New Contributor

Custom endpoint attribute behaviour in case of Machine Authentication Cache Timeout

I’m trying to configure 802.1x machine+user authentication in a wired Cisco network. I’m using ClearPass Policy Manager 6.8.3.110034.

In my 802.1x service I want the Endpoint attribute to be set to true after a machine is authenticated successfully.

enforcementTab.png

boolAttribute.png

If a user is trying to authenticate, then the “MachineAndUserAuthenticated-Role” role is applied if the Endpoint attribute was set to true.

rolesTab.png

If the “MachineAndUserAuthenticated-Role” role was applied after successful authentication, the user is authorized to access VLAN2; if not, the user is authorized to access VLAN1.

enforcementTab.png

This configuration is working well except in one case. After a machine is authenticated successfully, the Endpoint is added to the Endpoints repository and it has the custom Endpoint attribute set to true. I have also set “Machine Authentication Cache Timeout” to one hour.

serviceParameters.png

I wanted to test whether, after one hour, the user will be authorized to access VLAN2 if machine authentication isn’t executed again. I expected it wouldn’t be possible, but the user is authorized to access VLAN2 no matter how long I wait (1, 2, 3h…). To make sure that a successful machine authentication won’t occur again, I’m temporarily modifying a rule to make sure this won’t be matched.

modifiedRule.png

After I manually delete the endpoint from the repository, it works as expected – the endpoint attribute is not set to true after machine authentication and the user is authorized to access VLAN1 only.

I made this configuration based on some examples found on the forum. I thought the Endpoint attribute would be cleared after the “Machine Authentication Cache Timeout” passed, but maybe I didn’t understand the concept. Can someone tell me how to make this configuration so that the user won’t be authorized to access VLAN2 if the “Machine Authentication Cache Timeout” has passed and the machine wasn’t authenticated again?

Guru Elite

Re: Custom endpoint attribute behaviour in case of Machine Authentication Cache Timeout

If a user successfully passes authentication with the same MAC address, the machine authentication timeout will be renewed.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.4 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
Sign up for Security Alerts
Aruba Technical Webinars
New Contributor

Re: Custom endpoint attribute behaviour in case of Machine Authentication Cache Timeout

Is timeout renewal also possible after the machine authentication timeout passed a long time ago?

Does it mean that next time I don't have to use a machine with a valid certificate and I can just use some machine with the same MAC address?

New Contributor

Re: Custom endpoint attribute behaviour in case of Machine Authentication Cache Timeout

What is the idea behind the custom endpoint attribute? Does it ever go false or null in natural CPPM workflows? What is the goal of using it the way some examples show?

Guru Elite

Re: Custom endpoint attribute behaviour in case of Machine Authentication Cache Timeout


@mrzepecki wrote:

Is timeout renewal also possible after the machine authentication timeout passed a long time ago?

Does it mean that next time I don't have to use a machine with a valid certificate and I can just use some machine with the same MAC address?


Timeout renewal is not possible after the machine timeout has passed. It can be renewed by a machine or user authentication with the same MAC address if the timeout has not passed. If it has passed, only a new machine authentication can restart it.

If the timer has not expired, any valid 802.1x authentication with the same MAC address would renew the machine authentication cache.

The most secure organizations use machine-only authentication with an EAP-TLS certificate and do not rely on the machine authentication cache.


Guru Elite

Re: Custom endpoint attribute behaviour in case of Machine Authentication Cache Timeout


@mrzepecki wrote:

What is the idea behind the custom endpoint attribute? Does it ever go false or null in natural CPPM workflows? What is the goal of using it the way some examples show?


The custom endpoint attribute never goes false or null, and it is persistent. This is MAC address-based, however, and a device that fakes the MAC address of a device that has already machine authenticated would get elevated privileges. It is better from a security perspective to just deploy machine-only authentication with EAP-TLS machine certificates to avoid all of those issues.


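The two answers above describe two different mechanisms with different lifetimes: a custom endpoint attribute that is written once and never cleared on its own, and a machine authentication cache that expires after the configured timeout, is renewed by any valid 802.1x authentication from the same MAC address while it is still valid, and can only be restarted by a new machine authentication once it has expired. The following toy model, added here as an example and not ClearPass code (the class names, the `MachineAuthenticated` attribute name and the toy clock are assumptions), replays the poster's test against both mechanisms side by side, so the difference in behaviour the thread is about can be seen directly:

```python
"""Toy model of the two authorization mechanisms discussed in the thread.

Added example; it is not ClearPass code and the class/attribute names are
assumptions. It models three things the answers state:
  1. a custom endpoint attribute is persistent and never goes false on its own,
  2. the machine authentication cache expires after the configured timeout and
     is renewed only by an authentication that happens before it expires,
  3. after expiry only a new machine authentication can restart the cache.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MACHINE_AUTH_CACHE_TIMEOUT_HOURS = 1.0  # the thread's one-hour cache timeout


@dataclass
class Endpoint:
    mac: str
    # Custom endpoint attributes written by an enforcement profile (persistent).
    attrs: Dict[str, bool] = field(default_factory=dict)
    # Toy clock value (hours) until which the machine-auth cache is valid.
    cache_valid_until: Optional[float] = None


class EndpointRepository:
    """Minimal stand-in for the Endpoints repository (assumption, not CPPM internals)."""

    def __init__(self, timeout_hours: float = MACHINE_AUTH_CACHE_TIMEOUT_HOURS):
        self.timeout = timeout_hours
        self.endpoints: Dict[str, Endpoint] = {}

    def _get(self, mac: str) -> Endpoint:
        return self.endpoints.setdefault(mac, Endpoint(mac))

    def machine_authenticated(self, mac: str, now: float) -> None:
        """Successful machine auth: set the persistent attribute and (re)start the cache."""
        ep = self._get(mac)
        ep.attrs["MachineAuthenticated"] = True
        ep.cache_valid_until = now + self.timeout

    def user_authenticated(self, mac: str, now: float) -> Dict[str, str]:
        """Successful user auth: return the VLAN each mechanism would assign."""
        ep = self._get(mac)
        cache_valid = ep.cache_valid_until is not None and now < ep.cache_valid_until
        if cache_valid:
            # Any valid 802.1X auth from the same MAC renews an unexpired cache.
            ep.cache_valid_until = now + self.timeout
        attribute_set = ep.attrs.get("MachineAuthenticated", False)
        return {
            "attribute_based": "VLAN2" if attribute_set else "VLAN1",  # the thread's role rule
            "cache_based": "VLAN2" if cache_valid else "VLAN1",
        }

    def delete_endpoint(self, mac: str) -> None:
        """Manual deletion from the repository, as the poster did to reset the attribute."""
        self.endpoints.pop(mac, None)


def run_scenario() -> List[Tuple[float, Dict[str, str]]]:
    """Replay the poster's test on a toy clock; returns (hour, results) tuples."""
    repo = EndpointRepository()
    mac = "00:11:22:33:44:55"  # constructed sample MAC address
    log = []
    repo.machine_authenticated(mac, now=0.0)
    log.append((0.5, repo.user_authenticated(mac, now=0.5)))  # inside cache: both VLAN2, cache renewed to 1.5
    log.append((3.0, repo.user_authenticated(mac, now=3.0)))  # cache expired at 1.5: attribute still grants VLAN2
    log.append((3.5, repo.user_authenticated(mac, now=3.5)))  # an expired cache is not renewed by user auth
    repo.machine_authenticated(mac, now=4.0)                  # only a new machine auth restarts the cache
    log.append((4.5, repo.user_authenticated(mac, now=4.5)))
    repo.delete_endpoint(mac)
    log.append((5.0, repo.user_authenticated(mac, now=5.0)))  # after deletion both fall back to VLAN1
    return log


if __name__ == "__main__":
    for hour, result in run_scenario():
        print(f"t={hour:>4}h attribute-based={result['attribute_based']} cache-based={result['cache_based']}")
```

Running it shows exactly what the poster observed: the attribute-based role keeps granting VLAN2 at hour 3 and beyond, while the cache-based decision drops to VLAN1 once the timeout has lapsed, and neither mechanism distinguishes a different device presenting the same MAC address, which is the reason the answers point at machine-only EAP-TLS instead.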