Figure 8-4: Enabling Machine Authentication On Windows Zero-Config - ADTRAN BlueSecure Controller Setup And Administration Manual

Software release version: 6.5

Alternatively, as with network services, destinations, and schedules, you can use the
Create... option to define a new user location or group. To set up a location or group,
see "Creating Locations and Location Groups" on page 8-19.
6. Optional. Use the commands included in the Row Management drop-down list to
change the order of policies, add new blank policy records, clear policy data, or
delete a policy, etc. Remember, the BSC evaluates policies in the order in which they
are listed here on the role definition page.
7. Enable role inheritance for this role by selecting a role from the Inherit from role
drop-down list.
After the BSC has checked each policy, it is possible that a requested network service
(or service group), destination (or destination group), direction, schedule (or schedule
group), and location (or location group) might not match any of the criteria specified.
Enable role inheritance to continue checking policies in another existing role for a
match.
As with network services, destinations, schedules, locations, and groups, you can use
the Create... option in the drop-down list to define a new inherited role. See "Role
Inheritance" on page 8-3 for more information.
Enforce Machine Authentication Role
Two-Factor Authentication: Before 6.5, machine and user authentication were two
separate processes. Users could skip the machine authentication, and still be
authenticated against the domain based on the user credentials. From a security
perspective, allowing users to only authenticate from domain machines adds an extra
layer of security. Even if a password is compromised, a would-be thief or attacker could
not gain access to the network unless a domain device was also stolen.
BSC Implementation: With machine authentication, the successfully authenticated
endpoint will show in the connection table as "host/machine_name.domain_name"
placed into a designated role for domain machines. If the BSC sees a successful user
authentication, the BSC checks if this PC was already in the designated "domain
machines" role. If it was, the PC will get the correct User role. If not, the user will get
the Unregistered Role. The BSC requires the use of Transparent 802.1x with machine
authentication, as the user must directly authenticate the machine to the RADIUS server.
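The role decision described under BSC Implementation, modelled in Python as an added example (not ADTRAN's code). It assumes endpoints are keyed by MAC address, uses the role names that appear on this page, and runs on constructed sample events.

```python
# Added illustration of the "enforce machine authentication" role decision.
# Assumptions (not from the manual): endpoints are keyed by MAC address and
# authentication results arrive as simple tuples. Sample events are constructed.
from dataclasses import dataclass, field

DOMAIN_MACHINES = "Domain Machines"  # role assigned after machine authentication
CORPORATE = "Corporate"              # user role that requires prior machine auth
UNREGISTERED = "Unregistered"        # fallback when the device was never machine-authenticated

@dataclass
class ConnectionTable:
    entries: dict = field(default_factory=dict)  # mac -> {"identity", "role"}

    def machine_auth_ok(self, mac, machine, domain):
        """Successful 802.1x machine authentication: show host/... in the table."""
        self.entries[mac] = {"identity": f"host/{machine}.{domain}",
                             "role": DOMAIN_MACHINES}
        return DOMAIN_MACHINES

    def user_auth_ok(self, mac, username):
        """Successful user authentication: the role depends on the device's prior role."""
        prior = self.entries.get(mac, {}).get("role")
        # Applied literally as the page states it; re-authentication is not modelled.
        role = CORPORATE if prior == DOMAIN_MACHINES else UNREGISTERED
        self.entries[mac] = {"identity": username, "role": role}
        return role

def replay(events):
    """Feed events through a fresh table; return the role given for each event."""
    table, roles = ConnectionTable(), []
    for kind, *args in events:
        handler = table.machine_auth_ok if kind == "machine" else table.user_auth_ok
        roles.append(handler(*args))
    return roles, table

def unregistered_logins(events):
    """Valid user credentials presented from a device that never machine-authenticated."""
    roles, _ = replay(events)
    return [(ev[1], ev[2]) for ev, role in zip(events, roles)
            if ev[0] == "user" and role == UNREGISTERED]

SAMPLE_EVENTS = [  # constructed: one domain laptop, one non-domain device
    ("machine", "00:11:22:33:44:55", "LAPTOP01", "example.local"),
    ("user", "00:11:22:33:44:55", "alice"),
    ("user", "66:77:88:99:aa:bb", "alice"),  # same password, non-domain device
]

if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS)[0])
    print(unregistered_logins(SAMPLE_EVENTS))
```

The last event is the compromised-password case from the paragraph above: the credentials are valid, but the device lands in the Unregistered role because it never entered the Domain Machines role.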
Client Configuration: The client should configure 802.1x normally, then click the
following box under the Wireless Properties:
BSC Configuration
1. Create a Domain Machines Role – this is the role to place a device authenticated via
machine
2. Create a Corporate Role – this is the role to place the machine device into after user
auth
3. Configure the Corporate Role to require the user to be in the Machine Role before
login:
BlueSecure™ Controller Setup and Administration Guide
Figure 8-4: Enabling Machine Authentication on Windows Zero-Config Supplicant
Defining a Role
8-7
