Security

Occasional Contributor II

Re: Machine Authentication

If you are asking if the termination check box is checked, then yes, and I can authenticate my user account, but the computer account is being denied by NPS. I have found numerous Google kung fu on this and tried everything for hours.

 

Again, user = ok; computer account making it to NPS server, but being denied. I have added doma\domain computers to the policy...

Moderator

Re: Machine Authentication

You cannot use Machine Authentication with EAP termination. You need to terminate EAP sessions on your RADIUS server.



If this response is more than 1 year old, it may no longer be accurate. Please consult official Aruba documentation, TAC or your Aruba SE.

| Aruba Alumni | @timcappalli | timcappalli.me |

Occasional Contributor II

Re: Machine Authentication

Tim, so now I'm a bit confused with the last statement. With the termination box checked, does that forward the incoming authentication to the NPS box? Also, if I can't do this, then how do I have USER auth and MACHINE auth in different profiles??

 

I thought that the machine account would get forwarded from the controller, just as the user, to the NPS box. However, the controller will "cache" the machine account for auth purposes and then cache it out..

 

Moderator

Re: Machine Authentication

If you want to use machine authentication, you'll need to disable termination on the controller.

 

Do you have an Aruba partner? There are some things you need to consider when switching to RADIUS server termination. 




| Aruba Alumni | @timcappalli | timcappalli.me |

Occasional Contributor II

Re: Machine Authentication

I got it - unchecked the termination box and then fixed NPS for auth method.  Thanks for your help!

 

 

Frequent Contributor I

Re: Machine Authentication

Hi Cappalli,

If we use EAP-TLS with RADIUS authentication returning VLAN, may we disable the "machine-authentication"?

The Aruba partner did this configuration since the initial installation but I think we don't need this.

Thank you.

zemarcio

MVP Guru

Re: Machine Authentication

You can configure 802.1x for both user and machine authentication. This heightens the authentication process further, since both the device and user need to be authenticated. Do you require machine authentication in your environment? Essentially a particular role can be assigned based on whether the machine passes authentication. However, if there is a server-derived role, the server-derived role takes precedence.


ACMP, ACSA, ACDX #985
If my post addresses your query, give kudos:)
Moderator

Re: Machine Authentication

Yes, you can use EAP-TLS.


Thanks,
Tim



| Aruba Alumni | @timcappalli | timcappalli.me |
