Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Wireless workstation with multiple users

  • 1.  Wireless workstation with multiple users

    Posted Jul 08, 2014 03:08 PM

    Hi:

    I'm using CPPM with Aruba Controllers.

    I need to set up a wireless workstation that can be used by multiple users. Both the computer and the users are members of the Windows domain.
    This would typically be in a classroom situation, where different professors might come into the classroom to use the computer.


    The problem is, that a user may have never logged into that computer, and so there's no cached profile.
    That means the computer needs to have an IP address and be talking to domain controllers, even when it is logged out.
    Is this possible?


    I've got an enforcement profile that reads:

    (Tips:Role EQUALS [Machine Authenticated])
    AND (Authorization:DomainName-AD:memberOf CONTAINS WirelessUser) --> staff-device-enf-prof

    and that's working fine for AD users, who have logged into the machine previously.


    The profile just before this one reads:
    (Tips:Role EQUALS [Machine Authenticated])
    AND (Tips:Role NOT_EQUALS [User Authenticated]) --> domain-member-enf-prof

    the domain-member-enf-prof has these attributes:

    1. Radius:Aruba Aruba-User-Role = domain-member
    2. Radius:Aruba Aruba-User-Vlan = 11


    VLAN 11 is the correct vlan, but the machine does not appear to be connected, when the user is logged out (I can't ping it, RDP into it, etc.).


    Do I also need to have the Controller's 'domain-member' role specify a VLAN, or do anything else? Right now, it's just blank, when I check it on the controller via the CLI.


    I thought I would reach out, before I progressed much further on this, in the hopes that someone has been through this before.


    Thanks,

    Tony




  • 2.  RE: Wireless workstation with multiple users

    EMPLOYEE
    Posted Jul 08, 2014 03:11 PM

    Do you have the Wireless on that computer configured to do User AND Computer Authentication?




  • 3.  RE: Wireless workstation with multiple users

    Posted Jul 08, 2014 03:35 PM

    Hi Colin:

    Yes, I've tried various combinations of that setting with no luck.

    Thanks,

    Tony



  • 4.  RE: Wireless workstation with multiple users

    EMPLOYEE
    Posted Jul 08, 2014 04:21 PM

    @Tony1234 wrote:

    Hi Colin:

    Yes, I've tried various combinations of that setting with no luck.

    Thanks,

    Tony


    Tony,


    If I were you, I would remove all of the rules in ClearPass and allow any user or device with Valid credentials to authenticate, FIRST.  After you do that, when you observe BOTH users and machines authenticating, you can lock down the rules.  Configure your Windows clients like below to allow them to do user AND machine authentication:

    [attached screenshot: machine.JPG]



  • 5.  RE: Wireless workstation with multiple users

    Posted Jul 08, 2014 04:28 PM

    Hi Colin:

    I do have users and computers both authenticating.

    Once a user has set up a dot1x connection, they can successfully log in and out of the machine.


    When a user logs out of a machine, or first turns the machine on, I see the machine authentication in Clearpass Access Tracker.


    It's just that a new user can't come up to the machine and login. The computer says it can't find a domain controller, and it's not pingable, so I'm assuming that it's not connected to the network.


    Thanks,

    Tony




  • 6.  RE: Wireless workstation with multiple users

    EMPLOYEE
    Posted Jul 08, 2014 04:05 PM

    Does the domain-member user-role have the appropriate rights? Can you run "show rights domain-member"?


    The VLAN can be sent back in the RADIUS response or tied to the user role, it doesn't matter.




  • 7.  RE: Wireless workstation with multiple users

    Posted Jul 08, 2014 04:24 PM

    Hi Tim:

    I'm not sure exactly what rights I'm looking for, but here is the output of that command:


    (ArubaMaster) #show rights domain-member

    Derived Role = 'domain-member'
    Up BW:No Limit Down BW:No Limit
    L2TP Pool = default-l2tp-pool
    PPTP Pool = default-pptp-pool
    Periodic reauthentication: Disabled
    ACL Number = 61/0
    Max Sessions = 65535


    access-list List
    ----------------
    Position Name Type Location
    -------- ---- ---- --------


    Expired Policies (due to time constraints) = 0


    Thanks,

    Tony




  • 8.  RE: Wireless workstation with multiple users
    Best Answer

    EMPLOYEE
    Posted Jul 08, 2014 04:26 PM
    That user role doesn’t have any ACLs attached which is why nothing is happening when new users are at the login screen. You need to add a session ACL that either allows all or allows traffic to and from your domain controllers.

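    To make the accepted answer concrete, here is an added example of the controller-side configuration (not from the original thread, and not Tony's running config) that gives the domain-member role a session ACL permitting only the traffic a logged-out Windows domain member needs to reach its domain controllers, instead of an allow-all. The netdestination name, the DC addresses 10.1.1.10 and 10.1.1.11, the ACL name and the dm-* netservice aliases are assumptions for illustration; the port numbers are the standard AD client-to-DC ports. Lines beginning with "!" are annotations in the style of the running-config output, not commands. ArubaOS 6.x syntax.

```arubaos
! Assumed addresses of the domain controllers (replace with your own)
netdestination domain-controllers
  host 10.1.1.10
  host 10.1.1.11
!
! AD client-to-DC services, defined explicitly so the ACL below does not
! depend on which svc-* aliases this controller version predefines
netservice dm-dns-tcp tcp 53
netservice dm-kerberos-tcp tcp 88
netservice dm-kerberos-udp udp 88
netservice dm-ntp-udp udp 123
netservice dm-rpc-epm-tcp tcp 135
netservice dm-ldap-tcp tcp 389
netservice dm-ldap-udp udp 389
netservice dm-smb-tcp tcp 445
netservice dm-kpasswd-tcp tcp 464
netservice dm-kpasswd-udp udp 464
netservice dm-gc-tcp tcp 3268
! Dynamic RPC range used by Windows Server 2008 and later (assumed; narrow
! it if your DCs pin RPC to a fixed range)
netservice dm-rpc-dyn-tcp tcp 49152 65535
!
! Session ACL: DHCP to anyone, then DNS, ICMP and the AD protocols above to
! the domain controllers only. Anything not listed is dropped by the
! implicit deny at the end of the list, so a logged-out machine cannot be
! used to reach the rest of the network.
ip access-list session domain-member-acl
  any any svc-dhcp permit
  user alias domain-controllers svc-dns permit
  user alias domain-controllers dm-dns-tcp permit
  user alias domain-controllers svc-icmp permit
  user alias domain-controllers dm-ntp-udp permit
  user alias domain-controllers dm-kerberos-tcp permit
  user alias domain-controllers dm-kerberos-udp permit
  user alias domain-controllers dm-kpasswd-tcp permit
  user alias domain-controllers dm-kpasswd-udp permit
  user alias domain-controllers dm-ldap-tcp permit
  user alias domain-controllers dm-ldap-udp permit
  user alias domain-controllers dm-gc-tcp permit
  user alias domain-controllers dm-smb-tcp permit
  user alias domain-controllers dm-rpc-epm-tcp permit
  user alias domain-controllers dm-rpc-dyn-tcp permit
!
! Attach the ACL to the role name that ClearPass returns in Aruba-User-Role.
! The VLAN can be set here or sent as Aruba-User-Vlan in the RADIUS reply;
! setting both is harmless as long as they agree.
user-role domain-member
  access-list session domain-member-acl
  vlan 11
```

    After applying this, "show rights domain-member" should list domain-member-acl under the access-list table that was empty in Tony's output, and "show acl hits" shows which rules the logged-out machine is actually matching. A client already on the controller keeps its old (empty) rights until it reauthenticates, so reboot the test workstation or clear its entry with "aaa user delete" before testing.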

  • 9.  RE: Wireless workstation with multiple users

    Posted Jul 08, 2014 05:36 PM

    Hi Tim:

    Thank you!

    That seems to have solved the problem.

    The machine is now talking to the DC, and a new user can login.


    However, now the login time is pretty slow.... I'll put this question in a new post.


    Thanks again,

    Tony