Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Machine Authentication Enforcement and server rules

  • 1.  Machine Authentication Enforcement and server rules

    Posted Nov 03, 2014 03:21 PM

    We have an 802.1X wireless network that has been working with Enforce Machine Authentication for years. A Windows RADIUS server authenticates users and machines, with some Apple devices in the Aruba internal DB for the machine authentication work-around.

    The User-Only role defaults to a role that has the same rights as a guest.

    The customer recently got 500 Chromebooks and wants them on the 802.1X network. They need elevated rights in a role different from the guest role.

    Adding or managing these MAC addresses in the Aruba internal DB is not a valid option.

    We recently tried to put in server rules to send the specific AD user account for these Chromebooks to a user role with different elevated rights. This did not work, and looking into the community shows that server rules do not work when Enforce Machine Authentication is enabled.

    If I disable Enforce Machine Authentication I assume the server rules will work. My question is how this would affect working machine+user authenticated devices...

    When Enforce Machine Authentication is not enabled, does the controller still check to see if the machine authenticates?

    Will the valid machine and user accounts still get put in the fully authenticated 802.1X role? Or will it just check the user authentication pieces and put them in the 802.1X-User role?

    Thanks for comments and assistance.



  • 2.  RE: Machine Authentication Enforcement and server rules

    Posted Nov 03, 2014 04:19 PM

    You can try disabling enforce machine auth and do the following:

    [attached screenshot: 2014-11-03 16_17_03-Switch General Configuration.png]

    [attached screenshot: 2014-11-03 16_18_13-Nitro Pro 9.png]



  • 3.  RE: Machine Authentication Enforcement and server rules

    Posted Nov 03, 2014 04:59 PM

    But how would this handle a device that is a valid machine and valid user?

    When machine auth is enabled and both user and machine auth pass, the user is put in an 802.1X fully authenticated role.



  • 4.  RE: Machine Authentication Enforcement and server rules

    EMPLOYEE
    Posted Nov 03, 2014 05:01 PM
    This is not possible without a policy engine like ClearPass due to the behavior of machine authentication and the need to cache the machine auth.


  • 5.  RE: Machine Authentication Enforcement and server rules

    Posted Nov 03, 2014 05:28 PM

    Cappalli is right, I didn't think of the cache role if you need to provide access based on the machine/user combination.



  • 6.  RE: Machine Authentication Enforcement and server rules

    Posted Nov 05, 2014 09:21 AM

    Thank you.

    But particularly, if I disable Enforce Machine Authentication, will Windows machines still authenticate as machine first, then as user, even if not enforced?



  • 7.  RE: Machine Authentication Enforcement and server rules

    EMPLOYEE
    Posted Nov 05, 2014 09:22 AM

    Yes, this is by design in Windows. You will not be able to "combine" the roles for a separate outcome.



  • 8.  RE: Machine Authentication Enforcement and server rules

    Posted Nov 05, 2014 09:27 AM

    Ok.

    So the valid Windows device would be in the machine role, then when the user authenticates it would be in the user role, but it would not transition to the 802.1X default role. The user would stay in the user authentication role.

    I just want to make sure I get this clear.

    I fully understand how it works with Enforce Machine Auth ON, just not clear when it is disabled.



  • 9.  RE: Machine Authentication Enforcement and server rules

    Posted Nov 05, 2014 09:34 AM

    That's correct.

    This setup will allow your domain laptops to receive the group policies at the logon screen.
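The two configurations discussed in this thread, written out as an ArubaOS controller CLI fragment. This is an added illustration, not configuration posted by anyone in the thread; the profile, server-group, RADIUS server, role and AD account names are assumptions, and the cache-timeout value is only an example. The outcome comments restate what the thread says, not additional behaviour.

```text
! --- Scenario A: Enforce Machine Authentication ON (the existing setup) ---
! The controller caches the machine (computer-account) result for
! cache-timeout hours and combines it with the later user logon.
aaa authentication dot1x "dot1x-corp"
   machine-authentication enable
   machine-authentication cache-timeout 24
   machine-authentication machine-default-role "machine-only"
   machine-authentication user-default-role "guest-equivalent"
!
aaa profile "corp-wlan"
   authentication-dot1x "dot1x-corp"
   dot1x-server-group "AD-RADIUS"
   dot1x-default-role "fully-authenticated"
!
! Outcomes in scenario A, as described in the thread:
!   machine pass + user pass        -> fully-authenticated (dot1x-default-role)
!   machine pass, no user logon yet -> machine-only        (machine-default-role)
!   no machine auth + user pass     -> guest-equivalent    (user-default-role)
! A Chromebook has no machine account, so it always lands in
! guest-equivalent, and the thread reports that a server derivation rule
! does not override that while enforcement is on.

! --- Scenario B: Enforce Machine Authentication OFF, server rule instead ---
aaa authentication dot1x "dot1x-corp"
   no machine-authentication enable
!
! Server derivation rule keyed on the AD account the Chromebooks use.
! "User-Name" is the matched RADIUS attribute; "chromebook-svc" and
! "chromebook-role" are assumed names.
aaa server-group "AD-RADIUS"
   auth-server "NPS-1"
   set role condition User-Name starts-with "chromebook-svc" set-value "chromebook-role"
!
! Outcome in scenario B, as described in the thread: a domain laptop still
! performs its machine logon at the Windows logon screen, but the controller
! no longer caches or combines that result with the user logon, so there is
! no separate "machine AND user passed" role; the role comes from the
! dot1x-default-role or from a matching server rule.
```

Check the effect before changing production by looking at a test client with `show user-table verbose` (or `show user mac <mac>`) after the machine logon and again after the user logon: in scenario A the role should change from machine-only to fully-authenticated, in scenario B the second entry should show the default or server-derived role and no machine-auth cache entry.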