Security

  • 1.  Clearpass and new client computers

    Posted Aug 18, 2025 01:33 AM

    We are about to implement access control. Machines are authenticated based on the AD group and machine certificate. Necessary Group Policies need to be applied to the machine based on the group. If a machine is missing a certificate or the required AD group, what is the best way to deploy this? What options are there? We have currently resolved this so that such machines drop into a network that has access to DC machines and can retrieve Group Policies and certificates through that. Another option would be to block these connections and move the machine to a place where AD connections are allowed. Or the switch port could be temporarily changed to a network where AD connection is allowed. From a security perspective, it would likely be best if there were no AD connections unless we are sure about the workstation. How have you implemented this? Is there a commonly used method for this? I would appreciate options. I hope I managed to describe the issue clearly and that you understand what I am aiming for. :)


  • 2.  RE: Clearpass and new client computers

    Posted Aug 18, 2025 09:55 AM

    You've already listed the usual options.  Either put the machine into a quarantine network from which remediation can happen automatically or segregate the device off and force a call to the helpdesk.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 3.  RE: Clearpass and new client computers

    Posted Aug 18, 2025 10:39 AM

    Hi

    You are mentioning a few different error scenarios, let's break them down a bit:

    • Machine is missing a valid certificate. In this case the machine will not be able to authenticate at all, and its connection to the network will be rejected. It would be possible to tag the MAC address of a machine with an invalid certificate using a custom attribute in the Endpoints repository and use this attribute in a subsequent MAC authentication to place the host on a quarantine network with, for example, a captive portal information page. It's not a "basic" configuration and processing in ClearPass. Retrieving a new certificate may be useful for this type of machine. Whether you allow this opening or not is up to you.
    • Machine account is not a member of a given AD group. In this case the machine still has a valid certificate, and this can be used for the authentication. During authorization the missing AD group can force the client onto a quarantine network with an information captive portal for this situation. A group membership can't be changed by the machine and must be updated by an administrator or another function.
    • In both cases, enforcements to either send an email or trigger integrations with ticketing systems can be implemented.

    I would say the most common way is to just reject the connection, and the user will call the helpdesk and get the connectivity issue registered in a ticket for troubleshooting.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------
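
The following is an added example, not part of any post above and not ClearPass configuration or code: a small Python model of the two failure paths Jonas describes (EAP-TLS failure tagged in the Endpoints repository and picked up by a later MAC authentication, versus a valid certificate with the AD group missing) and of the quarantine-versus-reject choice Carson mentions. The attribute name `Cert-Status`, the VLAN numbers, the group DN, the machine account names and the MAC addresses are all constructed assumptions for illustration. It shows the ordering that matters in practice: an unknown MAC gets nothing until an EAP-TLS failure has tagged it, and once the tag is cleared the machine must re-authenticate with its certificate rather than keep living on the remediation network.

```python
"""Toy model of the ClearPass enforcement flow discussed in the thread.

Constructed example. The custom attribute "Cert-Status", the VLAN numbers,
the required group DN and all MACs/accounts are assumptions, not ClearPass
defaults or anything from the original posts.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

PRODUCTION_VLAN = 10      # assumed VLAN for fully compliant machines
QUARANTINE_VLAN = 999     # assumed remediation VLAN reaching DCs + PKI only
REQUIRED_AD_GROUP = "CN=Workstations,OU=Groups,DC=example,DC=com"  # assumed

# Simulated ClearPass Endpoints repository: MAC -> custom attributes
endpoints: Dict[str, Dict[str, str]] = {}

# Simulated AD authorization source: machine account -> group DNs (constructed)
AD_GROUPS: Dict[str, List[str]] = {
    "ws01$": [REQUIRED_AD_GROUP],
    "ws02$": [],   # account exists but is not in the required group
}


@dataclass
class Request:
    mac: str
    method: str                            # "EAP-TLS" or "MAC"
    cert_valid: Optional[bool] = None      # only meaningful for EAP-TLS
    machine_account: Optional[str] = None  # CN taken from the client cert


@dataclass
class Decision:
    accept: bool
    vlan: Optional[int] = None
    captive_portal: bool = False
    reason: str = ""


def dot1x_service(req: Request) -> Decision:
    """EAP-TLS service: bad cert -> tag endpoint and reject;
    good cert but missing AD group -> quarantine; otherwise production."""
    if not req.cert_valid:
        # Scenario 1: the machine cannot authenticate at all. Record the
        # failure on the endpoint so a later MAC-auth attempt can be steered
        # to remediation instead of being silently dropped.
        endpoints.setdefault(req.mac, {})["Cert-Status"] = "invalid"
        return Decision(False, reason="EAP-TLS failed; endpoint tagged")
    groups = AD_GROUPS.get(req.machine_account or "", [])
    if REQUIRED_AD_GROUP not in groups:
        # Scenario 2: identity is proven, but authorization fails. The
        # machine cannot fix its own group membership, so park it with a
        # captive portal explaining the situation.
        return Decision(True, QUARANTINE_VLAN, True, "not in required AD group")
    return Decision(True, PRODUCTION_VLAN, False, "cert valid, AD group present")


def mac_auth_service(req: Request) -> Decision:
    """MAC-auth fallback: only endpoints previously tagged by an EAP-TLS
    failure get the remediation network; anything else is rejected, which
    is the conservative 'no AD reachability unless we know the box' stance."""
    attrs = endpoints.get(req.mac, {})
    if attrs.get("Cert-Status") == "invalid":
        return Decision(True, QUARANTINE_VLAN, True, "tagged endpoint -> remediation")
    return Decision(False, reason="unknown endpoint without Cert-Status tag")


def handle(req: Request) -> Decision:
    """Service selection: 802.1X/EAP-TLS requests go to the EAP-TLS service,
    everything else falls through to MAC authentication."""
    return dot1x_service(req) if req.method == "EAP-TLS" else mac_auth_service(req)


def remediate(mac: str) -> None:
    """Clear the tag once the machine has enrolled its certificate, so the
    next connection must succeed on EAP-TLS rather than ride MAC auth."""
    endpoints.get(mac, {}).pop("Cert-Status", None)


if __name__ == "__main__":
    # Machine with no certificate yet: rejected on MAC auth, fails EAP-TLS,
    # then reaches remediation on the next MAC auth, and is locked out of
    # the remediation VLAN again once the tag is cleared.
    new_box = "aa:bb:cc:00:00:03"
    for req in (Request(new_box, "MAC"),
                Request(new_box, "EAP-TLS", cert_valid=False),
                Request(new_box, "MAC")):
        print(req.method, "->", handle(req))
    remediate(new_box)
    print("after remediation, MAC ->", handle(Request(new_box, "MAC")))
    print("ws02 ->", handle(Request("aa:bb:cc:00:00:02", "EAP-TLS", True, "ws02$")))
```

The tag on the endpoint is the only state that distinguishes "a machine we just watched fail EAP-TLS" from "a random device that plugged into the port", so clearing it after enrollment (or expiring it after a short window) is what keeps the MAC-auth path from becoming a permanent bypass.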