Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Machine Authentication

  • 1.  Machine Authentication

    Posted Mar 12, 2013 09:07 AM

    I'm looking for some help on setting up machine authentication.

    We are upgrading our wireless network. Our current setup does not enforce machine authentication. We would like to enable this on our new setup. In testing, we can get machine authentication to work with the following steps:

    1. User logs on to Windows at ctrl-alt-del screen
    2. Computer is authenticated
    3. User connects to wireless ssid
    4. User can browse network resources

    With these steps, the computer must already be connected to the wireless network prior to step 1, otherwise machine authentication does not kick in and when the user connects to the wireless network, they are placed in the auth role and cannot access network resources. Is this the way machine authentication should work?

    The issue we have is that users will frequently have the wireless adapter disabled, especially if they are in an office and use a wired connection instead of the wireless. They will then go to another office or in to a meeting room and use the wireless network. They will then logon to Windows with cached credentials and then connect to the wireless network. As we do not have machine authentication this works.

    How would we achieve machine authentication in this scenario? Is it possible? Is there another method to prevent non-domain computers from connecting to our wireless network?



  • 2.  RE: Machine Authentication

    EMPLOYEE
    Posted Mar 12, 2013 09:11 AM

    What are you using to enforce the machine authentication?  

     



  • 3.  RE: Machine Authentication

    Posted Mar 12, 2013 09:53 AM

    We are using IAS for our authentication. It checks the computer is a member of the "Domain Computers" group.



  • 4.  RE: Machine Authentication

    Posted Mar 12, 2013 09:15 AM

    The machine auth kicks in only when there is a logout/login or restart.

    In a normal scenario, if the client boots up and does the machine auth, the controller will cache the machine info for 24 hrs, so whenever he does a user w/l reauth or sleep or hibernate, the cached info will kick in and authenticate the user.

    When they just enable the w/l NIC, the machine auth will not be initiated by the clients, so clients will only pass the user auth and fall into the "machine auth user role", not the dot1x default role.



  • 5.  RE: Machine Authentication

    Posted Mar 12, 2013 09:54 AM

    One way you should be able to prevent non-domain computers from connecting to your wireless network is by using certificates for 802.1x authentication.

     

    To do this you would need a Certificate Authority server if you don't already have one (a Microsoft Server OS can do this, for example).

    Then you need to distribute the certificates to every domain computer by using GPO or something else.

     

    In the Aruba Controller you would then set up your AAA profile for the ssid to use EAP-TLS for authentication.



  • 6.  RE: Machine Authentication

    Posted Mar 12, 2013 12:14 PM

    Yes, using certificates is what we were thinking, and that would be one way to prevent other devices from connecting. Happy with that.

     

    However, it does not solve the problem of connecting and authenticating to the wireless network after logging on to windows. Is this even possible?



  • 7.  RE: Machine Authentication

    EMPLOYEE
    Posted Mar 12, 2013 12:31 PM

    roysm,

     

    IAS cannot use both the Machine and User Authenticated status of a device to determine access.  It sees the user and the machine authentication as two separate distinct authentications and does not allow you to know or permit access based on both.

     

    If you have to use IAS, the best thing you can do is use "Enforce Machine Authentication" in ArubaOS.  It will allow you selective control based on (1) a user passing authentication (2) a machine passing authentication (3) both user and machine passing authentication.

     

    Here is a KB article on how Machine Authentication works in principle:  https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/R-801

     

    The Enforce Machine Authentication option is in the Advanced Tab of the 802.1x profile of your SSID.  Please search the ArubaOS user guide for "enforce" for the full explanation on how to use this.



  • 8.  RE: Machine Authentication

    Posted Apr 19, 2013 11:48 AM

    I'd like to hang in on this topic:

     

    Our customer is using MS Radius (NAP Server 2008) for AAA. They require authentication of domain machines (= machine authentication) as well as non-domain machines (i.e. mobile devices, Linux desktops, etc.). Non-domain devices have been registered in their AD with the MAC address as username and password (= normal user accounts with dial-in allow rights).

    Now, on connecting to the Aruba WLAN, the following should be processed:

    • Domain user credentials correct and domain machine correct = authentication is passed. Then, if the machine is part of a certain Windows group, VLAN X should be assigned; if not, VLAN Y should be applied.
    • If domain user auth fails and/or machine auth fails, access to the WLAN should be blocked (so no access with private mobile devices to wireless). However, some mobile devices should get access (after registration via their MAC address).

    I have tried to configure this using "enforce machine authentication" to get the MS Radius to see the machine login as username/password with the MAC of the device. However, as it seems, the controller never passes the machine credentials to the Radius but only tries to look them up in its local database. Reading other posts here in the forums, I understand that this is the default behavior of the controller, looking for cached credentials of formerly successfully authenticated Windows domain machines.

    I was hoping that maybe there is a way to get the controller to send the machine's credentials to the Radius instead of looking in the local DB?

    Or the other way around: is there some way to configure the customer's request using the Aruba controller and MS Radius/NAP-Server?

     

    TIA for comments/thoughts

     

    Kind regards



  • 9.  RE: Machine Authentication

    EMPLOYEE
    Posted Apr 19, 2013 02:15 PM

    Why bother with mac addresses?  Machine authentication is the most secure authentication possible because only the domain and the machine knows the credentials.  Adding mac addresses into it just complicates things.

     



  • 10.  RE: Machine Authentication

    Posted Apr 22, 2013 09:01 PM

    Machine-Authentication =

    • Dot1x-Authentication done using machine-credentials, and it's done during pre-login (ex: client logs off, restarts, and before the client logs in to the system this will trigger machine-authentication "if" configured on the client).
    • If Machine-auth is successful, AOS caches the credential of the machine (MAC address of the client) to local-userdb & machine-cache. The client is placed in the machine-role (configured in the dot1x profile).

    User-Dot1x-Authentication =

    • Dot1x-Authentication done when the user logs in to the system.
    • While doing user-dot1x-authentication, we check for the previous machine-authentication state by querying machine-cache, and local-userdb (if machine-cache is expired). If found, we treat the client as having passed machine-authentication earlier and honor the role or VLAN derivation; else we place the client in the machine-auth user-default-role (configured in the dot1x profile).

     

    Increasing the machine-cache timeout to a larger value prevents the domain client from doing machine-auth frequently by logoff / restart every time, and prevents non-domain clients from getting into the reserved user-role / VLAN.
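    The role derivation this reply (and replies 4 and 7) describes, modelled as an added Python example so the thread's cases can be traced end to end. This is not ArubaOS code: the `Controller` class, the role names, the hour-based clock and the constructed MAC addresses are assumptions made for the example.

```python
# Added model of ArubaOS "enforce machine authentication" role derivation as
# the replies describe it. Not Aruba code: role names, the hour-based clock
# and the Controller class are assumptions made for this example.
from dataclasses import dataclass, field


@dataclass
class Controller:
    cache_timeout_h: float = 24.0                         # machine-cache lifetime (24 h, reply 4)
    machine_role: str = "machine-auth-default"            # assumed: machine passed, no user yet
    user_default_role: str = "machine-auth-user-default"  # assumed: user passed, machine did not
    dot1x_default_role: str = "dot1x-default"             # assumed: both passed (full access)
    machine_cache: dict = field(default_factory=dict)     # mac -> cache expiry (hours)
    local_userdb: set = field(default_factory=set)        # macs that ever passed machine auth

    def machine_auth(self, mac: str, now_h: float, passed: bool):
        """Pre-login 802.1X with machine credentials; returns the assigned role."""
        if not passed:
            return None                                   # nothing cached, no role
        self.machine_cache[mac] = now_h + self.cache_timeout_h
        self.local_userdb.add(mac)
        return self.machine_role

    def user_auth(self, mac: str, now_h: float, passed: bool):
        """Post-login 802.1X with user credentials; honours an earlier machine auth."""
        if not passed:
            return None                                   # user auth failed: blocked
        cache_hit = self.machine_cache.get(mac, float("-inf")) > now_h
        if cache_hit or mac in self.local_userdb:         # cache first, local-userdb if expired
            return self.dot1x_default_role
        return self.user_default_role                     # Wi-Fi off at login, or non-domain box


def thread_scenarios():
    """Outcomes for the situations raised in the thread (constructed MACs)."""
    c = Controller()
    r = {}
    # Post 1, steps 1-4: Wi-Fi up at the ctrl-alt-del screen, machine auth then user auth
    c.machine_auth("aa:bb:cc:00:00:01", now_h=0.0, passed=True)
    r["wifi_on_at_login"] = c.user_auth("aa:bb:cc:00:00:01", now_h=0.1, passed=True)
    # Post 1: adapter disabled at login, enabled later in a meeting room: no machine auth
    r["wifi_off_at_login"] = c.user_auth("aa:bb:cc:00:00:02", now_h=1.0, passed=True)
    # Reply 10: machine-cache expired after 24 h, local-userdb still remembers the machine
    c.machine_auth("aa:bb:cc:00:00:03", now_h=0.0, passed=True)
    r["cache_expired"] = c.user_auth("aa:bb:cc:00:00:03", now_h=30.0, passed=True)
    # Wrong user credentials are blocked even on a machine-authenticated laptop
    r["bad_user"] = c.user_auth("aa:bb:cc:00:00:01", now_h=1.0, passed=False)
    return r
```

    The "wifi_off_at_login" case lands in the user-default role exactly like an unknown device would, which is the behaviour the original poster observed.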



  • 11.  RE: Machine Authentication

    Posted Aug 16, 2013 03:55 PM

    Shabaresha.h, I was reading your post below and have a question. We are doing a laptop rollout and would like to be able to test all the laptops to make sure they can log in and see their network drives. We would like the laptops to be able to automatically log in and map the users' network drives when they are in range of our SSID. Is this possible, since it's the IS team and not the users that will initially log in and join the laptops to the domain?

    So in short, we would like the laptops to authenticate automatically to the SSID and map the users' drives. We are using Microsoft AD.

     

    Thanks