Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Control of the devices able to logon to our network

  • 1.  Control of the devices able to logon to our network

    Posted Aug 06, 2012 09:33 AM

    Hi,

    There might be something obvious I'm missing, but I've been playing with a config on our lab controller where we use machine authentication for our Windows devices connected to our domain. Using a Win2008 NPS, this works like a beaut, no issues there.

    Maybe I'm approaching this from a totally wrong angle, but of course we have one or two MacBook users, and how do we approach this issue, since they don't support machine authentication?

    I was hoping to have some sort of combination where, if machine authentication fails, then a username and password with MAC authentication should be a minimum in order to be able to log on to the network, but is this at all possible?

    Machine authentication alone - they get assigned authenticated.

    User/password with a valid MAC address in our domain as a user - they get assigned authenticated.

    As I said, I don't know if this is possible, and quite possibly I'm approaching the entire thing completely wrong.

    We're running 6.1.3.2 on our lab controller.

    Any ideas or advice would be greatly appreciated.

    Tommy



  • 2.  RE: Control of the devices able to logon to our network

    Posted Aug 06, 2012 09:55 AM

    When using machine authentication, the controller caches the MAC address of successfully logged-on machines (the time is customizable in the dot1x profile under Advanced, "Machine Authentication Cache Timeout"). If you have non-domain machines that you want to pass your machine authentication tests, just add their MAC addresses to the internal database on the controller. This will trick the controller into thinking it passed machine authentication, getting you the role you desire.





  • 3.  RE: Control of the devices able to logon to our network

    Posted Aug 07, 2012 04:17 AM

    In the AAA profile, besides having an 802.1x rule which checks the computer name against our AD, does this mean setting up a MAC authentication profile and having our NPS defined in the server group (and having that MAC address as a user with the same password), or does it have to be in the internal DB?



  • 4.  RE: Control of the devices able to logon to our network

    Posted Aug 08, 2012 12:40 PM

    What I described (the caching of the MAC during the enforce machine authentication setting) is done only in the Internal database. There are no MAC Authentication profiles or Server Groups to set up in this instance (as it is not doing actual MAC authentication). If you are enforcing machine authentication through a dot1x profile, by adding the MAC address of a device to the internal DB, you'll trick the controller into thinking it has successfully authenticated in the past. Take a look at your Internal DB; you should see the MACs of successful computers in there.
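The mechanism the two replies describe, a machine-authentication cache with a timeout plus hand-added internal DB entries that behave like a cache hit that never expires, modelled in Python as an added illustration; this is not Aruba's code, and the role names, the `Controller` class and the `audit_static_entries` helper are assumptions chosen so an administrator can see which MACs bypass the cache timeout and review them.

```python
import time
from dataclasses import dataclass, field

# Assumed role names for the three outcomes of "enforce machine authentication".
MACHINE_ONLY_ROLE = "machine-auth-only"  # machine passed (or cached), user auth failed
USER_ONLY_ROLE = "user-auth-only"        # no machine auth on record, user passed
FULL_ROLE = "authenticated"              # machine auth on record and user passed
DENY = "deny"


def norm(mac: str) -> str:
    """Normalise MAC spellings (AA-BB-.. vs aa:bb:..) so lookups match."""
    return mac.lower().replace("-", ":")


@dataclass
class Controller:
    # "Machine Authentication Cache Timeout" from the dot1x profile, in seconds.
    cache_timeout: float = 24 * 3600
    # MACs an admin added to the internal DB by hand: treated as permanently cached.
    internal_db: set = field(default_factory=set)
    # Dynamic cache: MAC -> time the device last passed machine authentication.
    cache: dict = field(default_factory=dict)

    def __post_init__(self):
        self.internal_db = {norm(m) for m in self.internal_db}

    def machine_auth_seen(self, mac: str, now: float) -> bool:
        mac = norm(mac)
        if mac in self.internal_db:           # static entry: never expires
            return True
        t = self.cache.get(mac)
        return t is not None and now - t < self.cache_timeout

    def assign_role(self, mac: str, machine_ok: bool, user_ok: bool, now: float) -> str:
        """Decide the role for one 802.1X attempt; machine_ok/user_ok are the AAA results."""
        if machine_ok:
            self.cache[norm(mac)] = now       # successful machine auth refreshes the cache
        machine = machine_ok or self.machine_auth_seen(mac, now)
        if machine and user_ok:
            return FULL_ROLE
        if machine:
            return MACHINE_ONLY_ROLE
        return USER_ONLY_ROLE if user_ok else DENY

    def audit_static_entries(self) -> list:
        """MACs that satisfy machine auth regardless of timeout; review these regularly."""
        return sorted(self.internal_db)
```

A static internal DB entry is thus equivalent to an infinite cache timeout for that MAC, which is why the audit list is worth keeping short and documented.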