Wireless Access

Contributor I

Enforce Machine Auth with different aaa profiles?

I think this may be a non-starter, but posting here to see if anyone has this sorted.



Master-Local controllers 7210s, running ArubaOS


RADIUS - NPS on Server2012


Our users have smart cards, and we are doing EAP-TLS authentication via RADIUS. Currently, we are only authenticating the user. In our environment, we have a requirement to make sure that only known laptops connect to the wireless. Also in our environment, we do not have automatic certificate enrollment for Active Directory machines, so there are no computer certificates.


So what I'm looking for, is a way to enforce machine authentication, to ensure that only our known machines can connect (it's possible for a user to take a CAC-enabled home laptop, configure the SSID, and get on). My fear is that we may have to resort to MAC authentication for the machine side, which is not all that great.


In a perfect world, we could enforce machine authentication using EAP-PEAP/MS-CHAP-V2 802.1x for the computer, and then authenticate the user with EAP-TLS using their smartcard.


I should mention that we are using the built in supplicant in Windows 7 (configured via Group Policy), and that we do not have ClearPass (or the funds to purchase). And the Windows 7 WLAN configuration looks like you can choose either EAP-TLS or EAP-PEAP, but not both.


Can we achieve this with what we've got on hand?

Guru Elite

Re: Enforce Machine Auth with different aaa profiles?

Unfortunately, you'll have to rely on MAC-authentication as the supplicant
can't do split EAP types for machine + user.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Search Airheads
Showing results for 
Search instead for 
Did you mean: