Wireless Access



Returned aruba-user-role vsa being ignored for machine-only auth?

  • 1.  Returned aruba-user-role vsa being ignored for machine-only auth?

    MVP
    Posted Jan 09, 2013 07:11 AM

    Can anybody confirm it is (or isn't) intended behaviour that a returned aruba-user-role VSA is being ignored by the controller when it's being returned on a machine-only authentication?

    We're using ClearPass to return different user roles for a) machine-only, b) user-only and c) machine&user authenticated clients.

    The role we return for the machine-only case can be seen on the controller but is ignored completely in favor of the default machine role set in the 802.1x auth profile.

    Support (Alcatel) confirms this to be intended & expected behaviour which seems odd to me as the vlan attribute is being accepted.

    And if it is indeed the case.. why? fix it! :P



  • 2.  RE: Returned aruba-user-role vsa being ignored for machine-only auth?
    Best Answer

    EMPLOYEE
    Posted Jan 09, 2013 10:31 AM

    If you are using ClearPass, you should turn off "Enforce Machine Authentication" in the 802.1x profile on the controller. You should simply use ClearPass to send back an Enforcement profile depending on the authentication types you are using.

    You should view the access tracker to see what is being sent back to the client, as well as turn on debugging on the client to see what attributes are seen and being applied.



  • 3.  RE: Returned aruba-user-role vsa being ignored for machine-only auth?

    MVP
    Posted Jan 09, 2013 11:29 AM

    ClearPass definitely sends back the correct role, which the controller simply ignores since it used machine authentication (I'm guessing that's the "auth type 10" anyway), as can be seen in the debug:

    Dec 5 12:48:58 :522044:  <INFO> |authmgr|  MAC=24:77:03:72:ff:78 Station authenticate(start): method=8021x-Machine, role=logon//, VLAN=300/300/0/0/0, Derivation=0/0, Value Pair=1 

    Dec 5 12:48:58 :522016:  <INFO> |authmgr|  MAC=24:77:03:72:ff:78 IP=?? Derived role 'CP-machine' from Aruba VSA
    Dec 5 12:48:58 :522049:  <INFO> |authmgr|  MAC=24:77:03:72:ff:78,IP=0.0.0.0 User role updated, existing Role=logon/none, new Role=role-machine/none, reason=Station Authenticated with auth type: 10

    I'll see about disabling the "enforce machine authentication" on the controller. Guess that should work as it won't realise it's a machine authentication anymore.

    Thanks for the tip!



  • 4.  RE: Returned aruba-user-role vsa being ignored for machine-only auth?

    EMPLOYEE
    Posted Jan 09, 2013 11:31 AM
    If you turn on enforce machine authentication, the controller ignores all VSAs unless the device has passed both. Turn it off and give clearpass control.
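    A small triage helper, added here as an example (not code from the thread, HPE Aruba or ClearPass), that parses authmgr debug lines like the ones quoted above and flags stations where the role ClearPass sent in the Aruba VSA differs from the role the controller actually applied. The sample log is constructed from the quoted lines plus one made-up second station; regex field names are assumptions based on those lines.

```python
import re

# Constructed sample of ArubaOS authmgr debug output: the first three lines are
# the ones quoted in the thread, the last two are a made-up second station whose
# VSA role was honoured, so the helper has a negative case to compare against.
SAMPLE_LOG = """\
Dec 5 12:48:58 :522044:  <INFO> |authmgr|  MAC=24:77:03:72:ff:78 Station authenticate(start): method=8021x-Machine, role=logon//, VLAN=300/300/0/0/0, Derivation=0/0, Value Pair=1
Dec 5 12:48:58 :522016:  <INFO> |authmgr|  MAC=24:77:03:72:ff:78 IP=?? Derived role 'CP-machine' from Aruba VSA
Dec 5 12:48:58 :522049:  <INFO> |authmgr|  MAC=24:77:03:72:ff:78,IP=0.0.0.0 User role updated, existing Role=logon/none, new Role=role-machine/none, reason=Station Authenticated with auth type: 10
Dec 5 12:50:01 :522016:  <INFO> |authmgr|  MAC=00:11:22:33:44:55 IP=?? Derived role 'CP-user' from Aruba VSA
Dec 5 12:50:01 :522049:  <INFO> |authmgr|  MAC=00:11:22:33:44:55,IP=0.0.0.0 User role updated, existing Role=logon/none, new Role=CP-user/none, reason=Station Authenticated with auth type: 4
"""

# "Derived role '<role>' from Aruba VSA": the role ClearPass returned in the VSA.
DERIVED_RE = re.compile(r"MAC=([0-9a-f:]{17}).*Derived role '([^']+)' from Aruba VSA")
# "User role updated ... new Role=<role>/<...>, reason=... auth type: <n>":
# the role the controller finally applied and the auth type it reports.
UPDATED_RE = re.compile(
    r"MAC=([0-9a-f:]{17}).*new Role=([^/,]+)/[^,]*, reason=.*auth type: (\d+)"
)


def find_ignored_vsa_roles(log_text):
    """Return {mac: (vsa_role, applied_role, auth_type)} for every station whose
    VSA-derived role was overridden by a different role on the controller."""
    vsa_role = {}   # most recent VSA-derived role seen per MAC
    ignored = {}
    for line in log_text.splitlines():
        m = DERIVED_RE.search(line)
        if m:
            vsa_role[m.group(1)] = m.group(2)
            continue
        m = UPDATED_RE.search(line)
        if m:
            mac, applied, auth_type = m.groups()
            sent = vsa_role.get(mac)
            if sent is not None and sent != applied:
                ignored[mac] = (sent, applied, auth_type)
    return ignored


if __name__ == "__main__":
    for mac, (sent, applied, auth_type) in find_ignored_vsa_roles(SAMPLE_LOG).items():
        print(f"{mac}: VSA role {sent!r} ignored, applied {applied!r} (auth type {auth_type})")
```

    Run against `show log security` or `logging level debugging security process authmgr` output to list the stations affected before toggling "Enforce Machine Authentication" in the 802.1x profile.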


  • 5.  RE: Returned aruba-user-role vsa being ignored for machine-only auth?

    Posted Jan 09, 2013 03:16 PM

    Funny, I was working on setting up my CPPM today and was running into the same issue using machine authentication on the controller, with the VSAs being sent back from CPPM to the controller completely ignored.

    I want to send all non-domain devices to the ClearPass Onboard provisioning page and let all users who have domain machines that pass both machine and user auth go to the authenticated role.

    Is there a way CPPM can do machine auth and user auth? I am unsure how to turn off machine authentication on the dot1x profile and then have CPPM do both machine auth and user auth.



  • 6.  RE: Returned aruba-user-role vsa being ignored for machine-only auth?

    EMPLOYEE
    Posted Jan 09, 2013 04:01 PM

    CPPM has a built-in [Machine Authenticated] role that can be used to determine whether a machine has passed machine authentication at all.