Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Is there a way to block non-domain PCs from connecting to our 802.1X PEAP corporate WLAN?

  • 1.  Is there a way to block non-domain PCs from connecting to our 802.1X PEAP corporate WLAN?

    Posted Nov 20, 2019 12:19 PM

    Hi,

    I have an Instant AP 205 as NAD and ClearPass as RADIUS server. I have created a WLAN with 802.1X PEAP authentication. When I connect my domain PC it connects and everything works fine.

    The problem is that when I connect a non-domain laptop or a mobile phone to the same PEAP WLAN, they are also able to connect. I want only domain laptops to connect to the WLAN.

    Is there a way we can enforce that only machine-authenticated devices can go on to user authentication and connect to the WLAN?

    When I connect my mobile, what happens is that it connects through user authentication, so if I log in with a domain username and password it connects.

    Is there a way to restrict only the domain PCs to connect to the network on the 802.1X PEAP-enabled WLAN using ClearPass and IAP?

    I have already enabled "enforce machine authentication" on the IAP but it didn't work.

    I am attaching relevant screenshots below. I am primarily from a Cisco background, and in Cisco ISE policy sets we could specify that only machine-authenticated devices can go to the next step. Is there something similar in ClearPass?

    Kindly help me to identify where I made the mistake.

    Thank you.



  • 2.  RE: Is there a way to block non-domain PCs from connecting to our 802.1X PEAP corporate WLAN?
    Best Answer



  • 3.  RE: Is there a way to block non-domain PCs from connecting to our 802.1X PEAP corporate WLAN?

    Posted Nov 21, 2019 04:31 AM

    What does Access Tracker show for a user that's not supposed to be allowed but is?



  • 4.  RE: Is there a way to block non-domain PCs from connecting to our 802.1X PEAP corporate WLAN?

    Posted Nov 21, 2019 08:13 AM

    Hi Victor,

    Thank you so much for your support; it worked.

    I have a few questions just to clear things up, since I'm new to ClearPass:

    1) In step 4 we are creating a role 'Top-Domain-Device' to tie to the Endpoint Attribute. What is the use of it?

    2) Under step 5a, on line 12 the role is given as 'ToP-Machine-Auth'. Is this a separate role? What is the purpose of it?

    Sorry if those are stupid questions. I didn't get the logic of the above 2.

    Cheers,

    Janish



  • 5.  RE: Is there a way to block non-domain PCs from connecting to our 802.1X PEAP corporate WLAN?

    Posted Nov 21, 2019 08:42 AM
    This is used primarily because the [Machine Authenticated] TIPS role is cached (the default cache timeout is 24 hours; you can increase it up to 1000 hours). In the event that the user logs in without performing a machine authentication and the machine-authenticated cache has expired, the logic won't work; the attribute helps you with that scenario.
    Sent from Mail for Windows 10


  • 6.  RE: Is there a way to block non-domain PCs from connecting to our 802.1X PEAP corporate WLAN?

    Posted Nov 21, 2019 08:56 AM
    But you could argue it can be a security risk if the machine is no longer in the domain.

    Sent from Mail for Windows 10
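The two replies above describe the interaction between the cached [Machine Authenticated] role and a persistent endpoint attribute. The following model, an added illustration and not ClearPass code, walks through the scenarios on a constructed timeline: a non-domain device using domain user credentials, a domain PC whose user logs in inside and outside the machine-auth cache window, and the stale-tag case raised in reply 6. The class, method and attribute names (PolicyServer, Domain-Device) are assumptions chosen for the example; the 24-hour default cache timeout is the figure stated in the thread.

```python
"""Model of the machine-auth-then-user-auth decision discussed in this thread.

Added example, not ClearPass code: ClearPass keeps the [Machine Authenticated]
TIPS role and endpoint attributes internally. The class, attribute and role
names below are assumptions chosen for illustration only.
"""
from dataclasses import dataclass, field

DEFAULT_CACHE_SECONDS = 24 * 3600       # default machine-auth cache (24 h), per the thread
ENDPOINT_ATTR = "Domain-Device"         # assumed name of the persistent endpoint attribute
ROLE_MACHINE = "[Machine Authenticated]"


@dataclass
class PolicyServer:
    cache_seconds: int = DEFAULT_CACHE_SECONDS
    machine_auth_cache: dict = field(default_factory=dict)  # mac -> time of last machine auth
    endpoint_attrs: dict = field(default_factory=dict)      # mac -> {attr: value}; never expires

    def machine_auth(self, mac: str, now: int, tag_endpoint: bool) -> None:
        """Computer account authenticated over PEAP: cache the role and,
        if the service is built that way, tag the endpoint persistently."""
        self.machine_auth_cache[mac] = now
        if tag_endpoint:
            self.endpoint_attrs.setdefault(mac, {})[ENDPOINT_ATTR] = "true"

    def user_auth(self, mac: str, now: int, use_endpoint_attr: bool) -> tuple:
        """User credentials authenticated over PEAP. Return (decision, reason)."""
        last = self.machine_auth_cache.get(mac)
        cache_valid = last is not None and (now - last) < self.cache_seconds
        tagged = self.endpoint_attrs.get(mac, {}).get(ENDPOINT_ATTR) == "true"
        if cache_valid:
            return "ALLOW", f"{ROLE_MACHINE} role still cached"
        if use_endpoint_attr and tagged:
            return "ALLOW", f"endpoint attribute {ENDPOINT_ATTR}=true"
        return "DENY", "no machine-authentication evidence for this endpoint"


def run_scenarios() -> dict:
    """Constructed timeline (seconds); returns scenario name -> decision."""
    results = {}

    # 1. Non-domain phone: valid domain user credentials, but no machine auth ever.
    srv = PolicyServer()
    results["non_domain_phone"] = srv.user_auth("phone", now=0, use_endpoint_attr=False)[0]

    # 2. Domain PC: machine auth at boot, user logs in one hour later.
    srv = PolicyServer()
    srv.machine_auth("pc", now=0, tag_endpoint=False)
    results["domain_pc_within_cache"] = srv.user_auth("pc", now=3600, use_endpoint_attr=False)[0]

    # 3. Same PC, user logs in 25 h later without a fresh machine auth (reply 5's failure case).
    results["domain_pc_after_expiry_no_attr"] = srv.user_auth(
        "pc", now=25 * 3600, use_endpoint_attr=False)[0]

    # 4. PC tagged with the endpoint attribute during machine auth: cache expiry is bridged.
    srv = PolicyServer()
    srv.machine_auth("pc", now=0, tag_endpoint=True)
    results["domain_pc_after_expiry_with_attr"] = srv.user_auth(
        "pc", now=25 * 3600, use_endpoint_attr=True)[0]

    # 5. Reply 6's caveat: the tag persists even if the machine later leaves the domain.
    results["left_domain_still_tagged"] = srv.user_auth(
        "pc", now=30 * 24 * 3600, use_endpoint_attr=True)[0]

    return results


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name:36s} {decision}")
```

Scenario 5 is the trade-off the thread is weighing: the endpoint attribute makes the policy robust to cache expiry, but because it never expires on its own, a device that has been removed from the domain keeps its tag until an administrator clears it.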


  • 7.  RE: Is there a way to block non-domain PCs from connecting to our 802.1X PEAP corporate WLAN?

    Posted Nov 21, 2019 09:19 AM

    Thanks for your quick feedback.

    Just to clear things up: how exactly does it help in that scenario when a user tries to log in to a PC whose machine-authentication cache has expired?

    Also, I'm attaching the 802.1X service which I created without any kind of role mapping. Without the role mapping my objective is still met, which is that non-domain devices cannot join the network.

    What is the drawback of creating the service without role mapping as I have done?

    Can you please look at the service I created and let me know if there is any problem, because I need to make sure everything is okay before going into production.