Security

Trusted Contributor I

Re: Enforce Machine Authentication

I now see something different when issuing the show user ip command:

 

Role Derivation: Aruba VSA

 

However, my role is still the user role once logged in.

 

My enforcement profile must not be correct.  I need some way to say "if machine authenticated + user authenticated = this role".  I'm not sure how to configure that in an enforcement policy.

=======================================
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.
Guru Elite

Re: Enforce Machine Authentication

[role.png] Uncheck Enforce Machine Authentication on the Aruba controller, because that will just ignore your VSA.

 

In the Enforcement Policy, check to see if tips role = [User Authenticated] and tips role = [Machine Authenticated], then [Enforcement Profile].  Make sure it says "Match All" to satisfy the rule.  In this example it sends the Employee Access Radius Enforcement Profile, but it could be any Aruba VSA.

 

 

 


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.5 User Guide
InstantOS 8.5 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
ArubaOS Consolidated Release Notes
Aruba Technical Webinars

Aruba

Re: Enforce Machine Authentication

I don't think that is possible in CPPM.  That is the function of the 'enforce machine authentication' option on the controller in the dot1x profile.  If CPPM can do this on its own, I'd be interested in this as well.

 

From your last post, it looks like CPPM is still assigning the role.  Double check your last logon in Access Tracker; look at the Output tab; is a role being assigned there?  You can also verify the enforcement policy being applied for that logon.

------------------------------------------------
Systems Engineer, Northeast USA
AMFX | ACCX | ACDX | ACMX

Trusted Contributor I

Re: Enforce Machine Authentication


@cjoseph wrote:

 

In the Enforcement Policy, check to see if tips role = [User Authenticated] and tips role = [Machine Authenticated], then [Enforcement Profile].  Make sure it says "Match All" to satisfy the rule.  In this example it sends the Employee Access Radius Enforcement Profile, but it could be any Aruba VSA.

 


I'm getting the correct role, now.  Access tracker shows [Machine Authenticated] and [User Authenticated] in the Roles.

 

I wanted to be sure that a user logon (without machine auth) would not result in the authenticated role being assigned.  On my test laptop, I disabled wifi, cleared the IP from the user table, then enabled wifi.  It's getting the authenticated role when it should be denied (no enforcement policy to match only [user authenticated]).  I'm not sure if CPPM is caching the machine state, but access tracker shows [machine authenticated] and [user authenticated].  I should only be passing user authentication, so I'm not sure what's going on.

Guru Elite

Re: Enforce Machine Authentication

CPPM does cache the machine authentication state for a certain amount of time, and it resets the timer every time there is a successful user authentication from that mac address.

 

The time it caches is at Administration > Server Manager > Server Configuration > click on the server > Service Parameters:

 

[machine.png]


Trusted Contributor I

Re: Enforce Machine Authentication

Ahh, well that makes sense.

 

I tested connectivity with some non-windows devices and received the user role (created an enforcement policy/profile as a test) as expected.  Very good!

 

I added an additional condition below to my enforcement profile that matches [machine authenticated] and assigns a machine role so that the computer will have basic network connectivity while at the logon screen and during the logon process.

 

Thanks everyone for the assistance!

Trusted Contributor I

Re: Enforce Machine Authentication

Sorry, one more question...

 

The policy I created requires machine + user auth in order to enforce the authenticated role.  If the computer is on wireless for 24+ hours, will it maintain the authenticated role or will ClearPass deauth the computer because the machine auth caching (24 hours) has expired?  I'd like to know if I need to extend the length of machine caching so users don't have to reboot or hit the logon screen to machine auth every day.

Guru Elite

Re: Enforce Machine Authentication


@thecompnerd wrote:

Sorry, one more question...

 

The policy I created requires machine + user auth in order to enforce the authenticated role.  If the computer is on wireless for 24+ hours, will it maintain the authenticated role or will ClearPass deauth the computer because the machine auth caching (24 hours) has expired?  I'd like to know if I need to extend the length of machine caching so users don't have to reboot or hit the logon screen to machine auth every day.


The machine authenticated timer resets itself every time that device authenticates, whether it is machine or user.  If a user is on for less than 24 hours, it will mark itself as machine authenticated every time the user authenticates successfully to CPPM, and the timer is then reset.  It does not require a machine authentication past the initial machine auth.  If it does not authenticate at all for 24 hours, it needs to machine authenticate all over again.


New Contributor

Re: Enforce Machine Authentication

So the machine auth timer within clearpass is reset as long as the user is logged into the machine and using the wireless network?  Where can you see the list of authenticated machines?

Guru Elite

Re: Enforce Machine Authentication

It is reset to the machine authentication cache every time the device authenticates, whether it be user or machine.  Assuming the user is logged into the machine, presumably the device periodically authenticates and resets the cache timer.

 

There is no way to see the cached devices.

 


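The behaviour discussed across this thread (an enforcement rule that fires only when both [Machine Authenticated] and [User Authenticated] are present, a second rule that gives a machine-only device basic connectivity at the logon screen, and a per-MAC machine-authentication cache whose timer is reset by any successful machine or user authentication) can be modelled in a few lines. The Python below is an added example written for this thread, not ClearPass's own code or an official description of its internals. The role names and the Employee Access Radius Enforcement Profile come from the posts above; the 24-hour cache timeout is the value quoted in the thread and is assumed to be the configured setting; the machine-only profile name and the deny profile name are placeholders, and the MAC addresses are constructed.

```python
from dataclasses import dataclass, field

# Assumed setting: the thread quotes a 24-hour machine-auth cache timeout.
MACHINE_AUTH_CACHE_SECONDS = 24 * 3600
HOUR = 3600

# Role and profile names taken from the thread; the machine-only profile and
# the deny profile are placeholder names for this example.
MACHINE_ROLE = "[Machine Authenticated]"
USER_ROLE = "[User Authenticated]"
EMPLOYEE_PROFILE = "Employee Access Radius Enforcement Profile"
MACHINE_ONLY_PROFILE = "Machine Only Profile (placeholder)"
DENY_PROFILE = "Deny Profile (placeholder)"


@dataclass
class MachineAuthCache:
    """Per-MAC record of 'this device machine-authenticated recently'."""
    ttl: int = MACHINE_AUTH_CACHE_SECONDS
    expiry: dict = field(default_factory=dict)  # mac -> time the entry lapses

    def is_cached(self, mac: str, now: int) -> bool:
        exp = self.expiry.get(mac)
        return exp is not None and now < exp

    def refresh(self, mac: str, now: int) -> None:
        self.expiry[mac] = now + self.ttl


def derive_tips_roles(auth_kind: str, mac: str,
                      cache: MachineAuthCache, now: int) -> frozenset:
    """Roles a request carries, following the thread's description of caching."""
    roles = set()
    if auth_kind == "machine":
        roles.add(MACHINE_ROLE)
        cache.refresh(mac, now)           # machine auth starts (or restarts) the timer
    elif auth_kind == "user":
        roles.add(USER_ROLE)
        if cache.is_cached(mac, now):     # cached machine state is added to the user auth
            roles.add(MACHINE_ROLE)
            cache.refresh(mac, now)       # and a successful user auth resets the timer
    else:
        raise ValueError(f"unknown auth kind {auth_kind!r}")
    return frozenset(roles)


# First-match enforcement policy; each rule is a "Match All" on TIPS roles.
ENFORCEMENT_POLICY = [
    (frozenset({MACHINE_ROLE, USER_ROLE}), EMPLOYEE_PROFILE),
    (frozenset({MACHINE_ROLE}), MACHINE_ONLY_PROFILE),
]


def evaluate_policy(roles: frozenset) -> str:
    for required, profile in ENFORCEMENT_POLICY:
        if required <= roles:             # every required role must be present
            return profile
    return DENY_PROFILE                   # no rule matched, e.g. user auth alone


def authenticate(auth_kind: str, mac: str, cache: MachineAuthCache, now: int) -> str:
    return evaluate_policy(derive_tips_roles(auth_kind, mac, cache, now))


def run_scenario() -> dict:
    """Replay the situations raised in the thread and return the profile sent each time."""
    cache = MachineAuthCache()
    laptop = "aa:bb:cc:00:00:01"          # constructed MAC of a domain-joined laptop
    phone = "aa:bb:cc:00:00:02"           # constructed MAC of a device that never machine-auths
    out = {}
    # At the logon screen the laptop machine-authenticates: machine-only profile.
    out["logon_screen"] = authenticate("machine", laptop, cache, 0)
    # The user logs on a minute later: cached machine state + user auth -> employee profile.
    out["user_logon"] = authenticate("user", laptop, cache, 60)
    # Re-authenticating every 23h keeps resetting the timer, so no new machine auth is needed.
    out["day2"] = authenticate("user", laptop, cache, 60 + 23 * HOUR)
    out["day3"] = authenticate("user", laptop, cache, 60 + 46 * HOUR)
    # The laptop then goes silent for 25h: the cache lapses and a user-only auth is denied.
    out["after_gap"] = authenticate("user", laptop, cache, 60 + 71 * HOUR)
    # A device that only ever user-authenticates never reaches the employee profile.
    out["user_only"] = authenticate("user", phone, cache, 0)
    return out


if __name__ == "__main__":
    for step, profile in run_scenario().items():
        print(f"{step:13s} -> {profile}")
```

Running the scenario shows why the original test in this thread did not behave as expected: the laptop that had machine-authenticated earlier still carried [Machine Authenticated] on a user-only logon because the cache had not lapsed, while a device that never machine-authenticated is denied by the same policy. It also shows the answer to the 24-hour question: as long as the device keeps authenticating within the window, the timer keeps resetting and no further machine authentication is required.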