User and Machine authentication - Together not working

  • 1.  User and Machine authentication - Together not working

    Posted Sep 01, 2019 04:18 PM

    Dear Experts, 

     

    I am trying to configure Machine authentication with User authentication. Please see below what I have achieved so far.

     

    Aruba Instant 8.3

     

    1) Created 802.1x SSID and configured instant and CPPM accordingly

    2) On Windows 10, under 802.1X, I selected user authentication only and authentication was successful; I got the required role, etc.

    2) On the same Windows 10, I selected computer authentication only and authentication was successful and I got the required role, etc.

    3) When I select user + computer authentication, it doesn't work. Neither my user nor my computer authenticates; any idea why? I have attached the snapshots of my roles, policies and access tracker result.

     

    My objective is simple for this case: I want the user to be authenticated and at the same time the computer authenticated, to receive the role of IT.



  • 2.  RE: User and Machine authentication - Together not working

    Posted Sep 01, 2019 04:31 PM

    I searched on this forum and found that a wildcard cert is considered to be a culprit. In my case I am using a wildcard certificate, but please note that it's working perfectly fine when I am doing either user OR computer authentication. This error is given only when I select "User and computer authentication" in Windows 10 802.1X settings.



  • 3.  RE: User and Machine authentication - Together not working

    Posted Sep 01, 2019 04:48 PM

    Sorry if it may seem like spamming. I am not validating the server certificate in my wireless profile, just for your information. Kindly advise where to look for the issue, please.



  • 4.  RE: User and Machine authentication - Together not working

    EMPLOYEE
    Posted Sep 01, 2019 06:12 PM

    If you're not validating the EAP server certificate in production, all of your users should immediately change their password.

     

    Regarding your initial issue, correct, wildcard certificates are not supported as an EAP server identity. Acquire a new certificate and properly configure a GPO and then retest.



  • 5.  RE: User and Machine authentication - Together not working

    Posted Sep 01, 2019 08:09 PM
    Dear Tim,

    Currently I am testing this in my lab. As I mentioned, user OR computer authentication is fine; it's when I combine them that I can't authenticate. Secondly, I have unchecked validate server certificate, so any idea what's breaking it now?


  • 6.  RE: User and Machine authentication - Together not working

    Posted Sep 02, 2019 02:48 AM

    Dear Tim, 

     

    If wildcards are not accepted, then how come my user and computer authentications are working fine individually? The issue only arises when I combine them.



  • 7.  RE: User and Machine authentication - Together not working

    EMPLOYEE
    Posted Sep 02, 2019 09:27 AM

    They are not supported due to interoperability issues.

     

    Please highlight what troubleshooting you have done or open a TAC case.



  • 8.  RE: User and Machine authentication - Together not working

    Posted Sep 11, 2019 01:08 PM

    I got rid of wildcard certs. Can you help by sharing a sample config to achieve a simple task as below?

    If the user's AD department is Marketing and machine authentication is also successful, they should receive Role X, whereas if the user's AD department is Finance and machine authentication is successful, they should receive Role Y.

    Normally the sample configurations I am seeing on the internet are mostly calling for [User Authenticated] AND [Machine Authenticated]; I am not sure how to assign different roles.



  • 9.  RE: User and Machine authentication - Together not working

    EMPLOYEE
    Posted Sep 11, 2019 02:39 PM

    You can either write a rule directly in enforcement that checks group members and combine with [Machine Authenticated] or you can use role mapping.
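
Added example (not part of the thread or any poster's configuration): a small Python model of the rule logic suggested in post 9, where a first-matching rule combines the `[Machine Authenticated]` and `[User Authenticated]` roles named in the thread with the user's AD department. The rule layout, session fields, and the `machine-only` and `deny` outcomes are assumptions for illustration, not ClearPass syntax.

```python
"""Model of a first-match enforcement policy (illustration, not ClearPass syntax)."""

MACHINE = "[Machine Authenticated]"
USER = "[User Authenticated]"

# (roles that must all be present, required AD department or None, result)
# "Role X" / "Role Y" come from the question; the last rule and DEFAULT are assumed.
RULES = [
    ({MACHINE, USER}, "Marketing", "Role X"),
    ({MACHINE, USER}, "Finance", "Role Y"),
    ({MACHINE}, None, "machine-only"),
]
DEFAULT = "deny"


def evaluate(session):
    """Return the result of the first rule whose conditions all hold."""
    roles = set(session.get("roles", ()))
    department = session.get("department")
    for required_roles, required_dept, result in RULES:
        if not required_roles <= roles:
            continue  # a required role is missing from the session
        if required_dept is not None and department != required_dept:
            continue  # department condition present but not met
        return result
    return DEFAULT


# Constructed sample sessions (not taken from the thread's Access Tracker).
SESSIONS = {
    "marketing user on a domain machine": {"roles": [MACHINE, USER], "department": "Marketing"},
    "finance user on a domain machine": {"roles": [MACHINE, USER], "department": "Finance"},
    "machine at the login screen": {"roles": [MACHINE]},
    "marketing user on an unknown device": {"roles": [USER], "department": "Marketing"},
}

if __name__ == "__main__":
    for label, session in SESSIONS.items():
        print(f"{label}: {evaluate(session)}")
```

In this model a user from any other department on an authenticated machine falls through to the machine-only rule, so rule order and the default decide what such sessions receive.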



  • 10.  RE: User and Machine authentication - Together not working

    Posted Sep 11, 2019 03:28 PM
    To someone who hasn't done it before, all this sounds very cryptic. We should have a culture of writing small tutorials to help those who may not understand the concepts that easily.

    The machine authentication how-to hasn't been updated in the last 3-4 years, and at that time the idea was to create some attribute in endpoints.

    I think we should have more of these tutorials, and Tim, I would appreciate it if you don't reply if you don't have time to show some sample policies; please don't consider it your duty to just reply and make no sense at all.


  • 11.  RE: User and Machine authentication - Together not working

    EMPLOYEE
    Posted Sep 12, 2019 11:50 AM

    If you're not familiar with CPPM, I'd recommend you work with your Aruba Partner. This is not a replacement for partner services or Aruba TAC. Everything is best effort.

     

    Tutorials are created by community members in their free time and cannot be "expected".



  • 12.  RE: User and Machine authentication - Together not working

    Posted Sep 12, 2019 12:10 PM

    Dear Tim, forums are never expected to be a replacement for professional services or TAC, but sometimes they do exceed expectations when it comes to community support. You don't have to look far away, just at your neighbour and competitor Cisco. Look at their supportforums.cisco.com and you will see how eagerly everyone, including Cisco employees and sometimes product managers, goes out of their way to support the posters, regardless of whether they are customers, partners, SEs or merely a guy like me who wants to explore products in more detail. If Aruba hasn't provided any good resources that we can use for self-study, then the problem lies with Aruba and their ClearPass TM team. The relevant team should spare their time to craft more tutorials and self-study guides, to not only promote their products but increase overall comfort with the product, which is clearly lacking.

    Simply saying what you have said is not enough. More work needs to be done on the guides etc. to get other people quickly on board with your products.

     

     

     

     



  • 13.  RE: User and Machine authentication - Together not working

    EMPLOYEE
    Posted Sep 12, 2019 12:58 PM

    OK then. I will refrain from trying to assist you until I am sitting at my laptop and can set up an environment to mirror your ask and provide screenshots.

     

    Apologies for trying to provide some form of basic assistance in real-time.



  • 14.  RE: User and Machine authentication - Together not working

    Posted Sep 12, 2019 02:04 PM

    Thank you, Tim, for taking it positively. You are my senior and I always respect your expertise.

     

     



  • 15.  RE: User and Machine authentication - Together not working

    Posted Sep 12, 2019 01:16 PM
    Hi Ronin, I have learned a lot about ClearPass from the ABC networking videos on YouTube. Maybe you will find them useful as well.


  • 16.  RE: User and Machine authentication - Together not working

    Posted Sep 12, 2019 01:58 PM
    100% agreed. Videos by Herman are indispensable. I have learned a lot from them.