Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Is it possible to configure different auth methods for different type of device with same ssid?

  • 1.  Is it possible to configure different auth methods for different type of device with same ssid?

    Posted Sep 12, 2018 04:15 AM

    Hi, we plan to configure one SSID with 802.1X auth on the controller, and ClearPass is the RADIUS server with AD for different types of devices to log in. Please advise whether the configuration below can be achieved or not.

    1 SSID + 802.1x auth ---> clearpass --> Active directory ( user, computer, computer certificate). 

    a. user group 1 : use AD user account + computer id for auth

    b. user group 2: use AD user account + computer certificate ( maybe this one is not possible)

    c. user group 3: use AD computer certificate

     

    Can we create 3 services on ClearPass to authenticate the above 3 user/device groups? Please advise, thanks in advance.

     



  • 2.  RE: Is it possible to configure different auth methods for different type of device with same ssid?

    EMPLOYEE
    Posted Sep 12, 2018 07:32 AM

    You are limited by:

     

    -  What you can configure on each client

    - Each client can only submit a single authentication method at the same time.

     

    Mobile devices cannot do machine authentication, so you might not be able to tell if you are to expect machine authentication later.

    On most Windows machines you cannot configure a user and machine authentication for the same SSID, so that would be invalid.

     

    Either way, you need to understand what authentication methods your clients support AND that those methods are only provided one at a time, and you might not understand what authentication method occurred first.

     



  • 3.  RE: Is it possible to configure different auth methods for different type of device with same ssid?

    Posted Sep 12, 2018 08:34 AM

    Thanks for your kind reply. But based on the link below, it is possible to do user and machine authentication on the same SSID.

    http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Best-practices-and-points-to-remember-while-deploying-user-and/ta-p/260781

    Please advise. Thanks. 



  • 4.  RE: Is it possible to configure different auth methods for different type of device with same ssid?

    EMPLOYEE
    Posted Sep 12, 2018 08:52 AM

    Yes, it is.



  • 5.  RE: Is it possible to configure different auth methods for different type of device with same ssid?

    Posted Sep 12, 2018 09:04 AM

    Thanks. So I need to create 3 services for the groups below:

    user group1(laptop) :  AD user+machine 

    user group2(tablet):  AD user

    user group3 ( some machine) : AD certificate service

     

    Is it correct? And use OS type or device type to distinguish the user authentication request. Please advise. Thanks.



  • 6.  RE: Is it possible to configure different auth methods for different type of device with same ssid?

    EMPLOYEE
    Posted Sep 12, 2018 09:11 AM

    When a device first connects, the OS is not available, so that cannot be relied upon to authenticate clients that use a layer 2 method like 802.1X. The OS still won't be available until the client gets an IP address, which happens AFTER successful 802.1X authentication. I would not bother with making OS a factor in authentication.

     

    I personally think you are making things too complicated.
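
An added sketch (not part of the original posts and not ClearPass code) of the point made in replies 2 and 6: each request carries a single method and no OS information, so the three groups can only be told apart by the EAP method, the identity format, and what the same MAC did earlier. The field names, the `host/` identity prefix for computer accounts and the 24-hour window are assumptions of this example.

```python
# Added illustration: not ClearPass code. Field names and the 24-hour window are assumptions.
MACHINE_CACHE_TTL = 24 * 3600  # seconds a machine auth stays "remembered" (assumed)


class AuthClassifier:
    """Sorts 802.1X requests using only data present before the client has an IP."""

    def __init__(self, ttl=MACHINE_CACHE_TTL):
        self.ttl = ttl
        self.machine_seen = {}  # client MAC -> time of last successful machine auth

    def classify(self, req, now):
        mac = req["calling_station_id"].lower().replace("-", ":")
        # Assumption: computer accounts present an identity starting with "host/".
        is_machine = req["identity"].lower().startswith("host/")
        if is_machine:
            # One request carries one method; remember it for the later user logon.
            self.machine_seen[mac] = now
            if req["eap_method"] == "EAP-TLS":
                return "group3-computer-certificate"
            return "group1-machine-step"
        last = self.machine_seen.get(mac)
        if last is not None and now - last <= self.ttl:
            return "group1-user-plus-machine"
        return "group2-user-only"


def demo():
    # Constructed requests; note there is no OS or device-type field to key on.
    laptop, tablet = "AA-BB-CC-00-00-01", "aa:bb:cc:00:00:02"
    c = AuthClassifier()
    return [
        c.classify({"calling_station_id": laptop, "identity": "host/lt01.example.test",
                    "eap_method": "PEAP"}, now=0),
        c.classify({"calling_station_id": laptop.lower().replace("-", ":"),
                    "identity": "alice", "eap_method": "PEAP"}, now=600),
        c.classify({"calling_station_id": tablet, "identity": "bob",
                    "eap_method": "PEAP"}, now=600),
        c.classify({"calling_station_id": "aa:bb:cc:00:00:03",
                    "identity": "host/kiosk7.example.test", "eap_method": "EAP-TLS"}, now=600),
        c.classify({"calling_station_id": laptop, "identity": "alice",
                    "eap_method": "PEAP"}, now=MACHINE_CACHE_TTL + 1),
    ]


if __name__ == "__main__":
    print(demo())
```

The last request shows the caveat from reply 2: once the earlier machine authentication is no longer remembered, the laptop's user logon looks the same as the tablet's.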

     

     



  • 7.  RE: Is it possible to configure different auth methods for different type of device with same ssid?
    Best Answer

    Posted Sep 12, 2018 09:24 AM

    Thanks a lot for your kind advice.  Have a good day!



  • 8.  RE: Is it possible to configure different auth methods for different type of device with same ssid?

    EMPLOYEE
    Posted Sep 12, 2018 03:59 PM

    You should really work with a partner.