    The client laptop needs to be configured for machine authentication, and ClearPass needs to be configured to process machine authentication (allow authentication from the AD group Domain Computers). If machine authentication is not configured, new users cannot log in to the laptop wirelessly without using the wired connection.



  • 3.  RE: Clearpass Radius Server for user authentication in an AD domain

    Posted Sep 12, 2020 06:25 PM

    Is there a way in which we can use first machine authentication and then user authentication? We need user details for audit purposes.



  • 4.  RE: Clearpass Radius Server for user authentication in an AD domain

    EMPLOYEE
    Posted Sep 12, 2020 07:25 PM

    The client device (Windows) can be configured for machine and user authentication.



  • 5.  RE: Clearpass Radius Server for user authentication in an AD domain

    Posted Sep 13, 2020 03:32 PM

    @itguru, to your request for machine AND user authentication:

    This is best accomplished via TEAP. It's a very recent 802.1X Windows 10 supplicant enhancement; it came out about 2 months back. We added the capability for TEAP to CPPM 6.9 as we worked directly with the M/Soft Windows development team on this feature. What you're asking for is generally referred to as EAP chaining.

    For example, as part of the inner EAP authentication, you could initially perform EAP-TLS to use a machine cert to validate the device, then use EAP-TLS or EAP-MSCHAPv2 to validate the user.
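    As an added example (not from this thread, nor Aruba/HPE or Microsoft code), the Python check below reads an exported Windows WLAN profile and reports the two settings the replies above turn on: whether authMode allows machine authentication before anyone logs on (reply 2), and which EAP method the profile uses, including TEAP (type 55) from this reply. The namespaces are those of the Windows WLAN profile schema; the sample profile is constructed.

```python
import xml.etree.ElementTree as ET
# Namespaces of the Windows WLAN profile schema (what `netsh wlan export profile` writes).
NS = {
    "onex": "http://www.microsoft.com/networking/OneX/v1",
    "eap": "http://www.microsoft.com/provisioning/EapCommon",
}
# IANA EAP method numbers mentioned in this thread.
EAP_TYPES = {13: "EAP-TLS", 25: "PEAP", 55: "TEAP"}

# Constructed sample: a student-SSID profile as a GPO set to "user authentication"
# would push it. Not taken from the thread.
SAMPLE_PROFILE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>Students</name>
  <SSIDConfig><SSID><name>Students</name></SSID></SSIDConfig>
  <MSM><security>
    <authEncryption><authentication>WPA2</authentication><encryption>AES</encryption></authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <authMode>user</authMode>
      <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
        <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type></EapMethod>
      </EapHostConfig></EAPConfig>
    </OneX>
  </security></MSM>
</WLANProfile>"""

def audit_wlan_profile(profile_xml: str) -> dict:
    """Report whether the laptop can authenticate before anyone logs on.
    authMode 'user' waits for a user logon, so a new user sees 'no domain network'
    at the logon screen; the thread's fix is machine auth ('machineOrUser')."""
    root = ET.fromstring(profile_xml)
    onex = root.find(".//onex:OneX", NS)
    if onex is None:  # open/PSK profile: no 802.1X block at all
        return {"auth_mode": None, "eap": None, "machine_auth": False,
                "findings": ["no OneX block: profile does not use 802.1X"]}
    mode_el = onex.find("onex:authMode", NS)
    # The OneX schema defaults authMode to machineOrUser when the element is omitted.
    auth_mode = mode_el.text.strip() if mode_el is not None else "machineOrUser"
    type_el = onex.find(".//eap:Type", NS)
    eap_num = int(type_el.text) if type_el is not None else None
    eap = EAP_TYPES.get(eap_num, f"EAP type {eap_num}")
    findings = []
    if auth_mode == "user":
        findings.append("authMode=user: no network at the logon screen for new users")
    if eap_num == 25:
        findings.append("PEAP: inner method is usually MSCHAPv2 (password); EAP-TLS or TEAP chaining is stronger")
    return {"auth_mode": auth_mode, "eap": eap,
            "machine_auth": auth_mode in ("machine", "machineOrUser"), "findings": findings}
```

    Running it against a real export (`netsh wlan export profile name="Students" folder=.`) shows at a glance whether the GPO pushed user-only authentication, which is the failure mode described in the first post.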



  • 6.  RE: Clearpass Radius Server for user authentication in an AD domain

    Posted Sep 14, 2020 04:32 PM

    Danny,

    This is slightly off the subject, but I wanted to confirm that while TEAP is a mechanism allowing simultaneous chained authentications from a client device, it still doesn't make MSCHAPv2 as secure as a certificate passing through the TLS tunnel. In other words, when using TEAP with MSCHAPv2 as an inner method, we still have the same security concerns as with EAP-PEAP?



  • 7.  RE: Clearpass Radius Server for user authentication in an AD domain

    Posted Sep 14, 2020 07:53 PM

    So you can elect to use EAP-TLS for both the machine and user inner authN.

    I was just providing an example, but the world today in enterprise land for 802.1X is still, unfortunately, predominantly using username/password for creds; the move to certs is happening, but too slowly for my liking.