Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

NPS policy question. Require user to be on domain computer.

  • 1.  NPS policy question. Require user to be on domain computer.

    Posted Feb 03, 2013 11:09 AM

    Is it possible to create a radius rule that requires a user to be in a security group and be using a domain joined computer. 

    I created a policy that contains the security group the user is in and I added the computer group "Domain Computers", but this does not work. Security logs show the user is not matching any network policies. 

    My WiFi policy on the client machine is set to use user or computer authentication. I am running an Aruba 3400, Windows 2K8 R2 NPS. 

     

    Thanks

    Wayne B. 




  • 2.  RE: NPS policy question. Require user to be on domain computer.

    EMPLOYEE
    Posted Feb 03, 2013 11:23 AM

    It is not possible in NPS.  The problem is NPS only acts on the current authentication (user) and not the status of the device that the user is authenticating from (Is this device part of the domain or has it authenticated as a machine in the past?).  Other Radius platforms like ClearPass Policy Manager allow you to do this.

     

    As an alternative, you can use "Enforce Machine Authentication" on the controller to solve part of your issue:  https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/R-801



  • 3.  RE: NPS policy question. Require user to be on domain computer.

    Posted Sep 07, 2017 10:31 AM

    How are we supposed to do this with CPPM without machine enforcement?

     

    I can only think of allowing user authentication, then use the profiler option that would test with WMI if the machine belongs to the domain and cast the new role.

     

    Or run machine authentication then use the NAC agent in auth mode to authenticate the user afterwards and change the role.

     

    Is there a better way? I am facing the same NPS issue here and we are trying to sell the CPPM option.



  • 4.  RE: NPS policy question. Require user to be on domain computer.

    EMPLOYEE
    Posted Sep 07, 2017 10:33 AM

    This is only possible when combining Computer + User authentication in the supplicant.

     

    The other alternative would be machine certificates.

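The two employee replies above both come down to the same correlation: a device must pass computer (machine) authentication first, and a later user authentication from that same device is only granted the full role if that earlier machine authentication is remembered. The following is an added example, not code from this thread, from ClearPass, or from the Aruba controller; it models that "Enforce Machine Authentication" style of enforcement as a small policy engine keyed on the client MAC (Calling-Station-Id), with a machine-auth cache timeout. The role names, the 3600-second timeout in the scenario, the request fields, and the `host/` identity convention the Windows supplicant uses for computer authentication are assumptions for illustration.

```python
"""Simulated machine + user 802.1X enforcement using a machine-auth cache.

Added example, not the Aruba controller's or ClearPass's own code. It models
the logic behind "Enforce Machine Authentication": a device that passed
computer authentication is remembered by MAC address for a cache timeout; a
later user authentication from the same MAC gets the full role, while a user
login from a device with no cached machine auth gets only a restricted role.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed role names; the real roles are whatever the administrator configures.
MACHINE_ROLE = "machine-only"            # computer authenticated, no user yet
USER_ONLY_ROLE = "user-only-quarantine"  # user on an unknown / non-domain device
FULL_ROLE = "employee"                   # machine and user both authenticated


@dataclass
class AuthRequest:
    """The parts of a RADIUS Access-Request this policy needs (assumed shape)."""
    mac: str                                 # Calling-Station-Id
    identity: str                            # User-Name, e.g. host/PC01.corp.example or corp\alice
    in_domain_computers_group: bool = False  # AD lookup result for a computer account
    in_allowed_user_group: bool = False      # AD lookup result for a user account


@dataclass
class Enforcer:
    cache_timeout: float = 24 * 3600.0  # assumed default; configurable on a real controller
    _machine_cache: Dict[str, float] = field(default_factory=dict)  # mac -> time of machine auth

    @staticmethod
    def is_machine_identity(identity: str) -> bool:
        # The Windows supplicant sends host/<fqdn> when it authenticates the computer.
        return identity.lower().startswith("host/")

    def _machine_auth_valid(self, mac: str, now: float) -> bool:
        seen = self._machine_cache.get(mac)
        if seen is None:
            return False
        if now - seen > self.cache_timeout:
            del self._machine_cache[mac]  # stale entry: the device must machine-auth again
            return False
        return True

    def decide(self, req: AuthRequest, now: float) -> Optional[str]:
        """Return the role to assign, or None for an Access-Reject."""
        mac = req.mac.lower()
        if self.is_machine_identity(req.identity):
            if not req.in_domain_computers_group:
                return None
            self._machine_cache[mac] = now  # only machine auth populates the cache
            return MACHINE_ROLE
        if not req.in_allowed_user_group:
            return None
        # User auth: the full role requires a live machine-auth entry for this MAC.
        return FULL_ROLE if self._machine_auth_valid(mac, now) else USER_ONLY_ROLE


def run_scenario() -> List[Tuple[str, Optional[str]]]:
    """Walk through the sequence a 'user or computer authentication' supplicant produces."""
    e = Enforcer(cache_timeout=3600.0)  # assumed timeout for the demo
    pc = "aa:bb:cc:dd:ee:01"            # constructed sample MAC
    steps = [
        ("boot: machine auth from a domain PC",
         AuthRequest(pc, "host/PC01.corp.example", in_domain_computers_group=True), 0.0),
        ("logon: alice on that PC within the timeout",
         AuthRequest(pc, "corp\\alice", in_allowed_user_group=True), 60.0),
        ("logon: alice from a personal laptop (no machine auth)",
         AuthRequest("aa:bb:cc:dd:ee:99", "corp\\alice", in_allowed_user_group=True), 60.0),
        ("logon: alice on the PC after the cache expired",
         AuthRequest(pc, "corp\\alice", in_allowed_user_group=True), 3700.0),
        ("logon: bob, not in the allowed user group",
         AuthRequest(pc, "corp\\bob"), 60.0),
    ]
    return [(label, e.decide(req, now)) for label, req, now in steps]


if __name__ == "__main__":
    for label, role in run_scenario():
        print(f"{label:55s} -> {role}")
```

Two practical caveats follow from the model. The correlation is keyed on the MAC address, so a device that was machine-authenticated and then has its MAC cloned looks identical to the cache; a machine certificate (EAP-TLS) binds the device identity far more strongly than a cached MAC does. And the cache is only ever populated by a computer authentication, which is why the supplicant must be set to "user or computer authentication" rather than user-only: with user-only, every login lands in the restricted role.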


  • 5.  RE: NPS policy question. Require user to be on domain computer.

    Posted Sep 07, 2017 10:58 AM

    Excuse me for my lack of understanding, but what do you mean by machine certificates? Deploy certs to do EAP-TTLS, authenticating the machine with the cert and then the user with the inner method? If this is the case, it won't do, since I have Windows 7 machines too that do not support EAP-TTLS out of the box (W8+ do).

     

    Also, do you think my two previous proposals (WMI profiling or NAC based for double auth) could work or are just wishful thinking?

     

    Sorry, I always had so many questions on this matter. It would be awesome if you could write one of those masterpieces you do on this topic of customers wanting to restrict access to the network by both machine and user using the standard Windows supplicant (shameless request for your spare time to be wasted on our problems).

     

    [EDITED] I think I messed up my EAP-TTLS concepts. No machine certs for EAP-TTLS, I believe. Reading through the RFC now to learn (https://tools.ietf.org/html/rfc5281). Still confused on the machine certs.