a month ago
I'm studying for ACMP, and reviewing the Advanced Security module.
I understand what machine authentication is, and how it works compared to user authentication.
But I don't get exactly what the option "Enforce Machine Authentication" is doing.
- Does this mean the user won't be able to authenticate unless the machine is authenticated?
- Is it the same as EAP Chaining?
EAP Chaining is doing machine + user authentication in the same EAP session, which requires that the supplicant can support EAP Chaining.
I would think that this option is different from EAP Chaining, in the sense that a Windows machine would authenticate at bootup, and the user will authenticate at logon.
Can someone clarify this option?
a month ago
No supplicant required.
*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
Re: "Enforce Machine Authentication" Clarification
a month ago
Thanks for the quick reply.
I understand better now: this is all down to the role assigned, which will depend on the machine + user authentication status, as described here:
Machine Auth Status / User Auth Status:

- Both machine authentication and user authentication failed. L2 authentication failed.
  - No role assigned. No access to the network allowed.
- Machine authentication failed (for example, the machine information is not present on the server) and user authentication succeeded. Server-derived roles do not apply.
  - Machine authentication default user role configured in the 802.1X authentication profile.
- Machine authentication succeeded and user authentication has not been initiated. Server-derived roles do not apply.
  - Machine authentication default machine role configured in the 802.1X authentication profile.
- Both machine and user are successfully authenticated. If there are server-derived roles, the role assigned via the derivation takes precedence. This is the only case where server-derived roles are applied.
I'm more familiar with Cisco, and this is really different from how they handle authentication.
The use of roles in the Aruba architecture allows for much more flexibility!
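
The role assignment described in the post above, modeled as an added example (not part of the original thread and not Aruba's code). It shows machine and user authentication as two separate sessions whose combined status picks the role. Assumptions: the role names are hypothetical, the machine result is remembered per client MAC, a failed user authentication is treated like one that has not been initiated, and the fallback role when both pass without a server-derived role is a placeholder the thread does not state.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Dot1xProfile:
    # Hypothetical role names; the last one is an assumed fallback the thread does not state.
    machine_default_role: str = "machine-only"
    user_default_role: str = "user-only"
    both_passed_default_role: str = "authenticated"


@dataclass
class Authenticator:
    profile: Dot1xProfile = field(default_factory=Dot1xProfile)
    # Assumption: the machine result is remembered per client MAC between sessions.
    machine_passed: Dict[str, bool] = field(default_factory=dict)

    def machine_auth(self, mac: str, success: bool) -> Optional[str]:
        """Machine authenticates at bootup, in its own EAP session."""
        self.machine_passed[mac] = success
        return self._role(mac, user_passed=False, server_role=None)

    def user_auth(self, mac: str, success: bool,
                  server_role: Optional[str] = None) -> Optional[str]:
        """User authenticates at logon, in a later EAP session."""
        return self._role(mac, success, server_role)

    def _role(self, mac: str, user_passed: bool,
              server_role: Optional[str]) -> Optional[str]:
        machine = self.machine_passed.get(mac, False)
        if machine and user_passed:
            # The only case where a server-derived role is applied.
            return server_role or self.profile.both_passed_default_role
        if machine:
            # User authentication not initiated (or failed: assumption).
            return self.profile.machine_default_role
        if user_passed:
            # Server-derived role is ignored because the machine is not authenticated.
            return self.profile.user_default_role
        return None  # both failed: no role, no access to the network
```

Calling `user_auth` with a server-derived role before a successful `machine_auth` for the same MAC still returns the user default role, which is the enforcement the option's name refers to.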