Did you configure User Authentication or Computer Authentication or both with PEAP/MSCHAPv2?
Please be informed that the use of MSCHAPv2 is strongly deprecated because the cryptographic algorithms have been broken.
If you use Computer or User/Computer authentication, you should see a [Machine Authenticated] role for users that are on a domain joined computer. If you want to do both User and Computer Authentication, for Windows 10/11 clients the use of TEAP may be the preferred route.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Oct 20, 2023 11:52 AM
From: jdjackson@confergeone.com
Subject: CPPM Computer Domain Check
Hey Herman,
We are using PEAP with MSCHAPv2 inner. So what I have done was set the role mapping policy to:
- verify that the domain name is in the distinguished name,
- verify that the account expiration date is greater than or equal to the current date,
- verify that it is using the MSCHAPv2 inner method,
- the authentication error is = 0.
Waiting for the client to test.
Is there a better way? It would be nice if there was an attribute for being joined to a domain that we could set to true or false.
Maybe there is and I just overlooked it.
Joe Jackson
Data Center Engineer
931.409.7074
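The four role-mapping conditions from the post above, evaluated in code as an added example (this is not ClearPass configuration and not code from anyone in the thread). The attribute names (Authentication:Username, Authorization:AD:distinguishedName, Authorization:AD:accountExpires, Authentication:InnerMethod, Authentication:ErrorCode), the domain corp.example.com and the sample requests are all constructed for the example. Two details the list glosses over are handled explicitly: Active Directory stores accountExpires as a Windows FILETIME, where both 0 and 0x7FFFFFFFFFFFFFFF mean "never expires", so a raw "greater than or equal to today" comparison would wrongly reject the common value 0; and a "domain name is in the DN" check is only trustworthy when the DC components are compared as a whole, not as a substring.

```python
import re
from datetime import datetime, timedelta, timezone

# Active Directory stores accountExpires as a Windows FILETIME:
# 100 ns ticks since 1601-01-01 UTC. Two special values mean "never expires".
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    # Integer arithmetic: the tick count exceeds float precision.
    delta = dt - FILETIME_EPOCH
    micros = (delta.days * 86400 + delta.seconds) * 10**6 + delta.microseconds
    return micros * 10


def account_expiry_ok(account_expires, now):
    """'Expiration date >= today', honouring AD's two 'never' encodings."""
    if account_expires in NEVER_EXPIRES:
        return True
    return filetime_to_datetime(account_expires) >= now


def is_machine_identity(username):
    """Windows supplicants send machine authentication as host/<fqdn>;
    a DOMAIN\\HOST$ form also denotes the computer account."""
    user = username.lower()
    return user.startswith("host/") or user.endswith("$")


def dn_in_domain(dn, domain_dns):
    """The DN must end in exactly the DC components of the expected domain.
    Component-wise comparison, so corp.example.com does not match notcorp.example.com."""
    expected = [f"dc={label}" for label in domain_dns.lower().split(".")]
    parts = [p.strip().lower() for p in re.split(r"(?<!\\),", dn)]  # honour escaped commas
    return parts[-len(expected):] == expected


def evaluate_machine_auth(req, domain_dns, now):
    """Return (per-check results, overall verdict). Attribute names are
    assumed placeholders for this example, not real ClearPass identifiers."""
    checks = {
        "machine_identity": is_machine_identity(req["Authentication:Username"]),
        "dn_in_domain": dn_in_domain(req["Authorization:AD:distinguishedName"], domain_dns),
        "not_expired": account_expiry_ok(req["Authorization:AD:accountExpires"], now),
        "inner_mschapv2": req["Authentication:InnerMethod"] == "EAP-MSCHAPv2",
        "no_error": req["Authentication:ErrorCode"] == 0,
    }
    return checks, all(checks.values())


NOW = datetime(2023, 10, 20, tzinfo=timezone.utc)
DOMAIN = "corp.example.com"  # assumed domain for the example

# Constructed sample requests, not captured from a real ClearPass.
SAMPLE_REQUESTS = {
    "domain-joined-pc": {
        "Authentication:Username": "host/WS0042.corp.example.com",
        "Authorization:AD:distinguishedName": "CN=WS0042,OU=Workstations,DC=corp,DC=example,DC=com",
        "Authorization:AD:accountExpires": 0,  # never expires
        "Authentication:InnerMethod": "EAP-MSCHAPv2",
        "Authentication:ErrorCode": 0,
    },
    "expired-computer-account": {
        "Authentication:Username": "host/WS0099.corp.example.com",
        "Authorization:AD:distinguishedName": "CN=WS0099,OU=Workstations,DC=corp,DC=example,DC=com",
        "Authorization:AD:accountExpires": datetime_to_filetime(datetime(2023, 1, 1, tzinfo=timezone.utc)),
        "Authentication:InnerMethod": "EAP-MSCHAPv2",
        "Authentication:ErrorCode": 0,
    },
    "user-not-machine": {
        "Authentication:Username": "CORP\\jdoe",
        "Authorization:AD:distinguishedName": "CN=Smith\\, John,OU=Users,DC=corp,DC=example,DC=com",
        "Authorization:AD:accountExpires": 0x7FFFFFFFFFFFFFFF,
        "Authentication:InnerMethod": "EAP-MSCHAPv2",
        "Authentication:ErrorCode": 0,
    },
    "wrong-domain": {
        "Authentication:Username": "host/WS0007.notcorp.example.com",
        "Authorization:AD:distinguishedName": "CN=WS0007,DC=notcorp,DC=example,DC=com",
        "Authorization:AD:accountExpires": 0,
        "Authentication:InnerMethod": "EAP-MSCHAPv2",
        "Authentication:ErrorCode": 0,
    },
}


def run_samples(now=NOW, domain=DOMAIN):
    return {name: evaluate_machine_auth(req, domain, now)[1] for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        checks, ok = evaluate_machine_auth(req, DOMAIN, NOW)
        print(f"{name}: {'MACHINE AUTHENTICATED' if ok else 'REJECT'} {checks}")
```

Only the first sample passes all checks; the user login fails the machine-identity check even though its DN and expiry are fine, which is the gap a plain "DN contains the domain" condition leaves open.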
Original Message:
Sent: 10/20/2023 9:26:00 AM
From: Herman Robers
Subject: RE: CPPM Computer Domain Check
Yes, if you perform computer authentication, you can look up the computer account in your Active Directory to determine if it is joined to the domain. On the other hand, if the computer is not joined to the domain, I would not see how it would authenticate as a computer.
You may need to elaborate a bit more on the exact use-case (authentication methods, user/computer authentication, wired/wireless/vpn) to get a better answer.
------------------------------
Herman Robers
------------------------
Original Message:
Sent: Oct 19, 2023 03:18 PM
From: jdjackson@confergeone.com
Subject: CPPM Computer Domain Check
Is it possible to have ClearPass verify that a connecting computer is a joined member to the AD domain that is being used as the authentication source?