ArubaOS and Controllers

Contributor II
Posts: 56
Registered: 04-13-2009

802.1x Machine Authentication

I am having some issues setting up 802.1x correctly. Any time a new user tries to log in to the laptop, they get "the domain is not available". If that user has already been authenticated, they use cached credentials and then everything works great. When I get the "domain is not available" message, I also see a message on the IAS server: User host/machinename (whatever the machine name is) has been denied. I don't think it is an Aruba problem, but I have been on the phone with Microsoft for 2 weeks, so I figured I would try. Any help would be greatly appreciated. Thanks!
Aruba Employee
Posts: 77
Registered: 04-11-2007

802.1x Machine Authentication

It sounds like you have machine auth enabled under your aaa auth profile.


aaa authentication dot1x "test-dot1x-profile"
machine-authentication enable

What role is the user in when this happens? Does it say 802.1x-user or
802.1x-machine in the Auth field?

Gary
Contributor II
Posts: 56
Registered: 04-13-2009

Re: 802.1x Machine Authentication

Thanks. Right now, if I look under the 802.1x Authentication Profile, Enforce Machine Authentication is not checked. Should it be?

Also, the Machine Authentication Default Machine Role is guest, and so is the Default User Role. Is this correct?

As far as I can tell, the laptop doesn't show up at all under monitoring clients.
Guru Elite
Posts: 19,997
Registered: 03-29-2007

Denied due to lack of IAS policy

John,

Your "computers" are being denied due to the lack of a remote access policy permitting them to authenticate to IAS. On your IAS server there are "remote access policies" in the Internet Authentication Service. One policy probably allows domain users or a subset of that group to authenticate to wireless. You need to create a matching policy that allows the group "domain computers" as well. That is why you're getting a failure message on your IAS server. Create it exactly like your user policy, except the permitted group is "domain computers".

This will allow you to have an IP dial tone, so that when your users login, the machine will be able to send out all the normal logon traffic that it does, just like when it is wired.

And by the way, don't put a check in "enforce machine authentication". That will NOT help.
Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
Occasional Contributor II
Posts: 43
Registered: 02-14-2008

Re: 802.1x Machine Authentication


> And by the way, don't put a check in "enforce machine authentication". That will NOT help.

Although not doing this means users can gain access with machines that are not domain members (such as iPhones).

I've just tested this, and without enforcing machine auth, the RADIUS server passes user auth and tells ArubaOS to place the user into the employee role. This overrides any default machine roles.
Guru Elite
Posts: 19,997
Registered: 03-29-2007

Adding Remote Access Policy

Jason,

You are right. The "enforce machine authentication" is to deal with non-domain computers like iPhones, but it would not help with the "domain not available" situation, is what I meant to say.
Colin Joseph
Aruba Customer Engineering
Contributor II
Posts: 56
Registered: 04-13-2009

Re: 802.1x Machine Authentication

Interesting. Thank you for all your replies. What I found out yesterday is that what I had to do was put a check mark in Enforce Machine Authentication (for some reason; I agree I shouldn't have to do that). I also had to take termination off the controller as well. Once I did that, I could see the user actually connect, but then they still couldn't log in because it put the computer in the Guest role by default. I added some rules to allow for the user authentication and away it went. It now seems to work fine.

Kind of weird but at least it fixed the problem.
Guru Elite
Posts: 19,997
Registered: 03-29-2007

Ah...

John,

You did the right thing. "Machine" authentication does not work with Termination enabled. We should have asked you that.
Colin Joseph
Aruba Customer Engineering

Contributor II
Posts: 56
Registered: 04-13-2009

Re: 802.1x Machine Authentication

Excellent. That makes me at least feel better that I actually fixed it :)

Thanks for all the replies.
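The decision logic this thread converges on (an IAS policy that permits Domain Computers, Enforce Machine Authentication on the controller, termination off), as an added Python model of the behaviour described in the posts above; it is not Aruba's or Microsoft's code, and the policy group names, role names and identities are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional


def ias_accepts(identity: str, policy_groups: set) -> bool:
    """Model of the IAS remote access policy check from the thread: a machine
    account (host/<name>) is only accepted if some policy permits
    Domain Computers; a user account needs a policy permitting Domain Users."""
    needed = "Domain Computers" if identity.startswith("host/") else "Domain Users"
    return needed in policy_groups


@dataclass
class Dot1xProfile:
    enforce_machine_auth: bool = False   # "Enforce Machine Authentication" checkbox
    termination: bool = False            # EAP termination on the controller
    machine_default_role: str = "guest"  # role when only the machine passed
    user_default_role: str = "guest"     # role when only the user passed
    default_role: str = "authenticated"  # 802.1x default role when nothing overrides it


def derive_role(p: Dot1xProfile, machine_ok: bool, user_ok: bool,
                server_role: Optional[str] = None) -> Optional[str]:
    """Role the client lands in, or None when 802.1x fails outright."""
    if p.termination:
        machine_ok = False  # per the thread: machine auth does not work with termination
    if not p.enforce_machine_auth:
        # Machine state is not tracked; any accepted identity gets the normal role,
        # so a user on a non-domain device overrides the machine defaults.
        return (server_role or p.default_role) if (machine_ok or user_ok) else None
    if machine_ok and user_ok:
        return server_role or p.default_role
    if machine_ok:
        return p.machine_default_role  # login screen: the "IP dial tone" for logon traffic
    if user_ok:
        return p.user_default_role     # valid user on a device that is not a domain member
    return None


def login_outcome(p: Dot1xProfile, policy_groups: set, host_identity: str,
                  user_identity: str, server_role: Optional[str] = None):
    """(role while at the Windows login screen, role after the user logs on)."""
    m_ok = ias_accepts(host_identity, policy_groups)
    u_ok = ias_accepts(user_identity, policy_groups)
    return derive_role(p, m_ok, False), derive_role(p, m_ok, u_ok, server_role)
```

The first element of `login_outcome` being `None` is the "domain is not available" symptom: the machine has no role, so no logon traffic can reach the domain controller.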