Occasional Contributor II

Re: Machine Authentication

If you are asking if the termination check box is checked, then yes, and I can authenticate my user account, but the computer account is being denied by NPS. I have found numerous google kungfoo on this and tried everything for hours.

Again, user = ok ; computer account making it to NPS server, but being denied. I have added doma\domain computers to the policy...

Guru Elite

Re: Machine Authentication

You cannot use Machine Authentication with EAP termination. You need to terminate EAP sessions on your RADIUS server.


| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Occasional Contributor II

Re: Machine Authentication

Tim, so now a bit confused with the last statement. With the termination box checked, does that forward the incoming authentication to the NPS box? Also, if I can't do this, then how do I have USER auth and MACHINE auth in different profiles??

I thought that the machine account would get forwarded from the controller, just as the user, to the NPS box. However, the controller will "cache" the machine account for auth purposes and then cache it out..

Guru Elite

Re: Machine Authentication

If you want to use machine authentication, you'll need to disable termination on the controller.

Do you have an Aruba partner? There are some things you need to consider when switching to RADIUS server termination.


| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

Occasional Contributor II

Re: Machine Authentication

I got it - unchecked the termination box and then fixed NPS for auth method. Thanks for your help!

Frequent Contributor I

Re: Machine Authentication

Hi Cappalli,

If we use EAP-TLS with Radius authentication returning VLAN, may we disable the "machine-authentication"?

The Aruba partner did this configuration since the initial installation but I think we don't need this.

Thank you.

zemarcio

MVP Guru

Re: Machine Authentication

You can configure 802.1x for both user and machine authentication. This heightens the authentication process further, since both the device and user need to be authenticated. Do you require machine authentication in your environment? Essentially a particular role can be assigned based on whether the machine passes authentication. However, if there is a server-derived role, the server-derived role takes precedence.


ACMP, ACSA, ACDX #985
If my post addresses your query, give kudos:)
Guru Elite

Re: Machine Authentication

Yes, you can use EAP-TLS.


Thanks,
Tim

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |
