Contributor II
Posts: 56
Registered: ‎04-13-2009

802.1x

I have a weird problem that I am experiencing at one of my clients and I would like to see if anybody has any advice. I have an SSID that is secured with 802.1x with an MD5 Challenge. I allow them to log in via Machine or User. What I am seeing is it logs in as a user and the user has a great experience. Then all of a sudden you will look at the PC (I am assuming some kind of timeout value) and it has low status and local or no connectivity. If you then look at the client you will see that it says it is authenticated as the machine and is on the authenticated role (because that is what we chose and is what it is supposed to do). However, when you look at what AP it is connected to, it says "N", and there is no AP named close to "N". Now the PC has a 169 address but the wireless controller thinks it has a real address. It is extremely frustrating and I am running out of ideas. I have enabled the reauthentication to see if this helps but other than that I am lost. Any help would be greatly appreciated.
Guru Elite
Posts: 20,572
Registered: ‎03-29-2007

Re: 802.1x




Has this ever worked?



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor II
Posts: 56
Registered: ‎04-13-2009

Re: 802.1x

It works for as long as the timeout period is. So the computer will work for say a full day and then it won't. After you reboot or just repair the wireless connection, that fixes it. Then the computer logs in and is put in the 802.1X profile. Not machine and not user like it is supposed to.

Does that make sense?
Guru Elite
Posts: 20,572
Registered: ‎03-29-2007

Re: 802.1x

Yes,

You need to change the machine authentication cache timeout. When a computer successfully machine authenticates, a record is created in the local user database. By default, that record expires after 24 hours, so a machine has to end up at the ctrl-alt-delete screen to create that record again. If you type "show local-userdb" you will see the records that are created and when they expire. On the GUI, you can also see those records by going to configuration> security> Authentication> Internaldb

To change that, you need to go into the 802.1x advanced settings:

Configuration> Security> Authentication> l2 authentication> 802.1x authentication profile

Select the 802.1x profile for your SSID and click on the advanced tab. Change the Machine Authentication Cache Timeout parameter from 24 hours to something higher, like a week (168 hours), if you would like.

When you change that, you will be able to see when you look that devices will be in there for a week.


Colin Joseph
Aruba Customer Engineering


Contributor II
Posts: 56
Registered: ‎04-13-2009

Re: 802.1x

Excellent, thank you. I implemented it today and should know if that fixed it in the next 24 to 48 hours. Thanks again!
Contributor II
Posts: 56
Registered: ‎04-13-2009

Re: 802.1x

I just found out that this didn't fix the problem. Same symptoms: the computer logs in as a host and says it's connected to Access Point "N". Do you think if I deny the computer in the radius server this could help my situation?
Guru Elite
Posts: 20,572
Registered: ‎03-29-2007

Re: 802.1x

Let's go through this step by step:

- Do you have "Enforce Machine Authentication" checked in the 802.1x profile?
- What operating system are the devices?
- Do you see the successful authentication for the computer in the radius server?
- Does the device get an ip address?
- Please take off reauthentication: This is not used most of the time.


Colin Joseph
Aruba Customer Engineering
