02-04-2013 02:48 PM
I have a customer using Instant APs for their WLAN and Windows 2008 R2 Enterprise with NPS for dot 1x authentication of their clients.
The customer is experiencing issues with their domain joined laptops changing authentication state while they are working on them. This is causing an issue because they will go from 1x authenticated (machine & user) to only user authenticated which places them into a different role than what they were previously. The role they fall into, role B, does not have the same network access as their previous role, role A. Because of this change of roles they lose access to Exchange, application servers and other resources role B is denied access to.
Since the customer is on Instant I don't have the same type of user debug as I do on the controller so I cannot follow the changes that are happening on a particular wireless client. The NPS logs so far have not provided any clue to this issue. I have confirmed that the COA option for the RADIUS server is disabled so that if NPS is sending change of auth messages the Instant VC will not act on them.
This is not an issue with a machine going into sleep or hibernation and then coming out of a suspended state and only processing user authentication. I have been actively remoted into one of the client machines and have watched in the Instant Virtual Controller the client going from role A to role B while I am working on it.
If the client logs off the session or reboots the machine it goes through machine and user authentication properly and they get role A. Eventually though they will fall into role B out of the blue. There does not seem to be a rhyme or reason to when or why this happens.
Anyone have any clues on this...? I have not run into this issue before and hope someone can shed some light on it.
I am forgoing for now opening a ticket with TAC since I believe this to be an MS issue, not an Aruba issue. We have updated to the latest Instant code 6.2 just in case that was the issue but it did not make a difference.
Any assistance is appreciated.
Sr. Network Engineer - SecurEdge Networks
ACMP / ACDX / AWMP
02-05-2013 04:34 AM
Please open the ticket.
Aruba Customer Engineering