Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

[User Authenticated] and [Machine Authenticated] roles

  • 1.  [User Authenticated] and [Machine Authenticated] roles

    Posted Dec 22, 2016 10:38 AM

    Hi: There are a number of roles that do not show up in the Roles tab, but are available when creating enforcement policies. Among these are [User Authenticated] and [Machine Authenticated].

    I have not been able to find a description of these roles.

    Can they be reliably used for enforcement? Is every authenticated user given the [User Authenticated] role? Is every AD member computer given the [Machine Authenticated] role? Any other gotchas with these roles?

    If I missed something in the CPPM user guide, please feel free to point me there.

    Thanks!



  • 2.  RE: [User Authenticated] and [Machine Authenticated] roles
    Best Answer

    EMPLOYEE
    Posted Dec 22, 2016 10:42 AM
    Yes, they're built in, auto assigned roles.

    User Authenticated will vary based on the type of authentication. When working with 802.1X, this means that a user account was authenticated.

    [Machine Authenticated] will be mapped when a computer account authenticates against the domain successfully.


  • 3.  RE: [User Authenticated] and [Machine Authenticated] roles

    Posted Dec 22, 2016 11:31 AM

    Thanks, Tim.

    Is this documented anywhere? I only see one reference to these roles in the User Guide, and that's in a chart in the enforcement policy simulation section.

    Thanks.



  • 4.  RE: [User Authenticated] and [Machine Authenticated] roles

    Posted Dec 23, 2016 10:53 AM

    And I'm wondering about the use of the [User Authenticated] role...

    If we create a role called "financeMember" and map it via something like:

    Authorization: domain.com AD:memberOf EQUALS finance

    and then use that role in an enforcement policy... do we also need to check for the [User Authenticated] role?

    i.e.: if AD returns the group membership info, don't we know that the user is authenticated?

    Thanks.



  • 5.  RE: [User Authenticated] and [Machine Authenticated] roles

    EMPLOYEE
    Posted Dec 23, 2016 10:57 AM
    If a user is not authenticated or fails authentication, the role will not appear and enforcement policies will not be executed. You do not need to check for it.


  • 6.  RE: [User Authenticated] and [Machine Authenticated] roles

    Posted Jul 23, 2019 04:02 AM

    @cjoseph wrote:
    If a user is not authenticated or fails authentication, the role will not appear and enforcement policies will not be executed. You do not need to check for it.


    Hello

    In line with what you say, how can I enforce a policy for an unauthenticated machine or user? If I need to accept authenticated machines but apply another behavior to unauthenticated ones, how is this possible, if the reject condition predominates before the default condition/policy is applied?



  • 7.  RE: [User Authenticated] and [Machine Authenticated] roles

    EMPLOYEE
    Posted Jul 24, 2019 09:45 PM
    Hi,

    Authentication failure predominates over any RADIUS-based enforcement, so it is not possible to apply any RADIUS-based enforcement for user/machine authentication failures.

    You may check from the NAS end and see if you can apply different behaviour for unauthenticated users.
    Ex: dot1x to MAB in a wired network.


  • 8.  RE: [User Authenticated] and [Machine Authenticated] roles

    Posted Jul 25, 2019 03:54 AM

    Ok, thanks

    Finally, I've created two roles on the access switches (authenticated and not authenticated), configured the not-authenticated one as the initial role with a restricted VLAN and the authenticated one with the corporate user VLAN. I also configured CPPM to send the authenticated role to the access switch and apply the VLAN change from it. It works.



  • 9.  RE: [User Authenticated] and [Machine Authenticated] roles

    EMPLOYEE
    Posted Dec 23, 2016 11:02 AM
    You need to configure the client for both.

    When the machine boots up, it will machine authenticate. When the user logs in, it will user authenticate. The Machine Authenticated token will be cached and can be used to write a policy that says Machine + User do X.


  • 10.  RE: [User Authenticated] and [Machine Authenticated] roles

    Posted Apr 17, 2018 05:21 PM

    Tim, is there any way to force the user to authenticate with their username, instead of their machine name?

    Regards

    Carlos Villanueva



  • 11.  RE: [User Authenticated] and [Machine Authenticated] roles

    EMPLOYEE
    Posted Apr 17, 2018 05:23 PM
    You'd need to change the supplicant to use user authentication.


  • 12.  RE: [User Authenticated] and [Machine Authenticated] roles

    Posted Apr 17, 2018 05:28 PM

    Tim, is there any other way, on the ClearPass side, or is that the only option?

    Regards

    Carlos Villanueva



  • 13.  RE: [User Authenticated] and [Machine Authenticated] roles

    EMPLOYEE
    Posted Apr 17, 2018 05:30 PM
    No. It is the supplicant's decision.


  • 14.  RE: [User Authenticated] and [Machine Authenticated] roles

    Posted Apr 17, 2018 05:36 PM

    Ok, thank you very much, my friend.

    Regards

    Carlos Villanueva



  • 15.  RE: [User Authenticated] and [Machine Authenticated] roles

    Posted Jul 09, 2019 10:38 AM

    Hello,

     

    I don't understand how the [Machine Authenticated] role works.

    I use MAC authentication.

    I have one PC A in the domain, and in Access Tracker I see [Machine Authenticated] assigned to this PC. No problem if the PC is joined to the domain.

    Now I have another PC B that is not joined to the domain, but I have spoofed the MAC address of PC A on PC B. In Access Tracker I see the [Machine Authenticated] role too.

    Why?

    Does [Machine Authenticated] work just with a MAC address?

    Thanks



  • 16.  RE: [User Authenticated] and [Machine Authenticated] roles

    EMPLOYEE
    Posted Jul 24, 2019 09:34 PM
    Hi,

    The [Machine Authenticated] role is cached based on MAC address.

    You can derive additional conditions in your dot1x role-mapping/enforcement policy along with [Machine Authenticated] role to ensure the cached role is used appropriately.
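A constructed Python model of the thread's scenarios, added here as an illustration and not ClearPass code or anything posted in the thread: it shows why a financeMember rule needs no [User Authenticated] check (reply 5), how a Machine + User policy is expressed (reply 9), and why a MAC-keyed cached [Machine Authenticated] role must be combined with further conditions (replies 15 and 16). MAC addresses, account names, the "dot1x"/"mab" labels and the two VLAN profile names are all assumptions.

```python
from dataclasses import dataclass, field

# Constructed model of ClearPass-style role mapping and enforcement; not ClearPass code.
MACHINE_AUTH_CACHE = set()               # machine-auth tokens are cached by endpoint MAC

@dataclass
class Request:
    mac: str
    method: str                          # "dot1x" or "mab" (constructed labels)
    auth_ok: bool                        # credential check / MAC lookup succeeded
    account: str = ""                    # "host/PC-A$" for a computer, "alice" for a user
    member_of: set = field(default_factory=set)   # constructed AD memberOf values

def map_roles(req):
    """Built-in roles are auto-assigned; custom roles come from authorization data."""
    roles = set()
    if not req.auth_ok:
        return roles                     # nothing is mapped when authentication fails
    if req.method == "dot1x":
        if req.account.startswith("host/"):
            MACHINE_AUTH_CACHE.add(req.mac)   # computer account: cache the token by MAC
        else:
            roles.add("[User Authenticated]")
    if req.mac in MACHINE_AUTH_CACHE:
        roles.add("[Machine Authenticated]")  # cached role is applied by MAC alone
    if "finance" in req.member_of:
        roles.add("financeMember")
    return roles

def enforce(req, hardened):
    """Return the enforcement profile; an authentication failure short-circuits everything."""
    if not req.auth_ok:
        return "REJECT"                  # so a financeMember rule never needs [User Authenticated]
    roles = map_roles(req)
    machine = "[Machine Authenticated]" in roles
    user = "[User Authenticated]" in roles
    if hardened:
        # Machine + User: the cached token only counts together with a live 802.1X user auth
        return "Corporate-VLAN" if machine and user else "Restricted-VLAN"
    return "Corporate-VLAN" if machine else "Restricted-VLAN"   # weak: trusts the MAC cache alone

def run_scenarios(hardened):
    MACHINE_AUTH_CACHE.clear()
    pc_a = "aa:bb:cc:00:00:01"           # constructed MAC of domain-joined PC A
    boot = Request(pc_a, "dot1x", True, "host/PC-A$")
    login = Request(pc_a, "dot1x", True, "alice", {"finance"})
    other = Request(pc_a, "mab", True)   # unjoined device presenting PC A's MAC, as in post 15
    bad_pw = Request("aa:bb:cc:00:00:02", "dot1x", False, "bob")
    return {name: enforce(r, hardened) for name, r in
            [("boot", boot), ("login", login), ("other", other), ("bad_pw", bad_pw)]}
```

With the weak policy the unjoined device inherits Corporate-VLAN purely from the cached MAC; with the hardened Machine + User policy it lands in Restricted-VLAN while the failed password is rejected before any enforcement runs.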