Specifications
Defining a Role
BlueSecure™ Controller Setup and Administration Guide 8-7
Alternatively, as with network services, destinations, and schedules, you can use the 
Create… option to define a new user location or group. To set up a location or group, 
see “Creating Locations and Location Groups” on page 8-19.
6. Optional. Use the commands included in the Row Management drop-down list to 
change the order of policies, add new blank policy records, clear policy data, or 
delete a policy, etc. Remember, the BSC evaluates policies in the order in which they 
are listed here on the role definition page.
7. Enable role inheritance for this role by selecting a role from the Inherit from role 
drop-down list.
After the BSC has checked each policy, it is possible that a requested network service 
(or service group), destination (or destination group), direction, schedule (or schedule 
group), and location (or location group) might not match any of the criteria specified. 
Enable role inheritance to continue checking policies in another existing role for a 
match.
As with network services, destinations, schedules, locations, and groups, you can use 
the Create… option in the drop-down list to define a new inherited role. See “Role 
Inheritance” on page 8-3 for more information.
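A minimal model of the evaluation order described in steps 6 and 7, as an added example and not BSC code: policies are checked top to bottom, and an unmatched request continues into the inherited role. The action names, the `*` wildcard, the sample roles, and the default-deny result when nothing matches are assumptions of this sketch.

```python
from dataclasses import dataclass
from typing import Optional

ANY = "*"  # wildcard for a criterion (assumed notation for this sketch)
CRITERIA = ("service", "destination", "direction", "schedule", "location")

@dataclass(frozen=True)
class Policy:
    action: str  # "allow" or "deny" (assumed action names)
    service: str = ANY
    destination: str = ANY
    direction: str = ANY
    schedule: str = ANY
    location: str = ANY

    def matches(self, req: dict) -> bool:
        # Every criterion must be a wildcard or equal the requested value.
        return all(getattr(self, k) in (ANY, req[k]) for k in CRITERIA)

@dataclass
class Role:
    name: str
    policies: list
    inherit_from: Optional[str] = None

def evaluate(roles: dict, role_name: str, req: dict, default: str = "deny"):
    """Return (action, deciding_role, policy_row); the first matching row wins."""
    seen = set()
    while role_name is not None and role_name not in seen:
        seen.add(role_name)  # guard against an inheritance loop
        role = roles[role_name]
        for row, policy in enumerate(role.policies):
            if policy.matches(req):
                return policy.action, role.name, row
        role_name = role.inherit_from  # no match: continue in the inherited role
    return default, None, None  # assumed outcome when no role matches

def request(service, destination, direction="outgoing",
            schedule="business-hours", location="HQ"):
    return dict(service=service, destination=destination, direction=direction,
                schedule=schedule, location=location)

# Constructed sample roles: row 1 of Engineering is shadowed by the broader row 0.
ROLES = {
    "Guest": Role("Guest", [Policy("allow", service="HTTP", direction="outgoing")]),
    "Engineering": Role("Engineering", [
        Policy("allow", destination="lab-net"),
        Policy("deny", service="SSH", destination="lab-net"),
    ], inherit_from="Guest"),
}
```

Because the first matching row decides, the SSH deny in this sample never takes effect; a specific deny has to be listed above the broader allow.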
Enforce Machine Authentication Role
Two-Factor Authentication: Before 6.5, machine and user authentication were two 
separate processes. Users could skip the machine authentication, and still be 
authenticated against the domain based on the user credentials. From a security 
perspective, allowing users to only authenticate from domain machines adds an extra 
layer of security. Even if a password is compromised, a would-be thief or attacker could 
not gain access to the network unless a domain device was also stolen.
BSC Implementation: With machine authentication, the successfully authenticated 
endpoint appears in the connection table as "host/machine_name.domain_name" and is 
placed into a designated role for domain machines. When the BSC sees a successful user 
authentication, it checks whether this PC was already in the designated "domain 
machines" role. If it was, the PC gets the correct User role. If not, the user gets the 
Unregistered role. The BSC requires the use of Transparent 802.1x with machine 
authentication, as the user must directly authenticate the machine to the RADIUS server.
Client Configuration: The client should configure 802.1x normally, then click the 
following box under the Wireless Properties:
BSC Configuration
1. Create a Domain Machines Role – this is the role to place a device authenticated via machine
2. Create a Corporate Role – this is the role to place the machine device into after user auth
3. Configure the Corporate Role to require the user to be in the Machine Role before login:
Figure 8-4: Enabling Machine Authentication on Windows Zero-Config Supplicant










