Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

User & Computer attribute for Microsoft AD Authorization in 802.1X

  • 1.  User & Computer attribute for Microsoft AD Authorization in 802.1X

    Posted Sep 15, 2016 03:02 AM

    There's no way to pass both a User and a Computer Authorization Attribute to Microsoft AD ?

    In wireless SSID configuration under Microsoft Windows under Advanced 802.1X settings, I can see 'User OR Computer'.  But I can't send both can I ?

    Untitled.png

    The goal is to have both a valid User AND (Logic AND) a valid Computer object/hostname be sitting in Microsoft AD to eventuate rule matching of an enforcement policy, and thus an Allow Enforcement Profile.



  • 2.  RE: User & Computer attribute for Microsoft AD Authorization in 802.1X

    Posted Sep 15, 2016 03:22 AM

    I guess I'm trying to see if I can get computer auth attributes AND user auth attributes out of a Microsoft supplicant to vet on... is my question...



  • 3.  RE: User & Computer attribute for Microsoft AD Authorization in 802.1X

    EMPLOYEE
    Posted Sep 15, 2016 05:42 AM

    The Microsoft client will only let you send one set of credentials at a time.  You cannot send both.



  • 4.  RE: User & Computer attribute for Microsoft AD Authorization in 802.1X

    Posted Sep 15, 2016 07:30 AM

    Agree.. the supplicant will only do one at a time.

    But, with something like this, http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/How-to-Machine-AND-User-Authentication-in-Windows-with-Clearpass/td-p/208471, and having the device machine auth first, and then following up with a user auth next, and writing the dNSHostName to Endpoint local SQL DB, and then SQL querying it (comment from Tim Cappalli (http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/How-to-Machine-AND-User-Authentication-in-Windows-with-Clearpass/m-p/255073#M23954) in the next part/user auth part.. I could essentially get what I want.. no ?

    Machine Auth first, User Auth followup.



  • 5.  RE: User & Computer attribute for Microsoft AD Authorization in 802.1X

    EMPLOYEE
    Posted Sep 15, 2016 08:00 AM

    But, what are you trying to accomplish?  The machine authentication state should be cached for 24 hours by default, so you can use the role [Machine Authenticated] to determine if a machine has already authenticated when processing a user authentication.



  • 6.  RE: User & Computer attribute for Microsoft AD Authorization in 802.1X

    EMPLOYEE
    Posted Sep 15, 2016 08:44 AM

    To be clear, when you set the Microsoft 802.1X client to use "user or computer authentication", it will machine authenticate when:

    - The user logs off of their computer or

    - The machine boots up at the ctrl-alt-delete prompt

    This means, when the machine boots up and successfully machine authenticates, it will have the [Machine Authenticated] role.  That built-in role will be cached for 24 hours.  When the user attempts to log in after, the user's authentication will also have the [Machine Authenticated] role which you can use to make policy decisions.  Whenever the user successfully authenticates, the Machine Authenticated cache is reset, so CPPM will remember the machine authenticated state, even if the machine authentication does not happen at the CTRL-ALT-DELETE screen, because the cache is renewed whenever there is a successful user authentication.

     

    Long story short, use the [Machine Authenticated] role to determine if a user is authenticating on a machine that has already successfully machine authenticated.



  • 7.  RE: User & Computer attribute for Microsoft AD Authorization in 802.1X

    Posted Sep 15, 2016 10:14 AM

    Ok.. and not being personally super proficient in Microsoft AD services, I presume an LDAP object type of 'computer' is only present in the forest if a machine successfully authenticates ?

    Thus, yes this built in role will satisfy my requirements as it seems..

    Agree ?



  • 8.  RE: User & Computer attribute for Microsoft AD Authorization in 802.1X
    Best Answer

    EMPLOYEE
    Posted Sep 15, 2016 10:20 AM

    An AD account of type "Computer" is created whenever a workstation joins the domain.  That is the same account that a machine authenticates to, when it is wired, to get its policy from the domain.  If that account is disabled, the machine loses access to the domain.  You will see the username as "hostname/<name of host>" in ClearPass when the device authenticates.  When ClearPass sees the "hostname/" portion, it knows that a device is attempting to machine authenticate.  When it is successful, it sets the [Machine Authenticated] role for that device.  If a user or machine successfully authenticates for the same device, the cache is reset for 24 hours by default.



  • 9.  RE: User & Computer attribute for Microsoft AD Authorization in 802.1X

    Posted Sep 15, 2016 10:31 AM

    What about if that object is not disabled or deleted.  And is existing. And CP is brought into the picture, and the device has PEAP entered into a wireless profile and CP Access Tracker.. quite sure.. never sees a machine authentication.. it just sees user authentication hitting it.

    I want to be able to logic AND a device that has prior machine authenticated and is now trying to user authenticate.

    It sounds like, CP needs to see a computer authentication FIRST.

    Which means an Enforcement Policy rule condition set of,

    (Authentication:Source  EQUALS  *customerAD*)
    AND  (Authorization:*customer AD*:UserDN  EXISTS   )
    AND  (Tips:Role  EQUALS  [Machine Authenticated]) hits action of [Allow Access Profile]

    will not allow this machine to machine authenticate for the first time... because it needs to satisfy all those 3 conditions.

    I'll need a preceding service to catch a machine auth FIRST, allow it, to cache it and fill the TIPS built-in role, and then a service to throw the enforcement policy I've built above as the next one down.  Correct ?



  • 10.  RE: User & Computer attribute for Microsoft AD Authorization in 802.1X

    Posted Sep 19, 2016 01:33 AM

    Bumping this.. to get the last part answered.  :)



  • 11.  RE: User & Computer attribute for Microsoft AD Authorization in 802.1X

    EMPLOYEE
    Posted Sep 19, 2016 04:45 AM
    A domain laptop will attempt to machine authenticate when it is at the ctrl alt delete screen even before the user logs in. ClearPass will cache the machine authentication status of a device by setting a role of [Machine Authenticated]. You can find out if a device has passed machine authentication by looking for that role in ClearPass. You do not need to look for anything in AD.


  • 12.  RE: User & Computer attribute for Microsoft AD Authorization in 802.1X

    Posted Sep 19, 2016 04:54 AM

    @cjoseph wrote:
    A domain laptop will attempt to machine authenticate when it is at the ctrl alt delete screen even before the user logs in. Clear pass will cache the machine authentication status ...

    And this includes wireless.. not just wired ?

    And I don't need to orient a service to catch and fill this internal TIPS: role of [Machine Authentication] separately from the rest of my service architecture..

    I can just start going ahead using it in my rules right from the get go ?



  • 13.  RE: User & Computer attribute for Microsoft AD Authorization in 802.1X

    EMPLOYEE
    Posted Sep 19, 2016 05:03 AM
    Wireless is different from wired, so you will need a different service to handle a wired connection. You can just start using the machine authenticated role in your rules, yes.


  • 14.  RE: User & Computer attribute for Microsoft AD Authorization in 802.1X

    Posted Sep 19, 2016 05:37 AM

    Correct.. Stands to reason.

    Appreciate all the help.

    As long as Microsoft Windows workstations will pass machine auth to BOTH wired and wireless networks during this CTRL+ALT+DEL phase (aka symmetrical behaviour).. then I'm fine... I'll have that internal role pre-filled.. and can pivot off that in rules.



  • 15.  RE: User & Computer attribute for Microsoft AD Authorization in 802.1X

    EMPLOYEE
    Posted Sep 19, 2016 05:42 AM

    I don't know if they do that at the same time.  The wired and wireless mac addresses are different, so the wired mac and wireless mac are seen as two different devices by CPPM.  I would stick to getting only one interface working with machine authentication first...



  • 16.  RE: User & Computer attribute for Microsoft AD Authorization in 802.1X

    Posted Sep 19, 2016 07:03 AM

    lol.. we're taking steps back again..

    This is all in order to orient rule condition of an enforcement policy for wireless service.  Not wired.

    I need to logic AND,

    AD user auth + Machine auth for a wireless service.

    If Microsoft Windows default behaviour is to only fire off a machine auth on log off, and CTRL+ALT+DEL, for wired.. then none of this helps for wireless...

    I'd need to get a NAD registered and hook into switches .. just to get a machine auth .. for wired.. only in order to fill the internal role with a cached machine auth ? Essentially ?



  • 17.  RE: User & Computer attribute for Microsoft AD Authorization in 802.1X

    EMPLOYEE
    Posted Sep 19, 2016 09:02 AM

    The computer also does a machine auth on wireless at the ctrl-alt-delete screen....

    Again, since you are just starting out with the design, I suggest you either focus on only wired OR wireless at a time, because they need to be handled separately.



  • 18.  RE: User & Computer attribute for Microsoft AD Authorization in 802.1X

    Posted Sep 19, 2016 09:08 AM
    Wireless only for now.
    Not just design. Having live RADIUS hit it.. and seeing varying results with respect to generation of Machine Auth.. so checking in with the team here to see scenarios/conditions from Microsoft perspective that precursors sending a Machine Authentication. I think we're there though... service and enf policy solid. Just need to ensure I get those machine auths.. which is computer behaviour now. Thanks .. very much.


  • 19.  RE: User & Computer attribute for Microsoft AD Authorization in 802.1X

    Posted Sep 23, 2016 02:07 AM

    @cjoseph wrote:

    ... When it is successful, it sets the [Machine Authenticated] role for that device.  If a user or machine successfully authenticates for the same device, the cache is reset for 24 hours by default....


    This is pretty much working.

    The comment about the cache.

    The way to fill the [Machine Authenticated] internal role is to fire a bootup or restart while the wireless NIC is firing on the SSID.. with the 'give me EAP creds' popup.

    User auths are implicitly firing all the time in a customer 'business as usual' scenario. 

    But I worry machine auths hitting wireless can not be so frequent.  I.e. If someone works from cable for a long period of time, they will never get a machine auth against wireless SSID.

    I can think of scenarios where machine auths will never hit wireless SSID (i.e. shutdowns/restarts/bootups can eventuate on cable, and then the user swaps/activity based works off docking station, or whatever, on the fly, and hits the SSID then).  And I worry about the cache expiring.

    This can happen, no ?
    Remembering user/machine auths are only flowing into clearpass over wireless....

    Can a user auth success hit also refresh the cache of a machine auth ?

    And vice versa ? off the same endpoint/mac address ?



  • 20.  RE: User & Computer attribute for Microsoft AD Authorization in 802.1X
    Best Answer

    EMPLOYEE
    Posted Sep 23, 2016 04:30 AM
    The machine authentication cache is renewed every time a user or machine authenticates successfully.
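    As an added illustration (not code from this thread, from ClearPass, or from HPE Aruba), the following Python models the caching behaviour described in posts 8 and 20 and checks it against the worry raised in post 19: one machine auth at boot, then user-only auths over wireless with growing gaps between them. The MAC address, timestamps, hostname, and the "[Allow Machine Auth]" profile name standing in for a preceding machine-auth rule are constructed assumptions; the "host/" prefix is assumed alongside the "hostname/" form the thread quotes.

```python
from datetime import datetime, timedelta

CACHE_TTL = timedelta(hours=24)            # ClearPass default lifetime quoted in the thread
MACHINE_ROLE = "[Machine Authenticated]"
MACHINE_PREFIXES = ("host/", "hostname/")  # machine-auth username prefixes (assumption)


class MachineAuthCache:
    """Per-endpoint (MAC address) expiry of the [Machine Authenticated] role."""

    def __init__(self):
        self._expires = {}  # mac -> datetime after which the cached role lapses

    def is_machine_authenticated(self, mac, now):
        expiry = self._expires.get(mac)
        return expiry is not None and now < expiry

    def renew(self, mac, now):
        self._expires[mac] = now + CACHE_TTL


def process_auth(cache, mac, username, now):
    """Model one *successful* AD authentication from endpoint `mac`.

    Returns (roles, enforcement profile). The profile names are placeholders
    for the thread's [Allow Access Profile] rule and a preceding machine-auth rule.
    """
    is_machine = username.startswith(MACHINE_PREFIXES)
    roles = set()
    if is_machine or cache.is_machine_authenticated(mac, now):
        roles.add(MACHINE_ROLE)
    if is_machine:
        cache.renew(mac, now)                   # machine auth sets/renews the cache
        return roles, "[Allow Machine Auth]"    # hypothetical preceding rule
    if MACHINE_ROLE in roles:
        cache.renew(mac, now)                   # user auth renews the existing entry
        return roles, "[Allow Access Profile]"  # Source AND UserDN AND Tips:Role hold
    return roles, "[Deny Access Profile]"       # no cached machine auth for this MAC


def post19_scenario():
    """One machine auth at boot, then user-only auths on wireless with growing gaps."""
    cache = MachineAuthCache()
    mac = "00-11-22-33-44-55"                   # constructed endpoint MAC
    t0 = datetime(2016, 9, 23, 8, 0)            # constructed boot time
    events = [("host/LAPTOP01", 0), ("alice", 1), ("alice", 23), ("alice", 40), ("alice", 120)]
    return [process_auth(cache, mac, user, t0 + timedelta(hours=h))[1] for user, h in events]
```

    The fourth user auth (40 hours after boot) is still allowed because the auth at hour 23 renewed the cache; the fifth, 80 hours after the last success, lands after the 24-hour window and loses the role.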


  • 21.  RE: User & Computer attribute for Microsoft AD Authorization in 802.1X

    Posted Sep 23, 2016 05:02 AM
    Music to my ears. Brilliant. And thank you.

