If you use machine authentication, or machine and user authentication, ClearPass will automatically detect if the machine is doing (or has done) machine authentication. You can use the TIPS role Machine Authenticated for this.
So, really simple. Just allow authentication that contains the role Machine Authenticated. Or also use EAP-TLS for corporate managed devices, which makes it even easier.
@Fabian Klaring wrote:
you need to add a rule in your enforcement policy/role mapping that validates the machine in AD
If you use machine authentication (eap-peap) you can make a basic rule like:
Authorization:CorpAD:UserDN CONTAINS OU=Computers,DC=company,DC=local
Or more basic:
Authorization:CorpAD:UserDN EXISTS
If the client does not pass these rules, it is not an AD-joined device and should be denied access. For every exception, just add the new rule above this one (if you use first-applicable).
This is not completely correct. The check UserDN EXISTS is always true even if the user/machine doesn't exist. The UserDN is empty at that moment but still exists. Sometimes I have to create a check like this, but in that case I use a REGEX that will check if the DN is not empty. For example:
UserDN > NOTMATCH REGEX > (.|\s)*\S(.|\s)*
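To illustrate the difference between the two checks discussed above, here is an added example (not part of the thread and not ClearPass code) that evaluates the rules from this exchange against constructed authorization attribute sets. It assumes first-applicable policy ordering and that the regex must match the whole DN value; the attribute sets and the rule engine are hypothetical stand-ins for a ClearPass enforcement policy.

```python
import re

# Constructed sample attribute sets, not from a real deployment. An empty UserDN
# models the case described in the thread: the attribute is present in the
# request, but AD returned no object for the machine or user.
AD_JOINED_MACHINE = {"Authorization:CorpAD:UserDN":
                     "CN=LAPTOP01,OU=Computers,DC=company,DC=local"}
UNKNOWN_DEVICE = {"Authorization:CorpAD:UserDN": ""}
NO_AD_LOOKUP = {}                     # attribute never populated at all

USERDN = "Authorization:CorpAD:UserDN"
NOT_EMPTY = r"(.|\s)*\S(.|\s)*"       # regex from the thread: at least one non-blank char

def condition(attrs, name, op, value=None):
    """Evaluate one rule condition with the operator semantics the thread describes."""
    present = name in attrs
    dn = attrs.get(name, "")
    if op == "EXISTS":
        return present                             # true even when the value is ""
    if op == "CONTAINS":
        return present and value in dn
    if op == "MATCHES_REGEX":                      # whole-value match assumed
        return present and re.fullmatch(value, dn) is not None
    if op == "NOT_MATCHES_REGEX":
        return present and re.fullmatch(value, dn) is None
    raise ValueError(f"unknown operator {op}")

def evaluate(policy, attrs, default="Deny"):
    """First-applicable policy: the first rule whose condition holds decides."""
    for op, value, outcome in policy:
        if condition(attrs, USERDN, op, value):
            return outcome
    return default

# The EXISTS-only policy from the quoted post: allows any request carrying the attribute.
EXISTS_POLICY = [("EXISTS", None, "Allow")]
# The correction: a deny rule on an empty DN placed above the allow rule.
REGEX_POLICY = [("NOT_MATCHES_REGEX", NOT_EMPTY, "Deny"), ("EXISTS", None, "Allow")]
# The OU-based rule from the quoted post.
OU_POLICY = [("CONTAINS", "OU=Computers,DC=company,DC=local", "Allow")]

if __name__ == "__main__":
    for label, attrs in [("joined", AD_JOINED_MACHINE), ("unknown", UNKNOWN_DEVICE),
                         ("no lookup", NO_AD_LOOKUP)]:
        print(label, evaluate(EXISTS_POLICY, attrs), evaluate(REGEX_POLICY, attrs),
              evaluate(OU_POLICY, attrs))
```

Running it shows the unknown device (empty DN) is allowed by the EXISTS-only policy but denied once the regex rule sits above it.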