Dell 6.2 Server User Manual


 
201 | 802.1X Authentication | Dell PowerConnect W-Series ArubaOS 6.2 | User Guide
server-cert <certificate>
ca-cert <certificate>
Configuring User and Machine Authentication
When a Windows device boots, it logs onto the network domain using a machine account. Within the domain, the
device is authenticated before computer group policies and software settings can be executed; this process is known
as machine authentication. Machine authentication ensures that only authorized devices are allowed on the network.
You can configure 802.1x for both user and machine authentication (select the Enforce Machine Authentication
option described in Table 61). This tightens the authentication process further since both the device and user need
to be authenticated.
Working with Role Assignment with Machine Authentication Enabled
When you enable machine authentication, there are two additional roles you can define in the 802.1x authentication
profile:
• Machine authentication default machine role
• Machine authentication default user role
While you can select the same role for both options, you should define the roles according to the policies that need to be
enforced. Also, these roles can be different from the 802.1x authentication default role configured in the AAA profile.
With machine authentication enabled, the assigned role depends upon the success or failure of the machine and user
authentications. In certain cases, the role that is ultimately assigned to a client can also depend upon attributes
returned by the authentication server or server derivation rules configured on the controller.
Table 62 describes role assignment based on the results of the machine and user authentications.
| Machine Auth Status | User Auth Status | Description | Role Assigned |
|---|---|---|---|
| Failed | Failed | Both machine authentication and user authentication failed. L2 authentication failed. | No role assigned. No access to the network allowed. |
| Failed | Passed | Machine authentication fails (for example, the machine information is not present on the server) and user authentication succeeds. Server-derived roles do not apply. | Machine authentication default user role configured in the 802.1x authentication profile. |
| Passed | Failed | Machine authentication succeeds and user authentication has not been initiated. Server-derived roles do not apply. | Machine authentication default machine role configured in the 802.1x authentication profile. |
| Passed | Passed | Both machine and user are successfully authenticated. If there are server-derived roles, the role assigned via the derivation takes precedence. This is the only case where server-derived roles are applied. | A role derived from the authentication server takes precedence. Otherwise, the 802.1x authentication default role configured in the AAA profile is assigned. |

Table 62: Role Assignment for User and Machine Authentication
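The decision logic of Table 62 can be written as a short check that compares the role a client actually holds with the role the table predicts. This is an added example, not code from the user guide or the controller: dot1x_user and dot1x_mc are the role names used on this page, while mc_user_fallback, finance and the sample sessions are constructed for illustration.

```python
"""Added example: expected role per Table 62 and a session audit (not vendor code)."""
from typing import Optional

# dot1x_user and dot1x_mc come from the page's example. "mc_user_fallback" is a
# constructed placeholder for the machine authentication default user role.
AAA_DEFAULT_ROLE = "dot1x_user"
MACHINE_DEFAULT_MACHINE_ROLE = "dot1x_mc"
MACHINE_DEFAULT_USER_ROLE = "mc_user_fallback"


def expected_role(machine_ok: bool, user_ok: bool,
                  server_role: Optional[str] = None) -> Optional[str]:
    """Return the role Table 62 assigns, or None when no access is allowed."""
    if machine_ok and user_ok:
        # The only case in which a server-derived role is applied.
        return server_role or AAA_DEFAULT_ROLE
    if machine_ok:
        return MACHINE_DEFAULT_MACHINE_ROLE
    if user_ok:
        return MACHINE_DEFAULT_USER_ROLE
    return None


def audit(sessions):
    """Return (client, observed, expected) for sessions that contradict Table 62."""
    findings = []
    for s in sessions:
        want = expected_role(s["machine_ok"], s["user_ok"], s.get("server_role"))
        if s["role"] != want:
            findings.append((s["client"], s["role"], want))
    return findings


# Constructed sample sessions (not real controller output).
SAMPLE_SESSIONS = [
    {"client": "laptop-1", "machine_ok": True, "user_ok": True,
     "server_role": "finance", "role": "finance"},
    {"client": "laptop-2", "machine_ok": True, "user_ok": False,
     "server_role": None, "role": "dot1x_mc"},
    # User passed on an unknown machine, yet holds the server-derived role.
    {"client": "byod-1", "machine_ok": False, "user_ok": True,
     "server_role": "finance", "role": "finance"},
    {"client": "laptop-3", "machine_ok": True, "user_ok": True,
     "server_role": None, "role": "dot1x_user"},
]

if __name__ == "__main__":
    for client, got, want in audit(SAMPLE_SESSIONS):
        print(f"{client}: observed role {got!r}, Table 62 expects {want!r}")
```
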
For example, if the following roles are configured:
• 802.1x authentication default role (in AAA profile): dot1x_user
• Machine authentication default machine role (in 802.1x authentication profile): dot1x_mc