Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass allow only domain computers 802.1x Wireless / Wired services

  • 1.  Clearpass allow only domain computers 802.1x Wireless / Wired services

    Posted Dec 02, 2022 12:39 PM
    Hi!
    I know ClearPass allows configuring a rule that permits only domain computers to connect to the corporate network via Wired / Wireless.
    I have read several posts about this subject but I don't understand the way to do it.
    Please, is there any guide or post which explains how to check if an endpoint belongs to the domain, to allow it to connect to the network with a valid domain user credential?
    Is there an easy way to achieve this target?
    Thank you in advance.
    Regards.


  • 2.  RE: Clearpass allow only domain computers 802.1x Wireless / Wired services

    Posted Dec 02, 2022 03:59 PM
    Authorization[AD]: memberOf CONTAINS "Domain Computers"


  • 3.  RE: Clearpass allow only domain computers 802.1x Wireless / Wired services

    EMPLOYEE
    Posted Dec 02, 2022 09:45 PM
    Are you trying to do machine authentication? If so, you can just match on Tips role = [Machine Authentication]



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 4.  RE: Clearpass allow only domain computers 802.1x Wireless / Wired services

    Posted Dec 03, 2022 12:17 PM
    Hi ariyap.
    Thank you for your answer.
    You must take into account that our customer uses EAP-PEAP and I think it's not possible to do machine authentication with that protocol. Maybe I'm wrong.
    The only thing I want to check is that the computer belongs to the domain and I'm not sure if machine authentication will be an option in this scenario.
    What do you think about it?
    Regards


  • 5.  RE: Clearpass allow only domain computers 802.1x Wireless / Wired services

    Posted Dec 03, 2022 12:58 PM
    Yes, you can do machine authentication using PEAP. Set your supplicant to “Computer Authentication” or “user or Computer Authentication”.




  • 6.  RE: Clearpass allow only domain computers 802.1x Wireless / Wired services

    Posted Dec 03, 2022 02:24 PM
    Hi ahollifield.
    Thank you for the clarification.
    The supplicant is configured as "user or computer authentication". So adding the condition Authorization[AD]: memberOf CONTAINS "Domain Computers" in the rule, it should work fine, shouldn't it?

    Thank you so much!
    Regards



  • 7.  RE: Clearpass allow only domain computers 802.1x Wireless / Wired services

    Posted Dec 03, 2022 02:58 PM
    Depends. You should also match against role Machine Authenticated




  • 8.  RE: Clearpass allow only domain computers 802.1x Wireless / Wired services

    Posted Dec 03, 2022 12:07 PM
    Thank you so much for the answer!
    I will try it on Monday.
    Regards!


  • 9.  RE: Clearpass allow only domain computers 802.1x Wireless / Wired services

    EMPLOYEE
    Posted Dec 03, 2022 07:35 PM
    Yes, as ahollifield mentioned, you can have machine auth with PEAP authentication.






  • 10.  RE: Clearpass allow only domain computers 802.1x Wireless / Wired services

    Posted Dec 05, 2022 05:14 AM
    Hi!
    Yes, I can see that machine authentication works fine with PEAP, but I have difficulties linking the Machine authenticated role with the AD where the domain computers are located. I have done it with the user roles and the AD groups which they belong to, but it's not easy for me to do the same with the domain computers and Machine authenticated.
    Maybe my focus is wrong to achieve this goal.
    Thank you.
    Regards


  • 11.  RE: Clearpass allow only domain computers 802.1x Wireless / Wired services

    Posted Dec 05, 2022 01:37 PM
    Hi.
    I just realized that the Machine Authenticated role appears when doing an authentication with the Windows supplicant set as "user or Computer Authentication", as you said. In that case I think it is enough to validate the role Machine authenticated.
    Sorry, but it's really hard for me to understand.
    Thank you so much.
    Regards.
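
The supplicant setting discussed in this thread can be audited on the client side. The following is an added example, not code from any poster or from HPE Aruba: it reads a Windows WLAN profile as written by `netsh wlan export profile` and reports whether its 802.1X `authMode` lets the computer account authenticate ("Computer authentication" is stored as `machine`, "User or computer authentication" as `machineOrUser`). The sample profile and the SSID name `CORP-EXAMPLE` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace of the <OneX> element inside a Windows WLAN/LAN profile.
ONEX_NS = "http://www.microsoft.com/networking/OneX/v1"

# authMode values under which the computer account can authenticate.
MACHINE_CAPABLE = {"machine", "machineOrUser"}

# Constructed sample: a profile limited to user authentication, so the
# computer account never authenticates and ClearPass cannot assign the
# machine-authentication role the thread refers to.
SAMPLE_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CORP-EXAMPLE</name>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA2</authentication>
        <encryption>AES</encryption>
        <useOneX>true</useOneX>
      </authEncryption>
      <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
        <authMode>user</authMode>
      </OneX>
    </security>
  </MSM>
</WLANProfile>"""


def onex_auth_mode(profile_xml):
    """Return the profile's authMode, 'unspecified', or None if not 802.1X."""
    root = ET.fromstring(profile_xml)
    onex = root.find(f".//{{{ONEX_NS}}}OneX")
    if onex is None:
        return None  # no 802.1X settings in this profile (e.g. PSK or open)
    mode = onex.find(f"{{{ONEX_NS}}}authMode")
    if mode is None or not (mode.text or "").strip():
        # Element absent: report it instead of guessing the OS default.
        return "unspecified"
    return mode.text.strip()


def can_machine_authenticate(profile_xml):
    """True only when the profile explicitly permits computer authentication."""
    return onex_auth_mode(profile_xml) in MACHINE_CAPABLE


if __name__ == "__main__":
    print(onex_auth_mode(SAMPLE_PROFILE), can_machine_authenticate(SAMPLE_PROFILE))
```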