Occasional Contributor I

User and Machine Authentication



I'm currently working on setting up user and machine authentication for a customer following this post:


I'm confused with some of the components that are mentioned which I can't find in the documentation:


  • What is the logic behind CPPM assigning [Machine Authenticated] and [User Authenticated] roles? What does CPPM check and how does it decide to assign these roles in an incoming RADIUS request?
Guru Elite

Re: User and Machine Authentication

The [Machine Authentication] role is pre-defined and will be mapped when a computer account successfully authenticates to the domain.

Tim Cappalli | Aruba Security | @timcappalli

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Occasional Contributor I

Re: User and Machine Authentication

Thanks Cappalli,


I'm also trying to understand the enforcement profile which checks for both [machine auth] and [user auth] roles to be assigned to the requests. I've tested this with domain/useraccount and it works OK (I can see both roles assigned in Access Tracker), I just don't understand how this works. Shouldn't the [user authenticated] role be returned by itself when user credentials are authenticated to the domain? Why is the [machine auth] role also returned?

Guru Elite

Re: User and Machine Authentication

The [user authenticated] built-in role is returned when the current authentication being handled is passed. [Machine Authenticated] is also returned if a device with the same MAC address passed machine authentication within the "Machine Authentication Cache Timeout Period" shown below (24 hours). Another wrinkle to this is that every time a device that has passed machine authentication passes user authentication, the cache is reset to another 24 hours or whatever the parameter is below:

[Attachment: Screenshot 2016-12-13 at 23.53.57.png (Machine Authentication Cache Timeout Period setting)]

You can test this by clearing the machine authentication cache to reset all devices:

[Attachment: Screenshot 2016-12-13 at 23.55.53.png (clearing the machine authentication cache)]


To recap and in more detail:

Domain machines attempt machine authentication with a username of host/<machine fqdn>. If ClearPass sees a device pass authentication with that username it assumes it is a domain machine that has authenticated and adds the MAC address of that device to the machine authentication cache for 24 hours or whatever that parameter is. It also returns the built-in role of [machine authenticated]. If a user on that machine authenticates successfully via 802.1X, ClearPass returns [user authenticated] and [machine authenticated] if it is within that 24 hours, every time that user authenticates. Every time a user successfully authenticates on a machine that is in the machine authentication cache, the 24 hours is extended.


It is designed this way, because by default machines only machine authenticate when they are at the Ctrl-Alt-Delete prompt and logged out. It is possible that a user locks his machine and comes back 36 hours later; the machine will be removed from the cache and the next user authentication will no longer have the [machine authenticated] role, because it expired. Extending the cache for any successful 802.1X authentication with that MAC address eliminates the need for a user to reboot his computer just to reflect that it is a domain machine.


I hope that helps...

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
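As an added example that is not part of the thread and not ClearPass's own code, the following Python models the cache behaviour described in the reply above: a username of the form host/<fqdn> that passes authentication puts the client MAC into a machine-authentication cache for the timeout period, every passed authentication returns [User Authenticated], a user authentication from a cached MAC additionally returns [Machine Authenticated] and extends the cache entry, and clearing the cache drops the role for everyone. The two built-in role names come from the thread; the AuthRequest structure, the MAC normalisation, the 24-hour default and the enforcement profile names ("Full Access", "User Only Access", "Deny Access") are assumptions made for the illustration.

```python
"""
Model of the ClearPass machine-authentication cache logic described in the
thread. Illustrative only: this is not ClearPass code. Assumptions are
marked inline.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Built-in role names as they appear in the thread.
MACHINE_AUTHENTICATED = "[Machine Authenticated]"
USER_AUTHENTICATED = "[User Authenticated]"


@dataclass
class AuthRequest:
    """Minimal stand-in for an incoming 802.1X/RADIUS authentication (assumed shape)."""
    username: str        # e.g. "host/pc1.corp.example" or "CORP\\alice"
    mac: str             # client MAC, any common formatting
    timestamp: datetime  # when the request arrived
    credentials_ok: bool # result of the domain (AD) credential check, supplied by caller


def normalise_mac(mac: str) -> str:
    """Assumed normalisation so 'AA-BB-...' and 'aa:bb:...' hit the same cache entry."""
    return mac.lower().replace("-", ":")


def is_machine_auth(username: str) -> bool:
    """Domain machines authenticate as host/<fqdn>, per the thread."""
    return username.lower().startswith("host/")


class MachineAuthCache:
    """MAC -> expiry time. Default timeout is the 24 hours quoted in the thread."""

    def __init__(self, timeout: timedelta = timedelta(hours=24)) -> None:
        self.timeout = timeout
        self._entries: Dict[str, datetime] = {}

    def is_cached(self, mac: str, now: datetime) -> bool:
        expiry = self._entries.get(normalise_mac(mac))
        return expiry is not None and now < expiry

    def refresh(self, mac: str, now: datetime) -> None:
        """Start (or extend) the timeout window for this MAC."""
        self._entries[normalise_mac(mac)] = now + self.timeout

    def clear(self) -> None:
        """Equivalent of the 'clear machine authentication cache' action."""
        self._entries.clear()


def evaluate(req: AuthRequest, cache: MachineAuthCache) -> List[str]:
    """Return the built-in roles the request would be assigned, following the thread."""
    if not req.credentials_ok:
        return []  # failed authentication: no roles at all
    roles = [USER_AUTHENTICATED]  # the current authentication passed
    if is_machine_auth(req.username):
        cache.refresh(req.mac, req.timestamp)  # machine auth: (re)start the window
        roles.append(MACHINE_AUTHENTICATED)
    elif cache.is_cached(req.mac, req.timestamp):
        cache.refresh(req.mac, req.timestamp)  # user auth on a cached MAC extends the window
        roles.append(MACHINE_AUTHENTICATED)
    return roles


def enforcement(roles: List[str]) -> str:
    """Hypothetical enforcement policy: the thread only says it checks for both roles."""
    if MACHINE_AUTHENTICATED in roles and USER_AUTHENTICATED in roles:
        return "Full Access"
    if USER_AUTHENTICATED in roles:
        return "User Only Access"
    return "Deny Access"


if __name__ == "__main__":
    # Constructed scenario: machine auth at the logon screen, user logon an hour later,
    # then the "locked for 36 hours" case from the thread.
    cache = MachineAuthCache()
    t0 = datetime(2016, 12, 13, 8, 0)
    mac = "aa:bb:cc:dd:ee:01"
    for label, req in [
        ("machine auth", AuthRequest("host/pc1.corp.example", mac, t0, True)),
        ("user +1h", AuthRequest("CORP\\alice", "AA-BB-CC-DD-EE-01", t0 + timedelta(hours=1), True)),
        ("user +37h", AuthRequest("CORP\\alice", mac, t0 + timedelta(hours=37), True)),
    ]:
        roles = evaluate(req, cache)
        print(f"{label:12s} roles={roles} -> {enforcement(roles)}")
```

The third request in the demo shows the expiry case from the reply: the user authentication at +1h extended the entry to +25h, nothing refreshed it afterwards, so at +37h only [User Authenticated] comes back and the hypothetical policy drops to "User Only Access". Periodic user re-authentication (for example every 20 hours) keeps the entry alive indefinitely, which is the behaviour the reply describes as avoiding a reboot.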