Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

user derivation rules

  • 1.  user derivation rules

    Posted Aug 20, 2013 03:43 PM

    I'm trying to differentiate MacBooks with user certificates vs. MacBooks with machine based certificates.  We would like the MacBooks with user certificates to be on an 'Enterprise Lite' role, and want MacBooks with machine based certificates to have the full authenticated role.  We would like to use the MAC addresses of the MacBooks with machine based certificates to put them in the authenticated role.  I'm open to other suggestions to achieve this.

    I tried to use user derivation rules to achieve this.  See below.

    !
    aaa server-group "Mac_Test-svrgrp"
    auth-server NPS Server
    !

    !
    aaa profile "Mac_Test-aaa_prof"
    authentication-dot1x "Mac_Test-dot1x_prof"
    dot1x-default-role "authenticated"
    dot1x-server-group "Mac_Test-svrgrp"
    user-derivation-rules "Guesterprise"
    !

    !
    aaa derivation-rules user Guesterprise
    set role condition dhcp-option equals "370103060F77FC" set-value Enterprise Lite description "Ipad-DHCP"
    set role condition dhcp-option equals "370103060f775ffc2c2e" set-value Enterprise Lite description "MacBook-DHCP"
    set role condition macaddr equals "20:20:20:20:20:20" set-value authenticated
    !


    The dhcp-option equals "370103060f775ffc2c2e" seems to supersede the macaddr equals "20:20:20:20:20:20" role condition.  I have even moved macaddr equals "20:20:20:20:20:20" to the top and it made no difference.

    Any ideas or suggestions to remedy this?

    Thanks,

    Bill
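The two fingerprint strings in the derivation rules above are DHCP option 55 (Parameter Request List) data. What follows is an added example, not configuration from this thread or code from HPE Aruba: a small Python decoder that splits such a string into the option code and the list of option codes the client requested, and emulates the exact-match comparison an "equals" condition implies. The format interpretation (first byte is the option code, the remaining bytes are the raw option value) and the option-name table are the example's own assumptions, and the MacBook request list used at the end is a constructed sample.

```python
# Added example (not from the thread or from ArubaOS): decode the hex strings
# that "dhcp-option equals" conditions match on, and emulate the comparison.
#
# Assumed format: the first byte is the DHCP option code (0x37 = option 55,
# Parameter Request List) and the remaining bytes are that option's raw value,
# i.e. the option codes the client asks for, one per byte.

# Names for the option codes that appear in the thread's two fingerprints
# (IANA BOOTP/DHCP parameter registry; 252 is private use, commonly WPAD).
OPTION_NAMES = {
    1: "Subnet Mask",
    3: "Router",
    6: "Domain Name Server",
    15: "Domain Name",
    44: "NetBIOS over TCP/IP Name Server",
    46: "NetBIOS over TCP/IP Node Type",
    95: "LDAP",
    119: "Domain Search",
    252: "Private Use (commonly WPAD)",
}


def decode_fingerprint(hexstr):
    """Split a rule string into (option code, list of value bytes).

    Hex case does not matter: "370103060F77FC" and "370103060f77fc" decode
    identically.
    """
    data = bytes.fromhex(hexstr.strip())
    if len(data) < 2:
        raise ValueError("fingerprint needs an option code and at least one value byte")
    return data[0], list(data[1:])


def describe(hexstr):
    """Human-readable view of a fingerprint: which options the client requested."""
    option, values = decode_fingerprint(hexstr)
    if option != 55:
        return {"option": option, "value": values}
    return {
        "option": 55,
        "requested": [(code, OPTION_NAMES.get(code, "unknown")) for code in values],
    }


def rule_matches(client_prl, rule_hex):
    """Emulate 'dhcp-option equals': the client's option-55 bytes must equal the
    rule's value exactly; one extra or missing option code is a non-match."""
    option, values = decode_fingerprint(rule_hex)
    return option == 55 and list(client_prl) == values


if __name__ == "__main__":
    # Constructed sample: the option-55 list a MacBook-like client might send.
    macbook_prl = bytes([1, 3, 6, 15, 119, 95, 252, 44, 46])
    for rule in ("370103060F77FC", "370103060f775ffc2c2e"):
        print(rule, describe(rule), "matches sample client:", rule_matches(macbook_prl, rule))
```

The exact-match behaviour is the practical point: a client that requests one more or one fewer option than the fingerprint in the rule does not match it, which is worth checking against a packet capture before relying on a fingerprint to classify a device class.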



  • 2.  RE: user derivation rules

    Posted Aug 20, 2013 04:24 PM
    dhcp user derivation rules take place last....even after authentication. Reason being a dot1x client does not request an IP until it is authenticated, thus the dhcp rule has to be processed last. What Radius solution are you using? Also where are the certificates issued from?


  • 3.  RE: user derivation rules

    EMPLOYEE
    Posted Aug 20, 2013 04:37 PM

    Do the usernames on machine certificates differ from usernames on user certificates?  For example, if the username on a machine certificate is host/<domain>, you can use that in a server derivation rule to change the role:


    aaa server-group "Mac_Test-svrgrp"
    auth-server NPS Server
    set role condition username contains host/domain set-value authenticated


    If you make the default 802.1x role in the AAA profile Enterprise-lite, users who have any other type of username end up in the Enterprise lite role.
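To make the ordering described in reply 2 and the username-based fix in reply 3 concrete, here is an added example (Python, not ArubaOS code and not from anyone in this thread): a small model of the role-derivation sequence as the replies describe it, run against the original configuration and against the server-derivation-rule approach. The phases encoded here (MAC rule before authentication, 802.1X default role then server rules, DHCP-option rule last) are taken from the replies rather than from vendor documentation, the `host/` prefix stands in for the `host/<domain>` placeholder above, and all client identities and MAC addresses are constructed samples.

```python
# Added example (not ArubaOS code): a model of the role-derivation order this
# thread describes, used to show why the original configuration lands the
# machine-cert MacBook in "Enterprise Lite" and how a server derivation rule
# on the certificate username avoids that.
#
# Assumptions (taken from the replies above, not from Aruba documentation):
#  - a macaddr user derivation rule runs when the client associates, before 802.1X;
#  - successful 802.1X replaces that role with the dot1x default role, after
#    which server derivation rules (matched on the RADIUS username) may override it;
#  - a dhcp-option user derivation rule runs only once the client requests an
#    address, which for a dot1x client is after authentication, so it runs last.
from dataclasses import dataclass, field


@dataclass
class Client:
    mac: str
    username: str           # identity presented by the certificate (constructed sample)
    dhcp_fingerprint: str   # option-55 fingerprint seen after the client gets an address


@dataclass
class Policy:
    dot1x_default_role: str
    server_rules: list = field(default_factory=list)  # (op, value, role) on username
    udr_mac: dict = field(default_factory=dict)       # mac -> role
    udr_dhcp: dict = field(default_factory=dict)      # fingerprint -> role


def derive_role(client, policy, trace=None):
    """Return the final role; `trace` (a list) collects each step that changed it."""
    log = trace if trace is not None else []
    role = None

    # Step 1: MAC-based user derivation rule, evaluated before authentication.
    role_from_mac = policy.udr_mac.get(client.mac.lower())
    if role_from_mac:
        role = role_from_mac
        log.append(f"udr macaddr -> {role}")

    # Step 2: 802.1X success assigns the dot1x default role, then server
    # derivation rules (username conditions) may override it.
    role = policy.dot1x_default_role
    log.append(f"dot1x default role -> {role}")
    for op, value, server_role in policy.server_rules:
        if op == "contains" and value in client.username:
            role = server_role
            log.append(f"server rule username contains {value!r} -> {role}")
            break

    # Step 3: DHCP-option user derivation rule, evaluated after the address
    # request and therefore after 802.1X; a match overrides everything above.
    role_from_dhcp = policy.udr_dhcp.get(client.dhcp_fingerprint.lower())
    if role_from_dhcp:
        role = role_from_dhcp
        log.append(f"udr dhcp-option -> {role}")
    return role


def original_policy():
    """The configuration from the first post, as this model sees it."""
    return Policy(
        dot1x_default_role="authenticated",
        udr_mac={"20:20:20:20:20:20": "authenticated"},
        udr_dhcp={
            "370103060f77fc": "Enterprise Lite",        # iPad fingerprint
            "370103060f775ffc2c2e": "Enterprise Lite",  # MacBook fingerprint
        },
    )


def server_rule_policy():
    """The approach from the reply above: default to Enterprise Lite and promote
    machine certificates whose username contains host/ (placeholder prefix)."""
    return Policy(
        dot1x_default_role="Enterprise Lite",
        server_rules=[("contains", "host/", "authenticated")],
    )


if __name__ == "__main__":
    macbook_fp = "370103060f775ffc2c2e"
    # Constructed sample clients: one machine certificate, one user certificate.
    machine_cert = Client("20:20:20:20:20:20", "host/mb01.example.test", macbook_fp)
    user_cert = Client("20:20:20:20:20:21", "bill@example.test", macbook_fp)
    for name, policy in (("original", original_policy()), ("server rule", server_rule_policy())):
        for client in (machine_cert, user_cert):
            steps = []
            final = derive_role(client, policy, steps)
            print(f"{name:11s} {client.username:24s} -> {final}   via {steps}")
```

Under this model, moving the macaddr rule to the top of the user derivation rules cannot change the outcome, because the DHCP-option rule belongs to a later phase rather than a later position in the same list; the server-derivation-rule approach works because it decides the role in the authentication phase and leaves no DHCP rule to override it. The per-user server rules proposed later in the thread fit the same `server_rules` list.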




  • 4.  RE: user derivation rules

    Posted Aug 21, 2013 11:38 AM

    Thanks for the reply cjoseph.

    The machines with the user certs total in number to about 10-15 users.  Going forward we will be using machine certs on the devices.  I was thinking I could keep the default 802.1x role in the AAA profile to authenticated and I could just create 10-15 server rules to force the user certs to Enterprise lite role.  Will there be an impact if I create that many server rules?

    Bill



  • 5.  RE: user derivation rules
    Best Answer

    EMPLOYEE
    Posted Aug 21, 2013 01:44 PM

    You can certainly do it that way, yes.



  • 6.  RE: user derivation rules

    Posted Aug 21, 2013 03:24 PM

    Is there a way to view the parameters of the 802.1x authentication, or authentication in general, that are being sent to the NPS?  I noticed that there are a lot of conditions we can choose from.  I would like to see what conditions are being used during our authentication.

    Thanks,

    Bill



  • 7.  RE: user derivation rules

    EMPLOYEE
    Posted Aug 21, 2013 03:28 PM

    @bingdude wrote:

    Is there a way to view the parameters of the 802.1x authentication, or authentication in general, that are being sent to the NPS?  I noticed that there are a lot of conditions we can choose from.  I would like to see what conditions are being used during our authentication.

    Thanks,

    Bill


    Those parameters are fairly standard, and the best place to view them is the NPS Event Viewer.

    To see what parameters are sent FROM NPS, you would do this:

    config t
    logging level debugging security process authmgr
    logging level debugging security subcat aaa
    show log security 50