Security

Hello. 

We have a problem at our company that we can't get our head around. 

We have Windows 10 machines with an Active Directory domain. The clients is connecting through cable, so no wireless in this thread. Tunneled-node is enabled and the Win10 clients authenticate via a device certificate that is pushed to every machine. When the authentication comes in, the certificate is compared using CPPM with AD connector and is assigned the appropriate VLAN and role for connectivity. This works perfectly. 

The computers also sends its own MAC-adress and this complicates things. In the authentication flow in CPPM we now see double authentication queries, one with the MAC only and one with the correct certificate. Usually, the MAC query is denied since this is not the way we want to authenticate the clients but now to the problem. 

We want to enable a Quarantine network that devices connect to when the certificate is not renewed a.k.a expired because clients have been on vacation with the computer turned off. 

The things we have done is that as soon as a client authenticate using its certificate, we save the endpoint in the CPPM database with the tag "Owner: OurCompany" and mark the client as "Known". We can then use these tags as a policy match to authenticate client using only their MAC-adress when the devices have an invalid och non-existing certificate. We then place these "zombie"-devices in the quarantine network that enabled strict access only to the AD and PKI infrastructure to renew their certificate. This also works as it should when a certificate is invalid. 

The problem with this is when a device have a working certificate. Now we get double successful authentications that puts the MAC-request in the quarantine VLAN (since the MAC is marked as our device and marked as "known") AND in their correct VLAN (since the device is prompting a correct certificate). 

We have seen that the request for the MAC can reach the CPPM before the certificate request and vice versa, so it seems like a random outcome. Some client get the right VLAN and some clients is in quarantine. 

Do you folks have a solution to this in any way?

Both authentications is showed in the picture below: 

The authentication result for the "802.1x Wired - V2" authentication is showed here: 

The authentication result for the "802.1x Wired MAC Auth - V3" authentication is showed here: 

Did you try change the order of rules, put .1x wired auth above mac auth rule and check the status.

Yes, we have the dot1x rule above the mac rule already, but the client is sending double authentications, that is the problem...

The client is not involved in MAC-based authorization. Your switch configuration determines port authentication order and priority.

We can't set any AAA configuration since we're using tunneled-node. We can't find any settings in the switch configuration for this at all since the switch is not included in the decisions of the authentication process. 

AAA is handled by the switch when using UBT.

I realise that I didn't wrote what type of tunneled-node we're using. 

We are using Per Port Tunneled-Node (PPTN), not PUTN so in this case we can't use any AAA command. 

Auth order cannot be controlled with PBT. Switch to UBT.