Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Client Username columns not showing

  • 1.  Client Username columns not showing

    Posted Jul 26, 2012 12:40 PM

    Under clients I get all of the info such as Device, Role, MAC, SSID, VLAN, etc.  But I do not get the username of the user.  We are an AD shop.  Please do not laugh but for the short future we are running WEP.

     

    Do I need to somehow make Airwave AD aware?



  • 2.  RE: Client Username columns not showing

    Posted Jul 26, 2012 12:56 PM

    If you are running WEP (or WPA-PSK for that matter) networks, you will not see user or device name information as there is no authentication taking place.  You'll need to implement a secure 802.1x network (WPA2) in order to see username information.



  • 3.  RE: Client Username columns not showing

    Posted Jul 26, 2012 02:27 PM

    Thanks for the info.  I love this forum.

     

    Thanks again.



  • 4.  RE: Client Username columns not showing

    Posted Nov 22, 2013 03:33 AM

    @clembo wrote:

    If you are running WEP (or WPA-PSK for that matter) networks, you will not see user or device name information as there is no authentication taking place.  You'll need to implement a secure 802.1x network (WPA2) in order to see username information.



    I was discussing this with some of our support team yesterday and we weren't sure if this would still be the case if using EAP-TLS cert based machine auth?  As a user would still be logging in via AD on the PC, would Aruba have visibility of these credentials?

     

    We assumed that this would only be seen if using PEAP based auth?



  • 5.  RE: Client Username columns not showing

    EMPLOYEE
    Posted Nov 22, 2013 06:06 AM

    If user authentication to the network is not taking place, then you will not see the username in the user-table.

     

    If you are just authenticating the machine with EAP-TLS, then user authentication is not happening.



  • 6.  RE: Client Username columns not showing

    Posted Nov 22, 2013 06:23 AM

    Is it possible to therefore have both machine and user auth taking place, so different roles could be applied accordingly, and the credentials known?

     

    I know it can using PEAP, but recent conversation with some techs implied it wasn't possible with TLS.  Or, if the hostname is known, a simple AD query to obtain username?

     

    Cheers...



  • 7.  RE: Client Username columns not showing

    EMPLOYEE
    Posted Nov 22, 2013 07:17 AM

    Windows will trigger user authentication in a traditional machine authentication configuration using PEAP-MS-CHAPv2 after logon. I don't believe there is a way to trigger user authentication when using a machine assigned certificate. Are you using ClearPass? You can return a username back to the controller via an Aruba RADIUS VSA.

     



  • 8.  RE: Client Username columns not showing

    Posted Nov 22, 2013 07:59 AM

    We will be (huge upgrade going on!) but mainly for guest access and byod onboarding... but not for trusted business devices.  They will be configured using group policy. 

     

    Can you elaborate on this bit please:

     


    @cappalli wrote:

    Windows will trigger user authentication in a traditional machine authentication configuration using PEAP-MS-CHAPv2 after logon. I don't believe there is a way to trigger user authentication when using a machine assigned certificate. Are you using ClearPass? You can return a username back to the controller via an Aruba RADIUS VSA.

     


    I'm not yet very familiar with ClearPass and its capabilities above and beyond guest access and onboarding.

     

    Thanks



  • 9.  RE: Client Username columns not showing

    EMPLOYEE
    Posted Nov 22, 2013 02:41 PM

    @$k3l3t0r wrote:

    We will be (huge upgrade going on!) but mainly for guest access and byod onboarding... but not for trusted business devices.  They will be configured using group policy. 

     

    Can you elaborate on this bit please:

     


    @cappalli wrote:

    Windows will trigger user authentication in a traditional machine authentication configuration using PEAP-MS-CHAPv2 after logon. I don't believe there is a way to trigger user authentication when using a machine assigned certificate. Are you using ClearPass? You can return a username back to the controller via an Aruba RADIUS VSA.

     


    I'm not yet very familiar with ClearPass and its capabilities above and beyond guest access and onboarding.

     

    Thanks


    $k3l3t0r,

     

    The easiest route will be using PEAP, where the computer can identify itself on bootup, and the username of the user can be identified upon login and acted upon.  The computer credentials are the computer's hostname and its SID (security identifier).  The user's credentials are, well, their AD credentials.  There are built-in roles in ClearPass to identify devices that have machine authenticated.  You can then layer user authentication on top of that.

     

    EAP-TLS requires certificates, but only allows a device to identify itself with a certificate, not username and password.  The good part of using this is security, but the bad part is distributing, maintaining and revoking certificates, which will require more IT expertise to maintain than PEAP.  When using EAP-TLS, the device cannot use a combination like device certificate and username and password to authenticate to the WLAN.  You have to choose either...
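
The distinction drawn in this thread, seen from the audit side, as an added example that is not part of the original posts: it sorts wireless sessions by whether they can be attributed to a user (WEP/PSK carry no identity, machine authentication yields only a computer identity, user authentication yields a username). The CSV column names and sample rows are constructed assumptions, not an AirWave export format; the `host/` prefix and trailing `$` are the forms Windows computer accounts present for machine authentication.

```python
import csv
import io

# Constructed sample of a client-table export; column names are assumptions.
SAMPLE = """mac,ssid,auth_type,identity
00:11:22:33:44:01,legacy,WEP,
00:11:22:33:44:02,guest,WPA2-PSK,
00:11:22:33:44:03,corp,802.1X,host/PC-0142.corp.example.com
00:11:22:33:44:04,corp,802.1X,CORP\\jsmith
00:11:22:33:44:05,corp,802.1X,adoe@corp.example.com
00:11:22:33:44:06,corp,802.1X,
"""


def classify(auth_type, identity):
    """Return how far a session can be attributed to a person."""
    identity = (identity or "").strip()
    if auth_type.strip().upper() != "802.1X":
        # WEP and PSK share one key: nothing identifies the user or device.
        return "no-authentication"
    if not identity:
        # 802.1X session without a recorded identity: worth investigating.
        return "identity-missing"
    # Windows computer accounts authenticate as host/<fqdn> or DOMAIN\NAME$.
    if identity.lower().startswith("host/") or identity.endswith("$"):
        return "machine-only"
    return "user"


def audit(text):
    """Map each client MAC in the export to its attribution class."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["mac"]: classify(r["auth_type"], r["identity"]) for r in rows}


def unattributed(text):
    """List MACs whose sessions cannot be tied to a named user."""
    return [mac for mac, kind in audit(text).items() if kind != "user"]


if __name__ == "__main__":
    for mac, kind in audit(SAMPLE).items():
        print(f"{mac}  {kind}")
    print("not attributable to a user:", unattributed(SAMPLE))
```
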


