Computer account issue in IMC/UAM for 802.1x authentication

 
SOLVED
Go to solution
spag
Occasional Advisor

Computer account issue in IMC/UAM for 802.1x authentication

Hi,

 

I want to migrate from PCM+/IDM 4.2 to IMC/UAM 7.0, but I have a problem with computer authentication.

The user accounts are synchronized from the customer's Active Directory, and I use EAP-PEAP for authentication. This is OK, it works well, no problem.

But I also want to authenticate the computers. When I synchronize with the AD (cn=computer), the computer name is imported the same as a simple user.

And machine authentication doesn't work, because it is seen as a user authentication without a password...

When I manually create a user account with the computer option check box checked, it's OK, machine authentication works well.

I can't create all the computer accounts by hand, because there are a lot of computers.

How can I change the account type to a computer account in IMC/UAM when I import the computer names from the AD?

I tried to import a file with the batch function, but it creates user accounts; it's not possible to create computer accounts...

Thanks a lot.

PS: with PCM+/IDM I don't have this problem, and I don't use EAP-TLS.

 

 

11 REPLIES
Lynn-Marie
Neighborhood Admin

Re: Computer account issue in IMC/UAM for 802.1x authentication

Hi,

 

I will ask a few experts and see what they recommend...stay tuned. :)

 

LM

spag
Occasional Advisor

Re: Computer account issue in IMC/UAM for 802.1x authentication

Thank you very much, this is very nice! :-)

 

NeilR
Respected Contributor

Re: Computer account issue in IMC/UAM for 802.1x authentication

I had this very same problem, so I'm curious to hear another answer/opinion on this - I was on the phone with HP as we tried to work through this but couldn't get them to synchronize and authenticate by LDAP.

 

Here's what I tried:

 

Need to set up an LDAP sync for hosts. Which means you need a filter condition like this:

(&(objectclass=computer)(dNSHostName=*)(accountExpires>=now))

because workstations look different in LDAP. Then I created a policy using EAP-PEAP/MSCHAPv2. Because hosts come across as host/<hostname.domain.net> or whatever your domain is - and yes, the slash is the other way from domain\user, so it's unclear whether the prefix filters work properly - and you need a suffix in a service to use the policy.

For whatever reason the above, which looks like it should work, did not authenticate. In PCM it's all MS NPS, so it reads AD fine for users and workstations. But in LDAP the credentials work differently for hosts. Maybe I got the certificate type wrong.

I could only get the IMC computer user to work. I really just need to make sure the trusted machines do authenticate, so it can connect users to domain controllers. And I can remote into them. You may have additional requirements.

 

But sounds like you already tried this:

 

Set up the computer account. Create a PEAP service for it, point to an EAP-PEAP policy.

 

Then configure the virtual computer in IMC User>User Access Policy >Service Parameters> System Settings>Domain Controller-Assisted PEAP Authentication.

 

The workstations show up in online users as Account Name: computer, Login Name: <hostname>, Username: computer, so you can at least see them as separate line items and track them. But not as separate "accounts"

 

And only one domain is supported...
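The sync filter and the host/<fqdn> identity format from the post above, worked through as an added Python example (editor's code, not NeilR's configuration and not IMC/UAM or HP code). It assumes standard AD attribute names and runs against constructed in-memory entries rather than a directory server. Two details go beyond the filter quoted in the post: an LDAP filter has no `now` keyword, so the current time is rendered as a Windows FILETIME literal and the two "never expires" sentinel values of accountExpires are accepted explicitly; and disabled computer objects are excluded with the LDAP_MATCHING_RULE_BIT_AND OID on userAccountControl, which is the usual way to keep stale machines out of a sync.

```python
"""Added example (not IMC/UAM or HP code): AD computer-object sync filter and
the host/<fqdn> EAP identity format, worked on constructed entries offline."""
from datetime import datetime, timezone

# AD stores accountExpires as a Windows FILETIME: 100-nanosecond intervals
# since 1601-01-01 UTC.  Both 0 and 2**63-1 mean "never expires".
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = {0, 9223372036854775807}
ACCOUNTDISABLE = 0x2                       # userAccountControl bit: disabled
BIT_AND_RULE = "1.2.840.113556.1.4.803"    # LDAP_MATCHING_RULE_BIT_AND


def to_filetime(when: datetime) -> int:
    """Convert a timezone-aware datetime to a FILETIME integer."""
    return int((when - _FILETIME_EPOCH).total_seconds()) * 10_000_000


def computer_sync_filter(now: datetime) -> str:
    """Build the LDAP filter for enabled, non-expired computer objects.

    LDAP has no 'now' keyword: the caller supplies the current time and it is
    rendered as a FILETIME literal.  The never-expires sentinels are accepted
    explicitly, because accountExpires=0 would otherwise fail the >= test.
    """
    ft = to_filetime(now)
    return (
        "(&(objectClass=computer)(dNSHostName=*)"
        f"(!(userAccountControl:{BIT_AND_RULE}:=2))"
        "(|(accountExpires=0)(accountExpires=9223372036854775807)"
        f"(accountExpires>={ft})))"
    )


def select_computers(entries, now: datetime):
    """Apply the same conditions as computer_sync_filter() to in-memory
    entries (dict of attribute -> value) so the selection can be verified
    without a directory server."""
    ft = to_filetime(now)
    picked = []
    for e in entries:
        if "computer" not in e.get("objectClass", []):
            continue
        if not e.get("dNSHostName"):          # never joined / no DNS name
            continue
        if e.get("userAccountControl", 0) & ACCOUNTDISABLE:
            continue
        exp = e.get("accountExpires", 0)
        if exp not in NEVER_EXPIRES and exp < ft:
            continue                          # expired
        picked.append(e)
    return picked


def parse_identity(identity: str):
    """Classify the identity a Windows supplicant sends in EAP.

    Machine authentication sends 'host/<fqdn>' (forward slash); user
    authentication sends 'DOMAIN\\user' or 'user@domain'.
    Returns (kind, normalised name).
    """
    if identity.lower().startswith("host/"):
        return ("computer", identity[5:].lower())
    if "\\" in identity:
        return ("user", identity.split("\\", 1)[1].lower())
    if "@" in identity:
        return ("user", identity.split("@", 1)[0].lower())
    return ("user", identity.lower())


def match_computer(identity: str, computers):
    """Return the synced computer object whose dNSHostName matches a host/
    identity, or None for user identities and unknown hosts."""
    kind, name = parse_identity(identity)
    if kind != "computer":
        return None
    for c in computers:
        if c["dNSHostName"].lower() == name:
            return c
    return None


# Constructed sample directory entries (hypothetical domain, not real data).
# 4096 = WORKSTATION_TRUST_ACCOUNT, 4098 = the same with ACCOUNTDISABLE set.
NOW = datetime(2014, 6, 1, tzinfo=timezone.utc)
_EXPIRED = to_filetime(datetime(2013, 1, 1, tzinfo=timezone.utc))
SAMPLE_ENTRIES = [
    {"cn": "WS01", "objectClass": ["top", "computer"],
     "dNSHostName": "ws01.corp.example", "userAccountControl": 4096,
     "accountExpires": 0},                                   # never expires
    {"cn": "WS02", "objectClass": ["top", "computer"],
     "dNSHostName": "ws02.corp.example", "userAccountControl": 4096,
     "accountExpires": _EXPIRED},                            # expired
    {"cn": "WS03", "objectClass": ["top", "computer"],
     "userAccountControl": 4096, "accountExpires": 0},       # no dNSHostName
    {"cn": "WS04", "objectClass": ["top", "computer"],
     "dNSHostName": "ws04.corp.example", "userAccountControl": 4098,
     "accountExpires": 0},                                   # disabled
    {"cn": "WS05", "objectClass": ["top", "computer"],
     "dNSHostName": "ws05.corp.example", "userAccountControl": 4096,
     "accountExpires": 9223372036854775807},                 # never expires
    {"cn": "alice", "objectClass": ["top", "person", "user"],
     "sAMAccountName": "alice", "userAccountControl": 512, "accountExpires": 0},
]

if __name__ == "__main__":
    print(computer_sync_filter(NOW))
    synced = select_computers(SAMPLE_ENTRIES, NOW)
    print("synced:", [c["cn"] for c in synced])
    for ident in ("host/WS01.corp.example", "CORP\\alice", "host/ws02.corp.example"):
        hit = match_computer(ident, synced)
        print(ident, "->", hit["cn"] if hit else "no computer match")
```

Run as a script it prints the filter string, the two entries that survive the selection (WS01 and WS05) and which of the three sample identities resolve to a synced computer; the expired WS02 is rejected even though a supplicant may still present host/ws02.corp.example, which is the kind of mismatch worth looking for in the RADIUS log when machine authentication fails silently.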

 

 

 

 

spag
Occasional Advisor

Re: Computer account issue in IMC/UAM for 802.1x authentication

This is exactly what I tried, but the computer can't be authenticated....

NeilR
Respected Contributor

Re: Computer account issue in IMC/UAM for 802.1x authentication

I have these settings for the 802.1x adapter:

Auth method: Microsoft EAP (PEAP)

> Settings: Validate server certificate checked - Trusted root cert auth checked - your Windows domain checked (would not work without this set - with PCM I left validate cert unchecked and it worked OK)

 

> Auth method secured password EAP mschapv2 > configure use my windows credentials is checked, enable fast reconnect checked

 

Advanced settings > Specify auth mode > user or computer authentication

 

Also maybe you missed this step:

 

User>User Access Policy>Service Parameters>Certificate > Root Certificate > import EAP root certificate your domain root certificate - I think the virtual computer needs this as well as validate above to match

 

If screen shots would help let me know and I'll upload...

spag
Occasional Advisor

Re: Computer account issue in IMC/UAM for 802.1x authentication

NeilR thank you,


My goal is to make no change to the configuration of the computers. But I see that it is not possible to do machine authentication without a certificate.
Can you send me the screen shots, the configuration with certificate machine authentication?

Thank you.

 

 

PS: I didn't miss this step: User>User Access Policy>Service Parameters>Certificate > Root Certificate > import EAP root certificate your domain root certificate - I think the virtual computer needs this as well as validate above to match.

 

PS: The Auth method secured password EAP mschapv2 for AD's user account, works well.

 

NeilR
Respected Contributor
Solution

Re: Computer account issue in IMC/UAM for 802.1x authentication

I agree with goal to minimize configuration change on computers. My goal also.

 

But you will need to make 802.1x settings active. 

 

These changes can easily be set, and enforced, by a Windows Policy Object in the Active Directory, set by OU

 

Users can be prohibited from making changes if desired.

 

The attached PDF shows the client adapter setup, UAM user configuration, UAM service and policy configurations, and access details for user and computer, and telnet session to switch.

 

I am using Procurve 2910 series switches with recent firmware. 

 

Update: Added screen shots of AD CA - I think they are pretty generic

 

 

spag
Occasional Advisor

Re: Computer account issue in IMC/UAM for 802.1x authentication

Thanks a lot NeilR.

Re: Computer account issue in IMC/UAM for 802.1x authentication

Hi Neil!

 

Thanks for your Infos!!!

 

Can you please send us the LDAP Server and LDAP Sync Policy setup info. I wonder because the machine account in your example was named just "Computer" for the User Name, ID Number and Account Name... So you have a lot of Computer Users in your User List? I mean the accounts all look the same?

 

I used UAM 7.1 and the machine user looks very different in our case... Does not work right now either. Struggle with the MSCHAPv2 Certificate verification against the MS AD.

 

I heard that only EAP-TLS-AuthN (with Client Certs) is supported and works and wonder how this can work for you? 

 

Thanks a lot!

Andreas

 

 

NeilR
Respected Contributor

Re: Computer account issue in IMC/UAM for 802.1x authentication

Glad to help. I have posted 2 docs one with LDAP setup and one with computer account setup. 

 

Computer account is a built-in user, so one username handles all computers, with separate login names. A screen shot in the computer account doc shows this.

LDAP syncs only users, not computers. The virtual computer proxies authentication, I believe, to AD.

 

All examples in HP documents show only certificate option - maybe they prefer us to use them ;)

 

But if the network adapter configuration is as I described earlier, with both user and computer authentication set, then pick EAP-PEAP, not TLS, and this will work.

 

Hope all this helps

Re: Computer account issue in IMC/UAM for 802.1x authentication

THANKS Neil!!!

 

Now I see clearly. I have to add this one Computer Account, and this one handles (over the MSCHAPv2 server) all the machine auth requests in my network... It's not necessary to import or sync the machine accounts from the MS AD server, as it is a must for "normal" user accounts.

 

Interesting design :-|

 

Thanks for the Screen Shots!!!

 

Andreas