Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Windows 802.1X settings for ClearPass

  • 1.  Windows 802.1X settings for ClearPass

    Posted Jul 21, 2022 10:34 AM
    Hi everyone,

    I want to create some PEAP policies in CPPM but I want to be clear about the Windows 802.1X settings before. There is a part where you have the option to configure "user authentication", "machine authentication", or "user or machine authentication". What's the difference between these types?

    - User authentication only sends the username and password you type?
    - Machine authentication sends only the PC hostname?
    - User or machine authentication sends both? Or only sends one of them?

    Thanks in advance.


    ------------------------------
    Regards,
    Julian
    ------------------------------


  • 2.  RE: Windows 802.1X settings for ClearPass
    Best Answer

    EMPLOYEE
    Posted Jul 22, 2022 05:42 AM
    Machine Authentication uses the AD computer account to authenticate the computer.
    User Authentication uses the (AD) user account to authenticate the user.
    User or Machine uses the computer account when no user is logged in to the computer (like when it is booting/shutdown/on the login screen); when a user logs in it switches to user authentication.

    With PEAP (which is strongly deprecated because of known security weaknesses; use EAP-TLS or TEAP instead), ClearPass will 'cache' the [Machine Authenticated] role once it has seen a machine authentication. In the [User Authenticated] after that, you should see both roles and could create a (first match) policy like:

    [User Authenticated] AND [Machine Authenticated] => Full Access
    [Machine Authenticated] => Access to AD, Update servers, other services that are needed to get on the network
    [User Authenticated] => BYOD / Internet access

    Some examples are in the ClearPass Workshop 2021 Series on YouTube. Older videos covering PEAP are still in this playlist.

    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: Windows 802.1X settings for ClearPass

    MVP
    Posted Jul 22, 2022 08:08 AM
    One additional caution. If you Remote Desktop into a machine that is authenticated through 802.1X, it switches to Machine Authentication. Make sure the Machine Authenticated role and the User Authenticated role have the same VLAN.

    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------



  • 4.  RE: Windows 802.1X settings for ClearPass

    Posted Jul 22, 2022 08:52 AM
    Hi Herman,

    Thanks for your interest, your answer helped me a lot. My customer has a similar policy (User Authenticated AND Machine Authenticated first):


    When Windows devices are set to "User or machine authentication" they don't take the Machine Authenticated role and then match policy 5:


    But when the devices are set to "User authentication" they do take the Machine Authenticated role and match policy 1, 2, 3 or 4 (in this case 2):


    How is this possible? Shouldn't it be the opposite?

    ------------------------------
    Regards,
    Julian
    ------------------------------



  • 5.  RE: Windows 802.1X settings for ClearPass

    MVP
    Posted Jul 22, 2022 09:02 AM
    Windows does not perform user & machine authentication simultaneously. When a user is logged in, User authentication is used. If they are logged out, machine authentication is used.

    Some features try to cache the machine authentication so both can be referenced but, in my experience, that is not a consistent solution.

    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University
    ------------------------------



  • 6.  RE: Windows 802.1X settings for ClearPass

    EMPLOYEE
    Posted Jul 25, 2022 10:07 AM
    If devices are logged in already, you might have 'missed' the machine authentication. That happens when the computer boots up, and when a user logs out. If the user is already signed in, this sometimes also happens when a user 'roams' from wired to wireless or vice versa: ClearPass may not have seen the machine authentication. If you look back in Access Tracker, you will probably see that the clients that have the [Machine Authenticated] role have done an authentication with the computer account.

    As Bruce mentions, with EAP-TLS or EAP-PEAP (deprecated), Windows will do just one authentication at a time. The [Machine Authenticated] role is therefore cached by ClearPass to allow policies like you made.

    With TEAP authentication you can do both the Machine and the User authentication in a single authentication transaction. In that case there is no requirement to use caching. Here is a video describing TEAP.

    ------------------------------
    Herman Robers
    ------------------------------
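The behaviour described in replies 2, 3 and 6 (Windows sends one identity per transaction, ClearPass caches the [Machine Authenticated] role and a first-match enforcement policy combines the roles) is easy to misread from screenshots alone, so here is a small Python simulation of it. This is an added example, not ClearPass code or anything posted in the thread: the role names are the ClearPass defaults, but the enforcement profile names, the VLAN numbers, the identity formats (`host/<fqdn>` or `NAME$` for the computer account) and the assumption that the machine-authentication cache is keyed by client MAC are all choices made for the example. TEAP is modelled simply as a request carrying two identities in one transaction.

```python
from dataclasses import dataclass
from typing import Optional, Set, Tuple

MACHINE_AUTH = "[Machine Authenticated]"   # ClearPass default role names
USER_AUTH = "[User Authenticated]"


@dataclass
class AuthRequest:
    mac: str
    method: str                           # "PEAP", "EAP-TLS" or "TEAP"
    identity: str                         # identity ClearPass sees in this transaction
    inner_identity: Optional[str] = None  # TEAP only: second identity in the same transaction


def is_machine_identity(identity: str) -> bool:
    """Assumed computer-account formats: host/<fqdn> (PEAP) or sAMAccountName ending in '$'."""
    return identity.lower().startswith("host/") or identity.endswith("$")


# First-match enforcement policy as in reply 2: (roles required, enforcement profile).
# Profile names are assumed for the example.
POLICY = [
    ({USER_AUTH, MACHINE_AUTH}, "Full Access"),
    ({MACHINE_AUTH}, "Machine Only (AD, update servers)"),
    ({USER_AUTH}, "BYOD / Internet"),
]
DEFAULT_PROFILE = "Deny Access"

# Assumed VLAN per profile, used to check the Remote Desktop caveat from reply 3.
PROFILE_VLAN = {
    "Full Access": 100,
    "Machine Only (AD, update servers)": 100,
    "BYOD / Internet": 200,
    "Deny Access": None,
}


def enforce(roles: Set[str]) -> str:
    """Return the first profile whose required roles are all present."""
    for required, profile in POLICY:
        if required <= roles:
            return profile
    return DEFAULT_PROFILE


def vlan_changes_between(profile_a: str, profile_b: str) -> bool:
    """True if moving from one profile to the other would change the client's VLAN."""
    return PROFILE_VLAN[profile_a] != PROFILE_VLAN[profile_b]


class ClearPassSim:
    """Holds the machine-authentication cache (assumed keyed by MAC) and evaluates requests."""

    def __init__(self, cache_machine_role: bool = True) -> None:
        self.cache_machine_role = cache_machine_role
        self.machine_cache: Set[str] = set()

    def authenticate(self, req: AuthRequest) -> Tuple[Set[str], str]:
        roles: Set[str] = set()
        for ident in filter(None, (req.identity, req.inner_identity)):
            roles.add(MACHINE_AUTH if is_machine_identity(ident) else USER_AUTH)
        if MACHINE_AUTH in roles:
            self.machine_cache.add(req.mac)        # remember this endpoint authenticated as a machine
        elif self.cache_machine_role and req.mac in self.machine_cache:
            roles.add(MACHINE_AUTH)                # user auth inherits the cached machine role
        return roles, enforce(roles)


def walkthrough() -> dict:
    """Constructed sequence of Windows 802.1X transactions as seen by ClearPass."""
    cp = ClearPassSim()
    pc, user = "aa:bb:cc:dd:ee:01", "jdoe"
    # 1. PC boots ("user or machine"): only the computer account authenticates
    boot = cp.authenticate(AuthRequest(pc, "PEAP", "host/PC01.corp.example"))
    # 2. user logs in: Windows switches to user auth, ClearPass adds the cached machine role
    login = cp.authenticate(AuthRequest(pc, "PEAP", user))
    # 3. a laptop that was already logged in joins: its machine auth was never seen
    late = cp.authenticate(AuthRequest("aa:bb:cc:dd:ee:02", "PEAP", user))
    # 4. someone Remote Desktops into PC01: Windows re-authenticates with the computer account
    rdp = cp.authenticate(AuthRequest(pc, "PEAP", "host/PC01.corp.example"))
    # 5. TEAP carries both identities in one transaction, so no cache is needed
    teap = ClearPassSim(cache_machine_role=False).authenticate(
        AuthRequest("aa:bb:cc:dd:ee:03", "TEAP", "host/PC03.corp.example", inner_identity=user))
    return {"boot": boot, "login": login, "late": late, "rdp": rdp, "teap": teap}


if __name__ == "__main__":
    for name, (roles, profile) in walkthrough().items():
        print(f"{name:6} roles={sorted(roles)} -> {profile}")
```

Scenario 3 reproduces the symptom from reply 4: a client whose machine authentication ClearPass never saw only carries [User Authenticated] and falls through to the lower rule, regardless of which Windows setting is selected. Scenario 4 is why the two profiles reached from the same device should land in the same VLAN; `vlan_changes_between` returns False for the assumed mapping, which is the condition reply 3 asks you to verify.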



  • 7.  RE: Windows 802.1X settings for ClearPass

    Posted Aug 03, 2022 04:01 AM
    Hi guys,

    Very clear, thank you for the clarification. After doing some tuning, machine and user authentication are now working fine.

    ------------------------------
    Regards,
    Julian
    ------------------------------