Occasional Contributor II

Machine Authentication with VLAN CoA

I have a customer that is looking to reverse the machine/user authentication process.


1.) machine authentication occurs at reboot/login and CoA is pushed from ClearPass for a particular VLAN


2.) user authentication then occurs but only as a validation that the user is part of AD, no additional enforcement is expected


This seems like a simple configuration but I cannot seem to figure it out. Is there a way to configure a machine authentication policy with VLAN enforcement without adding the user authentication?

Thank you for your time and assistance.

Joseph Slawinski :: Mobility Architect
CCNP, ACMP, ACCP, CWNA
Guru Elite

Re: Machine Authentication with VLAN CoA

Is the machine authentication VLAN going to be the same as the user authentication VLAN?  If yes, why even bother with CoA?


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.3 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Occasional Contributor II

Re: Machine Authentication with VLAN CoA

The customer wants the VLAN to follow the machine around only.  The user authentication would only be a validation but would not perform a CoA.  A user does not belong to a specific department so they should be able to authenticate to the machine regardless of which network it belongs to.  Does that make sense?

Guru Elite

Re: Machine Authentication with VLAN CoA

Is this wired or wireless connectivity?


Changing VLANs between user and machine authentication many times breaks domain connectivity and can interrupt normal function like login scripts from running.  It should not be done in most circumstances.


Occasional Contributor II

Re: Machine Authentication with VLAN CoA

This is wired connectivity.  They are special machines that they want to have plugged in and immediately be part of a specific VLAN without any user interaction.  I was hoping there was some operation with machine authentication only that would support this.  I am not looking to have the user authentication change the VLAN again, only to log the user in.  The machine would remain in the original VLAN that was set when the machine OU was read from ClearPass.

Guru Elite

Re: Machine Authentication with VLAN CoA

So you should have the machine configured for machine authentication only.


Occasional Contributor II

Re: Machine Authentication with VLAN CoA

So with machine authentication only on the client, that will trigger ClearPass to perform a VLAN change for the device once plugged in (without a user authentication)?

Guru Elite

Re: Machine Authentication with VLAN CoA

You of course have to write an enforcement policy that determines if it is an incoming machine authentication and then send back an enforcement profile with a RADIUS attribute that sends the VLAN back to the switch.  You have the option of looking to see if the device authenticating is in a certain device AD group and then sending back an enforcement profile with the RADIUS attribute that your switch uses to determine the VLAN.

An example of how you would do this with a Cisco switch is here:  http://community.arubanetworks.com/t5/Community-Tribal-Knowledge-Base/TechNote-v1-2-Cisco-Switch-Setup-with-ClearPass-Policy-Manager/ta-p/70722


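An added illustrative model of the policy logic described in the reply above: a machine authentication (the Windows supplicant presents the computer account as host/<fqdn>) is matched against a device AD group and answered with the VLAN through the standard RFC 2868 / RFC 3580 tunnel attributes, while a user authentication is only validated against AD and returns a bare Accept so the port keeps the VLAN it received at machine authentication. This is example Python written for this page, not ClearPass code or configuration; the computer names, AD groups, user names and VLAN IDs are constructed assumptions.

```python
from typing import Dict, Optional, Set

# RFC 2868 tunnel attribute types, and the values RFC 3580 uses for 802.1X VLAN assignment
ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM, ATTR_TUNNEL_PRIV_GROUP = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6
TAG = 1  # tag octet (1..0x1F) that ties the three attributes to one tunnel

# Constructed sample directory (assumed names): computer accounts with their AD
# groups, and user accounts that only need to exist in AD.
AD_COMPUTERS: Dict[str, Set[str]] = {
    "lab-pc01.corp.example": {"Lab-Machines", "Domain Computers"},
    "hr-pc07.corp.example": {"HR-Machines", "Domain Computers"},
}
AD_USERS = {"jdoe", "asmith"}
# Assumed policy table: machine AD group -> VLAN ID handed to the switch
GROUP_TO_VLAN = {"Lab-Machines": 110, "HR-Machines": 120}

def machine_name(username: str) -> Optional[str]:
    """Windows computer authentication presents the account as host/<fqdn>; users do not."""
    return username[5:].lower() if username.lower().startswith("host/") else None

def enforce(username: str) -> Optional[Dict[str, object]]:
    """Return reply attributes for Access-Accept, or None for Access-Reject."""
    host = machine_name(username)
    if host is not None:                      # machine authentication
        groups = AD_COMPUTERS.get(host)
        if groups is None:
            return None                       # unknown computer account: reject
        for group, vlan in GROUP_TO_VLAN.items():
            if group in groups:
                return {"Tunnel-Type": TUNNEL_TYPE_VLAN,
                        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE_802,
                        "Tunnel-Private-Group-ID": str(vlan)}
        return {}                             # known machine, no mapping: port keeps its VLAN
    # User authentication: validate AD membership only. No tunnel attributes are
    # returned, so the switch leaves the port in the VLAN set at machine auth.
    return {} if username.lower() in AD_USERS else None

def encode_reply(attrs: Dict[str, object]) -> bytes:
    """Encode the VLAN attributes as RADIUS AVPs: type, length, tag, value (RFC 2868)."""
    if "Tunnel-Type" not in attrs:
        return b""
    vid = str(attrs["Tunnel-Private-Group-ID"]).encode()
    return (bytes([ATTR_TUNNEL_TYPE, 6, TAG]) + int(attrs["Tunnel-Type"]).to_bytes(3, "big")
            + bytes([ATTR_TUNNEL_MEDIUM, 6, TAG]) + int(attrs["Tunnel-Medium-Type"]).to_bytes(3, "big")
            + bytes([ATTR_TUNNEL_PRIV_GROUP, 3 + len(vid), TAG]) + vid)
```

Because user and machine authentications hit the same service, the decision hinges entirely on the host/ prefix check; a reply without tunnel attributes is what keeps the user login from moving the port.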
Occasional Contributor II

Re: Machine Authentication with VLAN CoA

Thank you for your replies.  As you suggested, the only way to get this working the way the customer wanted was to perform "computer authentication" only from the Windows supplicant.  Since user and machine authentication appear as two separate entries that hit the same service policy, we had to find a way to just ignore the user auth.  Of course this limits the visibility in ClearPass but the customer was not concerned with this.
