Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

LAN to WLAN user+machine auth without user logoff+logon

  • 1.  LAN to WLAN user+machine auth without user logoff+logon

    Posted Apr 01, 2015 07:09 AM

    Dear Community,


    I'd like your help with a question.

    Scenario:

    ClearPass(CPPM only)+S1500+IAP205

    When the user is on the LAN, user+machine auth works. The problem is that when the user pulls out the cable and connects to the Wi-Fi, no machine auth is made unless the user logs off and on again.

    In the BIOS it is defined not to allow both LAN and WLAN at the same time.


    Target:

    User+machine auth when changing from LAN to WLAN, WITHOUT user interaction.


    Is this possible?


    Thank you all.



  • 2.  RE: LAN to WLAN user+machine auth without user logoff+logon

    EMPLOYEE
    Posted Apr 01, 2015 07:26 AM

    WLAN and wired have different MAC addresses, which is why you have the problem.  There is no way to tie both together, so the machine authentication of each medium would have to be done individually, which is cumbersome.  If you configured machine-only authentication for those devices, you would sidestep that issue, because the devices would do machine authentication every time.  The user would still need valid credentials to get into the machine, but the user would not be authenticating to the wireless; an authorized machine would be...



  • 3.  RE: LAN to WLAN user+machine auth without user logoff+logon

    Posted Apr 01, 2015 07:34 AM

    Hi,


    Is this the same if we use EAP-TLS, i.e. certificates?


    Thank you.



  • 4.  RE: LAN to WLAN user+machine auth without user logoff+logon

    EMPLOYEE
    Posted Apr 01, 2015 07:37 AM

    balazsracz@biztributor wrote:

    Hi,


    Is this the same if we use EAP-TLS, i.e. certificates?


    Thank you.


    You can use machine-only (Computer Only) authentication with either PEAP (username and password) or EAP-TLS (certificates).  In the PEAP scenario, the machine uses its hostname as a username and its SID (security identifier) as a password.  On Windows you can configure machine-only authentication under Advanced Settings and IEEE or using group policy.  You would then have the option to use PEAP or EAP-TLS (Certificate or SmartCard).
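One way to apply the machine-only setting described above on a Windows client, as an added PowerShell example that is not from this thread or from HPE Aruba: it exports the existing 802.1X WLAN profile, sets the OneX authMode to machine (the default is machineOrUser), and re-imports it. The profile name CorpWiFi and the temp folder are assumptions; the same edited XML can be pushed by group policy instead of run per client.

```powershell
# Added example: switch an existing WLAN profile to machine-only 802.1X auth.
# Assumed: profile name "CorpWiFi" (placeholder), run in an elevated PowerShell.
$ProfileName = 'CorpWiFi'
$WorkDir = Join-Path $env:TEMP 'wlan-profile-edit'
New-Item -ItemType Directory -Force -Path $WorkDir | Out-Null

# Export the current profile XML (no key=clear needed for an 802.1X profile).
netsh wlan export profile name="$ProfileName" folder="$WorkDir" | Out-Null
$File = Get-ChildItem -Path $WorkDir -Filter '*.xml' | Select-Object -First 1
if (-not $File) { throw "Profile '$ProfileName' not found or export failed" }

[xml]$Xml = Get-Content -Path $File.FullName -Raw
$Ns = [System.Xml.XmlNamespaceManager]::new($Xml.NameTable)
$Ns.AddNamespace('w', 'http://www.microsoft.com/networking/WLAN/profile/v1')
$Ns.AddNamespace('o', 'http://www.microsoft.com/networking/OneX/v1')

$OneX = $Xml.SelectSingleNode('//o:OneX', $Ns)
if (-not $OneX) { throw "Profile '$ProfileName' has no OneX (802.1X) section" }

# authMode values: machineOrUser (default), machine, user, guest.
$AuthMode = $OneX.SelectSingleNode('o:authMode', $Ns)
if (-not $AuthMode) {
    # The OneX schema orders authMode before singleSignOn and EAPConfig.
    $AuthMode = $Xml.CreateElement('authMode', 'http://www.microsoft.com/networking/OneX/v1')
    $Anchor = $OneX.SelectSingleNode('o:singleSignOn', $Ns)
    if (-not $Anchor) { $Anchor = $OneX.SelectSingleNode('o:EAPConfig', $Ns) }
    [void]$OneX.InsertBefore($AuthMode, $Anchor)
}
$AuthMode.InnerText = 'machine'
$Xml.Save($File.FullName)

# Re-import for all users, then read the saved value back as a check.
netsh wlan add profile filename="$($File.FullName)" user=all
"authMode for '$ProfileName' is now: $($OneX.SelectSingleNode('o:authMode', $Ns).InnerText)"
```

With authMode set to machine, the supplicant authenticates with the computer account (hostname plus SID for PEAP, or the machine certificate for EAP-TLS) on every association, so no user logoff/logon is needed when moving from LAN to WLAN; the user-specific ClearPass role will not be applied on wireless, which is the trade-off the reply above points out.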



  • 5.  RE: LAN to WLAN user+machine auth without user logoff+logon

    EMPLOYEE
    Posted Apr 01, 2015 10:55 AM

    Your only other option (although not as secure) is to import all of the MAC addresses of your devices and flag them with a custom attribute that can be used during a policy decision.



  • 6.  RE: LAN to WLAN user+machine auth without user logoff+logon

    Posted Apr 01, 2015 07:33 AM

    EDIT: already answered