Guru Elite

Re: How-to: Machine AND User Authentication in Windows with Clearpass october-mhc

No, there are no performance implications.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Guru Elite

Re: How-to: Machine AND User Authentication in Windows with Clearpass october-mhc


@go_buckeyes wrote:

Hi Tim,

I see the max value for the machine authentication timeout is 1000 hours (~41 days). We're currently manually setting endpoint attributes that are valid for 1 week but we'd like to extend that time. Is it very detrimental to Clearpass performance to increase the machine authentication timeout to something like 720 hours (30 days)? This would simplify administration if we could remove the workarounds we are doing to trust devices for longer than 24 hours. Thanks in advance!


Quite frankly, the machine authentication cache on ClearPass is reset every time a user or machine authentication occurs. If a device machine authenticates successfully, any time within the cache timeout that a user authenticates successfully resets the cache. This means that after the initial authentication, any successful authentication for that MAC address will reset the cache, not just a machine authentication. You should not have the need to have a super-long cache, in that circumstance.

 

I was just told that this statement is not true...

This statement is true.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.4 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
Sign up for Security Alerts
Aruba Technical Webinars
Occasional Contributor I

Re: How-to: Machine AND User Authentication in Windows with Clearpass october-mhc

Thanks Tim and Colin. Our main issue now is users that are docked/wired 95% of the time and only undock to go to a meeting (might happen say every 2 weeks). These people may never come into work and be at the logon screen when they're not on the wire. Our thinking and fear was that eventually they would undock to run to an important meeting but no longer be machine authenticated, therefore unable to authenticate successfully - causing frustration. The workaround we implemented (manually setting attributes and expiry times) works but feels kludgy. If we can set machine authentication to 30 days AND that machine authentication gets updated every time the user authenticates (assuming they're in the 30-day period), that sounds amazing.

 

I know how to clear the machine authentication cache via the GUI, however is there a way to view the cache for verification? Thanks again guys you have been very helpful (in this post and many others)!
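The sliding-timeout behaviour described in the replies above can be checked against the two usage patterns discussed in this thread with a small model. This is an added example, not part of any post and not ClearPass code; the class, function names, MAC address and timelines are constructed, and it assumes the cache is keyed by MAC address and refreshed exactly as the reply states.

```python
from dataclasses import dataclass, field

HOUR = 3600

@dataclass
class MachineAuthCache:
    """Toy model (assumption): per-MAC machine auth cache with a sliding timeout."""
    timeout_hours: int
    _last_seen: dict = field(default_factory=dict)  # MAC -> time of last refresh (s)

    def _valid(self, mac, now):
        seen = self._last_seen.get(mac)
        return seen is not None and now - seen <= self.timeout_hours * HOUR

    def machine_auth(self, mac, now):
        """Successful machine authentication always (re)creates the entry."""
        self._last_seen[mac] = now
        return "machine"

    def user_auth(self, mac, now):
        """Successful user authentication refreshes the entry only while it is valid."""
        if self._valid(mac, now):
            self._last_seen[mac] = now
            return "machine+user"
        return "user-only"  # cache expired: the device is no longer known as machine authenticated


def replay(timeout_hours, events):
    """Replay (hour, kind) events seen for one MAC address; return each outcome."""
    mac = "02:00:00:00:00:01"  # constructed, locally administered address
    cache = MachineAuthCache(timeout_hours)
    outcomes = []
    for hour, kind in events:
        handler = cache.machine_auth if kind == "machine" else cache.user_auth
        outcomes.append(handler(mac, hour * HOUR))
    return outcomes

# Constructed timelines, in hours since the first wireless machine authentication.
DAILY_USER = [(0, "machine"), (8, "user"), (30, "user"), (52, "user")]
DOCKED_USER = [(0, "machine"), (1, "user"), (336, "user")]  # back on wireless after 2 weeks

if __name__ == "__main__":
    for timeout in (24, 720):
        print(timeout, "daily ", replay(timeout, DAILY_USER))
        print(timeout, "docked", replay(timeout, DOCKED_USER))
```

In this model a 24-hour timeout is enough for the daily wireless user, because each user authentication slides the window, while the two-week gap only stays inside the window with the 720-hour setting.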

Guru Elite

Re: How-to: Machine AND User Authentication in Windows with Clearpass october-mhc

For those users, their Windows supplicant should be configured for Machine Authentication only.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
Guru Elite

Re: How-to: Machine AND User Authentication in Windows with Clearpass october-mhc

To be clear, this should be tested in the lab.  The only authentication that will be seen is the user's wireless machine authentication, so that should be allowed full access to the network.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
Occasional Contributor I

Re: How-to: Machine AND User Authentication in Windows with Clearpass october-mhc

Thanks again, I have tested machine only authentication on a device that doesn't get the normal group policy and it authenticates and is allowed access as anticipated. However, I don't have buy-in to have separate wireless policies for different groups of domain devices. Unfortunately, the problems we face are not always technical in nature.

Occasional Contributor I

Re: How-to: Machine AND User Authentication in Windows with Clearpass october-mhc

In the configuration, the Windows wireless "Security type:" is set to "WPA2-Enterprise". Why is it not set to "802.1x"?

Contributor I

Re: How-to: Machine AND User Authentication in Windows with Clearpass october-mhc

Hi,

I tried this configuration for machine and user authentication for wireless 802.1x authentication with ClearPass. It looks like I made a mistake somewhere in the configuration. Can you please look at the attached configuration and suggest how to achieve both machine and user authentication? Is it required to enable enforce machine authentication on the Aruba Controller? Please suggest.

Note: We deployed a group policy to manually connect the wireless network instead of auto-connect to the wireless network.

 

Thanks,

Yugandhar.

New Contributor

Re: How-to: Machine AND User Authentication in Windows with Clearpass october-mhc

This is the best guide on configuring ClearPass on the entire Aruba website. Straightforward and well explained. Great job!
