Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Role derivation priority with 802.1X, Machine Auth and VSA

  • 1.  Role derivation priority with 802.1X, Machine Auth and VSA

    Posted Dec 09, 2016 02:06 PM

    Hi,

    I have configured Server Role Derivation for 802.1X with enforced machine authentication. It works fine for computers and users that are members of the Microsoft domain, with role mapping based on a standard attribute returned by NPS (not an Aruba VSA).

     

    But I have just a few Mac OS X laptops that (for many reasons) are not members of the domain (no machine account, only user & password), and I would also like to be able to map them to a different role after successful 802.1X authentication based on user & password only (machine auth fails).

     

    Will returning the Aruba VSA attribute (Aruba-User-Role) take precedence and assign the role returned in the VSA attribute to a user on a Mac OS X that passed only user auth and failed machine auth, with the Enforce Machine Authentication option enabled in the profile?



  • 2.  RE: Role derivation priority with 802.1X, Machine Auth and VSA

    EMPLOYEE
    Posted Dec 09, 2016 02:16 PM
    When "Enforce machine authentication" is enabled in the controller, users will only get a server-defined role when both user and machine authentication have passed. Users who pass only user or only machine authentication get only the corresponding machine authentication or user authentication role configured in the Enforce machine authentication configuration; all other derivation or VSA is ignored. It is preferred to do machine enforcement with an external policy server like ClearPass, because the built-in enforce machine authentication feature is less flexible and was built when there was not any external policy server that could do anything like that.
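As an added illustration (not code from this thread or from HPE Aruba), the following Python model captures the precedence described in the answer above: with machine-authentication enforcement on, a client that passes only one of the two authentications is pinned to the configured machine-only or user-only role, and any Aruba-User-Role VSA or server derivation rule is ignored; a client that passes both (or any successful client when enforcement is off) gets the server-assigned role. The configuration field names, role names and scenarios are constructed for the example, and the ordering used when both a VSA and a derivation rule apply (VSA first) is an assumption beyond what the answer states.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class DerivationConfig:
    """Constructed model of the relevant 802.1X profile settings (field names are assumptions)."""
    enforce_machine_auth: bool
    machine_only_role: str   # role given when only machine auth passes (enforcement on)
    user_only_role: str      # role given when only user auth passes (enforcement on)
    default_role: str        # 802.1X default role when the server assigns nothing


@dataclass(frozen=True)
class AuthResult:
    """Outcome of one client's 802.1X exchange, plus what the RADIUS server returned."""
    machine_auth_passed: bool
    user_auth_passed: bool
    vsa_role: Optional[str] = None       # Aruba-User-Role VSA, if the server sent one
    derived_role: Optional[str] = None   # role matched by a server derivation rule, if any


def derive_role(cfg: DerivationConfig, res: AuthResult) -> Optional[str]:
    """Return the role the client ends up with, or None when authentication failed outright."""
    if not res.machine_auth_passed and not res.user_auth_passed:
        return None  # neither authentication succeeded: no role, client is not admitted

    if cfg.enforce_machine_auth:
        # Enforcement on: a partial pass is pinned to the configured fallback role.
        # Server-returned attributes (VSA or derivation rule) are ignored here.
        if res.machine_auth_passed and not res.user_auth_passed:
            return cfg.machine_only_role
        if res.user_auth_passed and not res.machine_auth_passed:
            return cfg.user_only_role

    # Both passed, or enforcement is off: the server-assigned role applies.
    # Assumption: a returned VSA wins over a derivation-rule match.
    return res.vsa_role or res.derived_role or cfg.default_role


def scenarios() -> Dict[str, Optional[str]]:
    """Constructed cases mirroring the thread: domain PCs versus non-domain Macs."""
    enforced = DerivationConfig(True, "machine-only-quarantine", "user-only-limited", "guest")
    relaxed = DerivationConfig(False, "machine-only-quarantine", "user-only-limited", "guest")

    domain_pc = AuthResult(True, True, derived_role="employee")
    # Non-domain Mac: user credentials succeed, no machine account, server sends a VSA.
    mac_laptop = AuthResult(False, True, vsa_role="mac-users")
    failed = AuthResult(False, False, vsa_role="mac-users")

    return {
        "domain_pc_enforced": derive_role(enforced, domain_pc),
        "mac_enforced": derive_role(enforced, mac_laptop),   # VSA ignored, pinned role
        "mac_relaxed": derive_role(relaxed, mac_laptop),     # VSA honoured
        "failed_enforced": derive_role(enforced, failed),
    }


if __name__ == "__main__":
    for name, role in scenarios().items():
        print(f"{name:20s} -> {role}")
```

The `mac_enforced` case is the one the question asks about: with enforcement enabled the VSA is not consulted, so a different role for the Macs would have to come either from the user-only fallback role or from moving the enforcement decision to an external policy server such as ClearPass, as the answer recommends.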