Occasional Contributor II

[User Authenticated] and [Machine Authenticated] roles

Hi: There are a number of roles that do not show up in the Roles tab, but are available when creating enforcement policies. Among these are [User Authenticated] and [Machine Authenticated].

I have not been able to find a description of these roles.

Can they be reliably used for enforcement? Is every authenticated user given the [User Authenticated] role? Is every AD member computer given the [Machine Authenticated] role? Any other gotchas with these roles?

If I missed something in the CPPM user guide, please feel free to point me there.

Thanks!

Guru Elite

Re: [User Authenticated] and [Machine Authenticated] roles

Yes, they're built-in, auto-assigned roles.

User Authenticated will vary based on the type of authentication. When working with 802.1X, this means that a user account was authenticated.

[Machine Authenticated] will be mapped when a computer account authenticates against the domain successfully.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: [User Authenticated] and [Machine Authenticated] roles

Thanks, Tim.

Is this documented anywhere? I only see one reference to these roles in the User Guide, and that's in a chart in the enforcement policy simulation section.

Thanks.

Occasional Contributor II

Re: [User Authenticated] and [Machine Authenticated] roles

And I'm wondering about the use of the [User Authenticated] role...

If we create a role called "financeMember" and map it via something like:

Authorization: domain.com AD:memberOf EQUALS finance

and then use that role in an enforcement policy... do we also need to check for the [User Authenticated] role?

i.e.: if AD returns the group membership info, don't we know that the user is authenticated?

Thanks.

Guru Elite

Re: [User Authenticated] and [Machine Authenticated] roles

If a user is not authenticated or fails authentication, the role will not appear and enforcement policies will not be executed. You do not need to check for it.

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
Guru Elite

Re: [User Authenticated] and [Machine Authenticated] roles

You need to configure the client for both.

When the machine boots up, it will machine authenticate. When the user logs in, it will user authenticate. The Machine Authenticated token will be cached and can be used to write a policy that says Machine + User do X.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I

Re: [User Authenticated] and [Machine Authenticated] roles

Tim, is there any way to force the user to authenticate with their username, instead of their machine name?

Regards

Carlos Villanueva

Guru Elite

Re: [User Authenticated] and [Machine Authenticated] roles

You'd need to change the supplicant to use user authentication.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I

Re: [User Authenticated] and [Machine Authenticated] roles

Tim, is there any other way? On the ClearPass side? Or is it the only option?

Regards

Carlos Villanueva

Guru Elite

Re: [User Authenticated] and [Machine Authenticated] roles

No. It is the supplicant's decision.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480