Occasional Contributor II

Not getting [Machine Authenticated] Role

Hi there,

I have a few issues and hope one of you guys could guide me. I have set up a lab and, to start with, I have set up a basic MAC Auth service along with web auth for captive portal redirect.

1. In Access Tracker, I do not see the Machine Authenticated role for the request even after logging off and on and restarting the PC. This is a domain PC. I only see the user authenticated role. What could be the issue here? I have attached the input from the auth request.

2. The web portal redirect is not working. The MAC auth sends a profile to redirect to the captive portal but it doesn't happen. When I do the manual web auth, it hits the web auth service, but again when web auth sends a RADIUS CoA, it doesn't hit back to MAC auth to get the guest profile and gets stuck in MAC auth. In the login page, I have tried both Cisco and captive portal with ClearPass in vendor settings, both with the same result.

I am not sure if my ACL is wrong or it has something to do with my Cisco switch running 15.2. Attached is the switch configuration and Access Tracker outputs.

Thanks,


Accepted Solutions
Guru Elite

Re: Not getting [Machine Authenticated] Role

If you haven't enabled 802.1x, you cannot get the machine authenticated role.  The machine authenticated role appears when a device authenticates with a host/<machine name> username.  There is no other way to know if a device has machine authenticated.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.5 User Guide
InstantOS 8.5 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
ArubaOS Consolidated Release Notes
Aruba VIA ASE Solution - Configure VIA VPN



All Replies
Occasional Contributor II

Re: Not getting [Machine Authenticated] Role

For the record, I have not enabled 802.1x as I am testing only MAC auth. The idea is to give an allow-access profile for the machine authenticated role and a guest profile through captive portal redirect for non-domain PCs.

Guru Elite

Re: Not getting [Machine Authenticated] Role

If you haven't enabled 802.1x, you cannot get the machine authenticated role.  The machine authenticated role appears when a device authenticates with a host/<machine name> username.  There is no other way to know if a device has machine authenticated.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*

Occasional Contributor II

Re: Not getting [Machine Authenticated] Role

Dear Cjoseph,

Thanks for the reply. I enabled dot1x on my laptop. I see the machine authentication request hitting ClearPass but it's getting rejected. It's still getting MAC authenticated with the MAC address as the user name, so it gets user authenticated but no machine authenticated role.

Do I need to create a service for 802.1x wired to get the machine authenticated role? MAC Auth alone doesn't support this?

Guru Elite

Re: Not getting [Machine Authenticated] Role

It looks like you do not have a service setup to handle 802.1x authentication. Have you seen the ClearPass wired policy enforcement technote here:  https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/EntryId/33093/Default.aspx  ?


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
Occasional Contributor II

Re: Not getting [Machine Authenticated] Role

Yes, I have read the document.

I have not set up the 802.1x service yet. As I said, as of now I am only testing MAC auth and captive portal redirect for guests.

I was actually troubleshooting the captive portal redirect issue when I came across this machine authentication role not being fetched. For this particular problem, just for my knowledge, I want to know if the machine authentication role can be fetched using MAC auth only? Or can it only be done through a dot1x service?


@cjoseph wrote:

It looks like you do not have a service setup to handle 802.1x authentication. Have you seen the ClearPass wired policy enforcement technote here:  https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/EntryId/33093/Default.aspx  ?


 

Guru Elite

Re: Not getting [Machine Authenticated] Role

For a device to be classified as machine authenticated, it must successfully authenticate via 802.1x with a username of host/<machine name>.  It does not work for mac authentication.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
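
The distinction drawn in this thread, as an added example that is not part of the original posts and is not ClearPass's own logic: a small classifier that separates MAC authentication from 802.1X machine and user authentication using standard RADIUS attribute names. The request dictionaries, host names and the `accepted` flag are constructed sample data, and the function names are hypothetical.

```python
import re

def norm_mac(value):
    """Return 12 lowercase hex digits if value is a MAC address, else None."""
    text = value or ""
    digits = re.sub(r"[^0-9a-fA-F]", "", text)
    stripped = re.sub(r"[-:.]", "", text)  # only MAC separators may be dropped
    return digits.lower() if len(digits) == 12 and digits == stripped else None

def classify(req):
    """Label an Access-Request by how the endpoint identified itself."""
    user = req.get("User-Name", "")
    if "EAP-Message" in req:  # 802.1X requests carry EAP
        return "dot1x-machine" if user.lower().startswith("host/") else "dot1x-user"
    mac = norm_mac(user)
    if mac and mac == norm_mac(req.get("Calling-Station-Id")):
        return "mac-auth"  # switch sent the MAC address as the user name
    return "other"

def machine_authenticated(req, accepted):
    """Per the thread: only a successful 802.1X host/<machine name> login counts."""
    return accepted and classify(req) == "dot1x-machine"

# Constructed sample requests (not taken from the poster's Access Tracker).
MAC = "00-11-22-AA-BB-CC"
SAMPLES = [
    ({"User-Name": "001122aabbcc", "Calling-Station-Id": MAC,
      "Service-Type": "Call-Check"}, True),             # MAC auth, accepted
    ({"User-Name": "host/LAB-PC01.example.local", "Calling-Station-Id": MAC,
      "EAP-Message": "<eap>"}, False),                  # machine auth, rejected
    ({"User-Name": "host/LAB-PC01.example.local", "Calling-Station-Id": MAC,
      "EAP-Message": "<eap>"}, True),                   # machine auth, accepted
    ({"User-Name": "EXAMPLE\\alice", "Calling-Station-Id": MAC,
      "EAP-Message": "<eap>"}, True),                   # user auth, accepted
]

def summarize(samples):
    return [(classify(r), machine_authenticated(r, ok)) for r, ok in samples]

if __name__ == "__main__":
    for row in summarize(SAMPLES):
        print(row)
```

The first two samples mirror the situation described above: the MAC authentication is accepted and the 802.1X machine request is rejected, so no request qualifies for the machine authenticated role.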
Occasional Contributor II

Re: Not getting [Machine Authenticated] Role

Thanks man. Got it.

Could you please look at my switch configuration and ClearPass config screenshots to guide me on why the redirect is not working? ClearPass sends the redirect profile to the switch but nothing happens... The PC gets normal network access...

When I manually do the web authentication, it works fine and hits the web auth service that I created. I have followed all the guides and discussions here but don't seem to be able to resolve this issue.

Occasional Contributor II

Re: Not getting [Machine Authenticated] Role

For the Cisco switch, you need an SVI to be on the same subnet as the Clearpass server, which in your case is on 192.168.1.x

The web-redirect won't work over L3.
Occasional Contributor II

Re: Not getting [Machine Authenticated] Role

I have interface vlan 1 in that range with IP 192.168.1.11. Before, it was through DHCP, but now I made it static.
