Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

machine auth in cppm

  • 1.  machine auth in cppm

    Posted Nov 12, 2013 11:59 AM
    Hi all,

    I have a query regarding machine auth. We have configured a policy: if the user belongs to the group and the machine is authenticated, give full access. And another policy: if the user is authenticated, the provisioning role, which has no access. It's working fine, but

    machine auth comes into play when logging in, logging off or restarting. My issue is that if the user logs off the system, CPPM does machine authentication four times even though it is authenticated. However, if the machine gets authenticated and not the user, then it is rejected. I could see in the Access Tracker that it does machine auth four times.

    As we have enabled blacklisting of the client after 5 authentication failures, clients are getting blacklisted if they enter the wrong username or the user is not part of the wifi group.

    Why doesn't CPPM do machine auth once and stop? I could see only one machine auth happening for some hosts.

    warm regards
    Srikanth


  • 2.  RE: machine auth in cppm

    Posted Nov 12, 2013 12:00 PM
    How to overcome this issue?

    Warm regards
    Srikanth


  • 3.  RE: machine auth in cppm

    EMPLOYEE
    Posted Nov 12, 2013 12:47 PM

    I would try to update the wifi driver on the client.  A domain machine should only do machine authentication (1) When the machine is booting up (2) When a user logs off.



  • 4.  RE: machine auth in cppm

    Posted Nov 12, 2013 12:52 PM
    So you mean to say the domain machine is sending the computer account to get authenticated continuously?



  • 5.  RE: machine auth in cppm

    EMPLOYEE
    Posted Nov 12, 2013 12:55 PM

    It should only send it once when it is booting up, and every time a user logs off.

     

    When it sends multiple times, what is happening?  It is possible that the device does not support OKC (Opportunistic Key Caching), so it sends a full authentication every time it roams...  See if each authentication is being sent from the same access point.



  • 6.  RE: machine auth in cppm

    Posted Nov 12, 2013 12:55 PM
    Here, the user logs off; as soon as the user does that, machine auth happens. The time gap between the four machine auths is around 5-10 secs.


  • 7.  RE: machine auth in cppm

    Posted Nov 12, 2013 12:59 PM
    It's from the same access point.


  • 8.  RE: machine auth in cppm

    EMPLOYEE
    Posted Nov 12, 2013 01:01 PM

    @srikanthsoogoor wrote:
    It's from the same access point.

    That is normally not a problem unless it is causing a connectivity issue.  If you want to try to eliminate it, you can try updating the wifi driver of the laptop.

     



  • 9.  RE: machine auth in cppm

    Posted Nov 12, 2013 01:06 PM
    Ya, got it.

    Can I know the reason why it happens this way?

    We have no connectivity issue, but because of that the client MAC is getting blacklisted. As it does machine auth four times and gets the reject profile, the fifth time, if the user is not authenticated, the controller does blacklisting.

    Thanks Joseph for the information, and I'll try updating the drivers.


  • 10.  RE: machine auth in cppm

    EMPLOYEE
    Posted Nov 12, 2013 01:08 PM

    @srikanthsoogoor wrote:
    Ya, got it.

    Can I know the reason why it happens this way?

    We have no connectivity issue, but because of that the client MAC is getting blacklisted. As it does machine auth four times and gets the reject profile, the fifth time, if the user is not authenticated, the controller does blacklisting.

    Thanks Joseph for the information, and I'll try updating the drivers.

    Wait....  Is the machine authentication failing?  Do you have a rule that prevents machine authentication from working?  Are these domain machines or machines that are NOT part of the domain?



  • 11.  RE: machine auth in cppm

    Posted Nov 12, 2013 01:16 PM
    No, it's not failing; the machine is getting authenticated. They are part of the domain. But machine authentication alone is not sufficient to get the full access role.
    We have configured the following policies:

    Policies:

    If the user gets authenticated (role: provision, with no access)

    If the user is part of the wifi group and the machine gets authenticated (role: full access)



  • 12.  RE: machine auth in cppm

    EMPLOYEE
    Posted Nov 12, 2013 01:19 PM

    @srikanthsoogoor wrote:
    No, it's not failing; the machine is getting authenticated. They are part of the domain. But machine authentication alone is not sufficient to get the full access role.
    We have configured the following policies:

    Policies:

    If the user gets authenticated (role: provision, with no access)

    If the user is part of the wifi group and the machine gets authenticated (role: full access)


    Okay, so what problem is being created because the machine is getting authenticated multiple times?  How are you checking for machine authentication in CPPM?



  • 13.  RE: machine auth in cppm

    Posted Nov 12, 2013 01:30 PM
    We are checking machine auth from AD (authentication source for users and computer accounts).

    If the user logs off, then only the machine gets authenticated. According to the policy, it applies the rejected profile and sends it back to the controller as an auth failure. So, as I said, it sends 4 times as auth failure; if it does it five times, it sends auth failure 5 times to the controller.

    In the controller 802.1x auth, I have set max authentication failure to 5. Then the controller would blacklist the client. For security reasons, we have enabled max auth failure.


  • 14.  RE: machine auth in cppm

    EMPLOYEE
    Posted Nov 12, 2013 01:31 PM

    Are you using the built-in [Machine Authenticated] role or building your own logic?



  • 15.  RE: machine auth in cppm

    EMPLOYEE
    Posted Nov 12, 2013 01:34 PM

    @srikanthsoogoor wrote:
    We are checking machine auth from AD (authentication source for users and computer accounts).

    If the user logs off, then only the machine gets authenticated. According to the policy, it applies the rejected profile and sends it back to the controller as an auth failure. So, as I said, it sends 4 times as auth failure; if it does it five times, it sends auth failure 5 times to the controller.

    In the controller 802.1x auth, I have set max authentication failure to 5. Then the controller would blacklist the client. For security reasons, we have enabled max auth failure.

    srikanthsoogoor,

     

    Why would you ever blacklist a device that has already passed machine authentication?  If the device was wired, would the user be able to log in?

     

     



  • 16.  RE: machine auth in cppm

    Posted Nov 12, 2013 01:32 PM
    Built-in machine authenticated role.


  • 17.  RE: machine auth in cppm

    Posted Nov 12, 2013 01:42 PM
    Yes, as we are not assigning any role for just machine authentication in the enforcement, it is sending the rejected profile.

    Can I break down the policies like:

    If user authenticated (provision role)
    If machine authenticated (provision role)
    If user is part of wifi group and machine auth (full access role)

    Can you suggest how to configure the policy so that CPPM won't send the reject profile just in the case of machine auth only?
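    To make the effect of the proposed breakdown concrete, here is an added model of the enforcement logic discussed in this thread (illustration code, not ClearPass or Aruba code). It assumes first-match rule evaluation with no match meaning reject, and a controller that counts consecutive rejects against a max-auth-failure threshold of 5; the request sequence is constructed to mirror the four machine-only auths after logoff followed by a failed user login.

```python
from dataclasses import dataclass, field

REJECT = "reject"


@dataclass
class AuthRequest:
    """What CPPM knows about one 802.1X attempt (simplified, constructed model)."""
    user_authenticated: bool
    machine_authenticated: bool
    groups: frozenset = field(default_factory=frozenset)


def _wifi_user_on_domain_machine(r):
    return r.user_authenticated and r.machine_authenticated and "wifi" in r.groups


# Original policy from the thread: a machine-only auth matches nothing, so it
# falls through to reject (rules are evaluated top-down, first match wins).
ORIGINAL_RULES = [
    (_wifi_user_on_domain_machine, "full access"),
    (lambda r: r.user_authenticated, "provision"),
]

# Breakdown proposed in post 17: machine-only auth is accepted with provision.
RESTRUCTURED_RULES = [
    (_wifi_user_on_domain_machine, "full access"),
    (lambda r: r.user_authenticated, "provision"),
    (lambda r: r.machine_authenticated, "provision"),
]


def evaluate(rules, req):
    for condition, role in rules:
        if condition(req):
            return role
    return REJECT


def controller_blacklists(rules, requests, max_auth_failures=5):
    """Assumed controller behaviour: consecutive rejects count toward the threshold."""
    failures = 0
    for req in requests:
        if evaluate(rules, req) == REJECT:
            failures += 1
            if failures >= max_auth_failures:
                return True
        else:
            failures = 0
    return False


# Constructed sequence: four machine-only auths after logoff, then a bad user login.
MACHINE_ONLY = AuthRequest(user_authenticated=False, machine_authenticated=True)
BAD_USER_LOGIN = AuthRequest(user_authenticated=False, machine_authenticated=False)
LOGOFF_SEQUENCE = [MACHINE_ONLY] * 4 + [BAD_USER_LOGIN]
```

    With the original rules the four machine-only rejects leave only one failure of headroom, so a single bad user login trips the blacklist; with the restructured rules the same sequence never reaches the threshold.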


  • 18.  RE: machine auth in cppm

    Posted Nov 12, 2013 01:44 PM
    We won't be able to log in if it is wired.


  • 19.  RE: machine auth in cppm

    EMPLOYEE
    Posted Nov 12, 2013 01:47 PM

    So, what does the provision role do?  Is it for onboarding?

     

    If you blacklist a user, it makes the entire machine unavailable for other people to use...not just that user.

     

     



  • 20.  RE: machine auth in cppm

    Posted Nov 12, 2013 01:50 PM
    Yes. It is for onboarding. It redirects to the ClearPass provisioning page.


  • 21.  RE: machine auth in cppm

    EMPLOYEE
    Posted Nov 12, 2013 01:53 PM

    Onboarding is ONLY for Non-domain computers that you do not have enterprise control over (like iPhones, android, etc).  Devices that pass machine authentication should just pass through and work.  What functionality do you require on domain machines beyond the domain controls that you have on domain machines?

     

    Onboarding would place a unique credential on domain devices for authentication.  Domain machines already have unique credentials--their domain credentials, so domain devices are not usually onboarded.



  • 22.  RE: machine auth in cppm

    Posted Nov 12, 2013 02:01 PM
    Yes, I got it.
    User auth and machine auth was our requirement.

    After the user gets authenticated, users who are part of the onboard group in AD will be able to onboard, and they will get only internet access. They won't pass through the core network.

    Users who are part of the wifi group and using domain laptops will pass through the core network so that they can access servers or network devices.

    If they are part of both groups, then all the devices can be onboarded.


  • 23.  RE: machine auth in cppm

    EMPLOYEE
    Posted Nov 12, 2013 02:09 PM

    @srikanthsoogoor wrote:
    Yes, I got it.
    User auth and machine auth was our requirement.

    After the user gets authenticated, users who are part of the onboard group in AD will be able to onboard, and they will get only internet access. They won't pass through the core network.

    Users who are part of the wifi group and using domain laptops will pass through the core network so that they can access servers or network devices.

    If they are part of both groups, then all the devices can be onboarded.

     

    Which group is having a problem with blacklisting?...



  • 24.  RE: machine auth in cppm

    Posted Nov 12, 2013 02:03 PM
    We are configuring wifi profiles in domain laptops not to validate the certificate, just user and machine auth. PEAP-MSCHAPv2.


  • 25.  RE: machine auth in cppm

    Posted Nov 12, 2013 02:03 PM
    We are not onboarding domain laptops.


  • 26.  RE: machine auth in cppm

    Posted Nov 12, 2013 02:10 PM
    Only with the wifi group.


  • 27.  RE: machine auth in cppm

    EMPLOYEE
    Posted Nov 12, 2013 02:11 PM

    On what devices?



  • 28.  RE: machine auth in cppm

    Posted Nov 12, 2013 02:11 PM
    Only with domain laptops.


  • 29.  RE: machine auth in cppm

    Posted Nov 12, 2013 02:13 PM
    Only with laptops.