ArubaOS and Controllers

Occasional Contributor I
Posts: 9
Registered: 05-11-2007

Issue with Machine Authentication/Role Assignment

I have run into an issue with the way that Aruba handles machine authentication and I wanted to post it on the forum to see what others think.

I have a number of Faculty and Students connecting to one SSID using 802.1x. I have had to enable machine authentication for some of the faculty machines so they will work properly with Microsoft. This part of machine authentication works great and I can assign roles to these machines based on returned radius attributes.

The problem is that the remaining machines like apples and student machines get dropped in the machine authentication "fail role" overriding any role that I try to set. I have run into a number of problems that could be solved using Role assignment (example: assigning apple users to one vlan so mdns works) but every time I run into this issue whereby the default overrides what I try to do.

It would be nice if there was a switch whereby I could override the forced behavior and assign a role overriding the default behavior. Very frustrating being stuck because I was forced into enabling machine authentication to support Microsoft but my other clients/OS's have to take a back seat as a result.

Would appreciate other comments in the hopes that something might be done about this.

Thanks

Stephen Holland
Network Engineer
Guru Elite
Posts: 20,808
Registered: 03-29-2007

enforce machine authentication

You might want to look into the "enforce machine authentication" feature in ArubaOS. Please search for this in the user guide of whatever version of ArubaOS you are using to get some background.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor I
Posts: 9
Registered: 05-11-2007

Re: Issue with Machine Authentication/Role Assignment

The problem starts when I "enforce machine authentication". Any device that fails machine authentication will be placed in Machine Authentication: Default User Role. There is no way to override this behavior with returned attributes. Shut off machine authentication and I'm able to assign roles regardless of machine authentication.

What I need to be able to do is assign roles to users who fail machine authentication (about 80% of my users).
Guru Elite
Posts: 20,808
Registered: 03-29-2007

Enforce Machine Authentication - DON'T

Ok,

So you are not the poster child for "Enforce Machine Authentication". Turn that feature off in the 802.1x profile. Rather, make sure that you have a remote access policy on your radius server, allowing machine authentication so that your users who subsequently log in on a domain machine will get a logon script (which you probably do already have). This should work for all devices, and then you can do role derivation on the actual users involved. As long as you are not switching any VLANs by hardcoding VLANs in roles, your role derivation rules should work for all devices.

I guess the magic question is, how are you treating users in different groups like Faculty and Students differently?


Colin Joseph
Aruba Customer Engineering
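The two configurations being compared above, written out as an added illustration (this is not configuration from the thread or from Aruba): the first block is the "enforce machine authentication" setup the original poster is struggling with, the second is the plain 802.1X setup Colin suggests, with roles derived from a RADIUS attribute in the server group instead of from the machine-authentication result. The profile, server-group, server and role names and the Filter-Id values are assumed; lines beginning with # are explanatory and are not ArubaOS CLI.

```text
# Added illustration, not the thread's or Aruba's own configuration.
# Names and Filter-Id values below are assumed for the example.

# --- Setup 1: enforce machine authentication (what the poster has) ---
# Any client that fails machine auth (Macs, student laptops) is placed in
# the user-default-role, and server derivation rules cannot override it.
aaa authentication dot1x "campus-dot1x"
   machine-authentication enable
   machine-authentication machine-default-role "domain-computer"
   machine-authentication user-default-role "machine-auth-fail"
!

# --- Setup 2: plain 802.1X, roles derived from RADIUS (Colin's advice) ---
aaa authentication dot1x "campus-dot1x"
   no machine-authentication enable
!
aaa server-group "acs-group"
   auth-server "acs-1"
   # role derivation from an attribute the RADIUS server returns;
   # these rules now apply to every client, not only to machine-auth passes
   set role condition Filter-Id equals "faculty" set-value "faculty"
   set role condition Filter-Id equals "student" set-value "student"
!
aaa profile "campus-aaa"
   authentication-dot1x "campus-dot1x"
   dot1x-server-group "acs-group"
   dot1x-default-role "authenticated"
!
```

Two things to check when moving to the second setup. The RADIUS server (ACS in this thread) must still have a policy that accepts the machine (host) authentication itself, otherwise domain-joined Windows machines lose their pre-logon connectivity and logon scripts, which is the reason machine authentication was turned on in the first place. And because the controller is no longer tracking whether a device passed machine authentication, any distinction between domain-joined machines and other clients has to be expressed on the RADIUS side, for example by returning a different attribute value for host authentications, rather than through the machine-default-role.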

Occasional Contributor I
Posts: 9
Registered: 05-11-2007

Re: Issue with Machine Authentication/Role Assignment

I am the poster child for breaking things. No matter what feature a vendor offers I seem to be the one that finds the part that does not work ........

Thanks for the different approach. If I understand correctly the Aruba Controller is intercepting the result of the machine authentication and taking the appropriate action? Therefore if I shut off enforce authentication the ACS server (machine auth already enabled) should take care of it? If the Aruba controller has enforce machine authentication disabled will it still cache machine auth credentials on the controllers based on the result from the radius servers?

I did have a situation where I wanted to put somebody in a different vlan to resolve an issue with MDNS (see my other post). What's the issue with switching vlan in a role. I have tried this in the lab and have not had a problem. Of course I did not have enforce machine authentication enabled.



On vacation this week. Look forward to playing with this when I get back to work.
Thanks so much for your insight on this.


Stephen Holland
Network Engineer
Northeastern University
Occasional Contributor I
Posts: 9
Registered: 05-11-2007

Will machine authentication timeout?

I am finally getting around to testing machine authentication with "Enforce Machine Authentication" disabled as suggested in a previous post. I ran this by a local SE and he says that I will get into timeouts if I take this approach. Does anybody have any thoughts on this?

Thanks so much

Steveh
Guru Elite
Posts: 20,808
Registered: 03-29-2007

Timeouts?

If enforce is not on, we are just doing standard dot1x. What kind of timeouts was he referring to?


Colin Joseph
Aruba Customer Engineering
