Hi,
Having a senior moment here.
I'm setting up an authentication service for our managed Windows machines using user and machine auth.
When a user enters their username into the login dialogue box, ClearPass authenticates user <AD domain>/<userid> with whatever password against AD and things work. If no one is logged into the machine (or the user logs out), an auth request comes in with the user-name set to <host/fqdn of machine>, as shown below in the table of RADIUS attributes. I've set up "normal" mac-auths before against static host lists without a problem. In this case I've:
- Created a service that uses the username, NAS-Port-Type and Service-Type as the selection criteria (Service-Type is 802.1X). Should it be something else, like a RADIUS auth?
- Used the authentication method of all-mac-auths
- Set up a static host list created with the MAC address of a "managed" device
- Used an authentication source of the static MAC address list
- Performed a check so that a role called machineauth is created
- Generated an enforcement policy that uses an appropriate profile to drop the machine into a VLAN based upon the fact that a role of machineauth exists.
What I get, however, is an alert saying:
Managed Devices: Client not found or not a MAC authentication request MAC_AUTH: No password in request. Not attempting MAC authentication Cannot select appropriate authentication method
All I want to do is say:
"If I know the MAC address of a device
and it's a Windows device
and the username is of the form host/<something>.its.york.ac.uk"
drop it into a named VLAN called dps_maint.
I'm guessing the error is there because the username isn't a MAC address, so it isn't actually doing mac-auth, so the auth method isn't correct .... but what do I set it to? BTW, the VLAN the device ends up in is nailed down and can only access a restricted set of local services.
Rgds
Alex
Username: host/DPSLAP004.its.york.ac.uk
End-Host Identifier: 68-f7-28-07-70-49 (Computer / Windows / Windows Vista/7/2008)
Access Device IP/Port: 144.32.227.99:1 (xb1sw7 / HP)

Attribute | Value
Radius:HP:HP-Capability-Advert | 0x011a0000000b28
Radius:HP:HP-Capability-Advert | 0x011a0000000b2e
Radius:HP:HP-Capability-Advert | 0x011a0000000b30
Radius:HP:HP-Capability-Advert | 0x011a0000000b3d
Radius:HP:HP-Capability-Advert | 0x0138
Radius:HP:HP-Capability-Advert | 0x013a
Radius:HP:HP-Capability-Advert | 0x0140
Radius:HP:HP-Capability-Advert | 0x0141
Radius:HP:HP-Capability-Advert | 0x0151
Radius:IETF:Called-Station-Id | ec-9a-74-19-12-40
Radius:IETF:Calling-Station-Id | 68-f7-28-07-70-49
Radius:IETF:Connect-Info | CONNECT Ethernet 100Mbps Full duplex
Radius:IETF:Framed-MTU | 1480
Radius:IETF:Framed-Protocol | 1
Radius:IETF:NAS-Identifier | xb1sw7
Radius:IETF:NAS-IP-Address | 144.32.227.99
Radius:IETF:NAS-Port | 1
Radius:IETF:NAS-Port-Id | 1
Radius:IETF:NAS-Port-Type | 15
Radius:IETF:Service-Type | 2
Radius:IETF:Tunnel-Medium-Type | 6
Radius:IETF:Tunnel-Private-Group-Id | 4003
Radius:IETF:Tunnel-Type | 13
Radius:IETF:User-Name | host/DPSLAP004.its.york.ac.uk
Radius:Microsoft:MS-RAS-Vendor | 11