Security

Community,

I need assistance with setting up enforcing machine authentication. I have the following scenario:

WLAN name CDT-Red is set up as an 802.1x SSID, using RADIUS/PEAP for authentication. I have the Windows NPS RADIUS server set to use AD User groups to authenticate. When a user connects to the WLAN, it prompts for a username/password, if the user is in AD, it grants access and tunnels back a VLAN ID based on their group. 

I would like to add Machine Authentication to this scenario. However, when I check "Enforce Machine Authentication" in the 3200 WLC, I can no longer connect. In the Network Policies of the RADIUS server, i did add the "Domain Computers" group to the Conditions of that policy, but its still not working. Can anyone help me through the steps of getting this going? Thanks.

Please see this:  http://community.arubanetworks.com/t5/Controller-Based-WLANs/How-is-machine-authentication-enforced-on-the-controller/ta-p/180972 

Colin,

Thank you for the quick response. The link was helpful but it doesnt completely answer my question. Im more or less looking for help on what settings specifically should I be setting on both the RADIUS server and the client to make this work? The link did lead to a possible WZC or GPO setting that may need to be made. 

Edit: Now that I think about it, I dont know if its possible to do what it is I want to do using plain old RADIUS aside from putting the actual computers into their respective AD groups. Im trying to accomplish the following:

-When a domain machine boots up, it will perform a machine auth to RADIUS so that the WLC can see that a machine auth has been performed that will satisfy the "enforce machine auth" requirement. RADIUS will be configured to only allow machine known in AD to auth.

-When the user logs in with their credentials, the user auth will take place and RADIUS will then authenticate them using their AD user account and password and depending on what AD group theyre in, they will get a specific VLAN assigned. This is already working by the way, just without the machine auth part. 

The goal is to allow only machines known to the domain to be able to connect to the 802.1x WLAN, but the issue is that the machine auth and the user auth are separate transactions so I cannot combine them into the same policy which prevents me from keeping non domain machines off the network. If the non domain machine doesnt match the first "Machine policy" the RADIUS will just move to the next policy in the list that matches only the user, and as long as the user has a valid username and password, their non domain machine will successfully connect. 

Would ClearPass help with this situation?

You would need clearpass to be able to join the logic between a machine authenticating and a user authenticating on the same machine, AND take action based on the result.  NPS cannot do this.