Machine Authentication uses the AD computer account to authenticate the computer.
User Authentication uses the (AD) user account to authenticate the user.
User or Machine uses the computer account when no user is logged in to the computer (like when it is booting/shutdown/on the login screen); when a user logs in it switches to user authentication.
With PEAP (which is strongly deprecated because of known security weaknesses; use EAP-TLS or TEAP instead), ClearPass will 'cache' the [Machine Authenticated] role once it has seen a machine authentication. In the [User Authenticated] after that, you should see both roles and could create a (first match) policy like:
[User Authenticated] AND [Machine Authenticated] => Full Access
[Machine Authenticated] => Access to AD, Update servers, other services that are needed to get on the network
[User Authenticated] => BYOD / Internet access
Some examples are in the ClearPass Workshop 2021 Series on YouTube.
Older videos covering PEAP are still in this playlist.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Jul 21, 2022 10:34 AM
From: Julian Ortiz
Subject: Windows 802.1X settings for ClearPass
Hi everyone,
I want to create some PEAP policies in CPPM but I want to be clear about the Windows 802.1X settings before. There is a part where you have the option to configure "user authentication", "machine authentication", or "user or machine authentication". What's the difference between these types?
- User authentication only sends the username and password you type?
- Machine authentication sends only the PC hostname?
- User or machine authentication sends both? Or only sends one of them?
Thanks in advance.
------------------------------
Regards,
Julian
------------------------------
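The first-match policy described in the reply above, modelled as an added example (not part of the original thread and not ClearPass code). The MAC-address cache key, the 24-hour `CACHE_TTL`, the sample MAC addresses and the function names are assumptions made for illustration.

```python
# Added illustration: models the first-match role policy from the reply.
# CACHE_TTL and the MAC-keyed cache are assumptions, not ClearPass internals.
from datetime import datetime, timedelta

MACHINE = "[Machine Authenticated]"
USER = "[User Authenticated]"
CACHE_TTL = timedelta(hours=24)  # assumed lifetime of the cached machine role

# Rules in evaluation order: (roles that must all be present, enforcement result)
POLICY = [
    ({USER, MACHINE}, "Full Access"),
    ({MACHINE}, "AD / update servers only"),
    ({USER}, "BYOD / Internet access"),
]


def roles_for(cache, mac, kind, now):
    """Roles for one authentication; cache maps MAC -> last machine-auth time."""
    if kind == "machine":
        cache[mac] = now  # remember that this endpoint passed machine auth
        return {MACHINE}
    seen = cache.get(mac)
    fresh = seen is not None and now - seen <= CACHE_TTL
    return {USER, MACHINE} if fresh else {USER}


def enforce(roles, policy=POLICY):
    """First match wins: return the result of the first rule fully satisfied."""
    for required, result in policy:
        if required <= roles:
            return result
    return "Deny"


def demo():
    cache, t0 = {}, datetime(2022, 7, 21, 8, 0)  # constructed sample data
    laptop, phone = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
    return [
        enforce(roles_for(cache, laptop, "machine", t0)),                   # boot
        enforce(roles_for(cache, laptop, "user", t0 + timedelta(minutes=5))),  # login
        enforce(roles_for(cache, phone, "user", t0)),          # no machine auth seen
        enforce(roles_for(cache, laptop, "user", t0 + timedelta(hours=30))),   # expired
    ]


if __name__ == "__main__":
    print(demo())
```

Rule order matters with first match: if the `[User Authenticated]` rule were listed before the combined rule, a domain laptop with both roles would only ever receive BYOD / Internet access.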