New Contributor

Machine auth using VIA and CPPM drops the host/ prefix when authenticating to AD

We are using VIA (v3.2) for remote access on Windows 10 laptops. We authenticate using user certificates, which is working fine.

We have configured domain pre-connect on the VIA client profile so that users of the VPN can log off and change passwords etc.

The problem is that when ClearPass authenticates the machine cert against AD, it drops the host/ from the front of the machine name. It appears AD then tries to authenticate the laptop as a user and the authentication fails.

There is also an automatic TIPS role of [User Authenticated] generated.

Using the same machine cert on a WiFi or wired (both 802.1X) connection, ClearPass asks AD to authenticate with the host/ prefix intact and a TIPS role of [Machine Authentication]. This authenticates correctly.

Has anyone any idea why we lose the prefix using VIA?

Guru Elite

Re: Machine auth using VIA and CPPM drops the host/ prefix when authenticating to AD

In the service used to authenticate VIA, under the authentication tab, do you have "strip username" rules enabled?


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
Guru Elite

Re: Machine auth using VIA and CPPM drops the host/ prefix when authenticating to AD

The host/ prefix is appended by the Windows 802.1X supplicant only.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
New Contributor

Re: Machine auth using VIA and CPPM drops the host/ prefix when authenticating to AD

We do strip everything the @companyname.com from the users.  The machine names don't have the @.

New Contributor

Re: Machine auth using VIA and CPPM drops the host/ prefix when authenticating to AD

I think I'm missing something fundamental here. Do you know how the TIPS Roles are determined as User or Machine? I thought this was from the certificate contents.
