Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Is this normal Windows behavior?

  • 1.  Is this normal Windows behavior?

    Posted Jun 21, 2018 02:30 PM

    In the course of our 802.1x deployment, we have found that we need to account for the ability for users to authenticate to a system they have never used before, meaning they do not have a local profile.  To do this, we have implemented an unauthenticated VLAN that Windows systems will be a part of, which will be replaced by the roles that are handed back upon successful Active Directory authentication.  But, the issue we are seeing is that the MAC address is constantly being passed to CPPM, sometimes multiple times in a 1 minute period (just looked at one sequence, 35 times in one minute).

     

    Is this an effect of Windows trying to authenticate the system onto the network, or maybe the Aruba 2920 switch configuration missing something that would prevent this from happening?



  • 2.  RE: Is this normal Windows behavior?

    EMPLOYEE
    Posted Jun 21, 2018 02:32 PM

    Are these managed devices?



  • 3.  RE: Is this normal Windows behavior?

    Posted Jun 21, 2018 02:38 PM
     wrote:

    Are these managed devices?


    Managed in what way?  The Windows workstations, or the switches that they are connected to?



  • 4.  RE: Is this normal Windows behavior?

    EMPLOYEE
    Posted Jun 21, 2018 02:40 PM
    The clients. Group Policy, EMM, Profile Manager etc.


  • 5.  RE: Is this normal Windows behavior?

    Posted Jun 21, 2018 02:46 PM

    Ahh, got it.  Yes, they are managed by GPO, as well as the 802.1x configuration being pushed out to the workstations via LANDesk and a known good XML netsh lan export.

     

    Also, for a full picture, the CPPM cluster we have in place is 6.6.8, with Aruba 2920 switches running WB.16.03.



  • 6.  RE: Is this normal Windows behavior?

    EMPLOYEE
    Posted Jun 21, 2018 03:32 PM

    Is the supplicant configured for Computer + User?

     

    Also, I would highly recommend that you use Group Policy to enforce the supplicant config over third party tools.



  • 7.  RE: Is this normal Windows behavior?

    EMPLOYEE
    Posted Jun 21, 2018 04:15 PM

    Hi,

     

    Which Windows version? I have seen Microsoft doing freaky stuff on the IP stack/Ethernet side. 

    Did you have wireless enabled on the Windows machines?



  • 8.  RE: Is this normal Windows behavior?

    Posted Jun 21, 2018 04:37 PM

    Hi Frank,

     

    This is Win10, and there are no wireless NICs installed.  Didn't know about the issues seen in Windows until I started digging into this issue today.  Nice to know.



  • 9.  RE: Is this normal Windows behavior?

    EMPLOYEE
    Posted Jun 21, 2018 04:41 PM

    No, the context is switched during the logon process, however if there is any chance that different users will be logging into the machine at any point in time, you'll need to switch over to PEAPv0/EAP-MSCHAPv2.



  • 10.  RE: Is this normal Windows behavior?

    Posted Jun 21, 2018 04:57 PM

    Excellent news.  Frank, Tim, thanks for the help.  It looks like I'll have to get the ClearPass Solution Guide that is more specific to 6.6.x rather than 6.7.x, but I can't imagine that The Google can't help with that one.



  • 11.  RE: Is this normal Windows behavior?

    EMPLOYEE
    Posted Jun 21, 2018 05:00 PM

    Nothing has changed for this workflow between 6.6 and 6.7. The Solution Guides are not tied to a release version.



  • 12.  RE: Is this normal Windows behavior?

    Posted Jun 21, 2018 05:14 PM

    Even better, then.  Time for some light reading!



  • 13.  RE: Is this normal Windows behavior?

    Posted Jun 21, 2018 04:15 PM

    The configuration is for user only, utilizing the user certificate that is generated for each user.  

     

    Didn't realize that the NIC configuration could be pushed via GPO.  I'll have to look into that one.



  • 14.  RE: Is this normal Windows behavior?

    EMPLOYEE
    Posted Jun 21, 2018 04:29 PM

    Hi Eric,

     

    Be careful with Windows 10 and updates. We have had issues from the last two big updates from Windows that the settings pushed by GPO (EAP-TLS with cert.) were changed. It was defaulted to eap-peap and the settings weren't locked anymore.

     

    Hope this helps



  • 15.  RE: Is this normal Windows behavior?
    Best Answer

    EMPLOYEE
    Posted Jun 21, 2018 04:29 PM

    In order to do what you're trying to do, you'd have to use Computer + User.

     

    Also, please follow the ClearPass Solution Guide for Wired Policy Enforcement for validated switch and ClearPass configurations.



  • 16.  RE: Is this normal Windows behavior?

    Posted Jun 21, 2018 04:35 PM

    Won't the computer cert take precedence over the user cert in the authentication process, though?



  • 17.  RE: Is this normal Windows behavior?

    EMPLOYEE
    Posted Jun 21, 2018 04:39 PM

    Hi Eric,

     

    Nope, if set up correctly in ClearPass you can use the user cert when the user is logged in and use the machine cert if the user is not logged in.

     

    Hope it helps.
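
Added example, not part of the thread: replies 14 and 15 come down to two settings in the wired profile XML that `netsh lan export profile` produces, the 802.1X `authMode` (Computer + User is `machineOrUser`) and the outer EAP method (13 is EAP-TLS, 25 is PEAP). The sketch below audits an exported profile for drift in either; the function name `audit_lan_profile` is hypothetical, and the sample XML is constructed and trimmed to the elements being checked.

```python
import xml.etree.ElementTree as ET

# XML namespaces used in Windows wired (LAN) 802.1X profile exports.
NS = {
    "lan": "http://www.microsoft.com/networking/LAN/profile/v1",
    "onex": "http://www.microsoft.com/networking/OneX/v1",
    "eaphost": "http://www.microsoft.com/provisioning/EapHostConfig",
    "eapc": "http://www.microsoft.com/provisioning/EapCommon",
}
EAP_NAMES = {"13": "EAP-TLS", "25": "PEAP"}  # IANA EAP method type numbers

# Constructed sample: a real export carries more elements (server
# validation, certificate selection); only the audited ones are kept here.
TEMPLATE = """<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1">
 <MSM><security>
  <OneXEnabled>true</OneXEnabled>
  <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
   <authMode>{mode}</authMode>
   <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
    <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">{eap}</Type></EapMethod>
   </EapHostConfig></EAPConfig>
  </OneX>
 </security></MSM>
</LANProfile>"""
GOOD = TEMPLATE.format(mode="machineOrUser", eap="13")  # intended baseline
DRIFTED = TEMPLATE.format(mode="user", eap="25")        # user-only, reset to PEAP


def audit_lan_profile(xml_text, want_mode="machineOrUser", want_eap="13"):
    """Return a list of findings; an empty list means the profile matches."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.findtext(".//lan:OneXEnabled", "false", NS).strip() != "true":
        findings.append("802.1X is not enabled in this profile")
    mode = root.findtext(".//onex:authMode", "(absent)", NS).strip()
    if mode != want_mode:
        findings.append(f"authMode is {mode}, expected {want_mode}")
    # Only the outer method under EapMethod is checked, not inner methods.
    eap = root.findtext(".//eaphost:EapMethod/eapc:Type", "(absent)", NS).strip()
    if eap != want_eap:
        findings.append(f"outer EAP method is {EAP_NAMES.get(eap, eap)}, "
                        f"expected {EAP_NAMES.get(want_eap, want_eap)}")
    return findings


if __name__ == "__main__":
    for name, profile in (("baseline", GOOD), ("drifted", DRIFTED)):
        print(name, audit_lan_profile(profile) or "OK")
```

Running the same check against exports collected after each Windows feature update shows whether the pushed settings survived.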