ArubaOS and Controllers

Occasional Contributor I
Posts: 8
Registered: ‎08-11-2011

Machine Auth Issue

Hi Folks,
I am having some trouble setting up machine auth and it is probably something simple I am overlooking. I have ticked "enforce machine authentication" on the controller and created a separate IAS policy for domain computers. I've tried adding domain computers to the existing user policy also with the same result. When I connect I get the default user role from my .1x auth profile and don't see any attempts for the machine auth on the IAS server logs, pass or fail. So as I understand it, the roles given are below.

machine auth status   user auth status   resulting role
failed                pass               default user role
pass                  fail               default machine role
pass                  pass               server derived role or initial role

So I am failing machine auth but there is no log record of it on the IAS log. Can anyone help on what I'm missing? Maybe something in IAS? This is on a 6000 controller running 3.4.4.0 fips.

Thanks
Frequent Contributor II
Posts: 104
Registered: ‎02-25-2011

Re: Machine Auth Issue

Hi,

You need to login to your PC to get the machine to authenticate, have you done that ?

What do you see in "show dot1x machine-auth-table" on the controller?
Occasional Contributor I
Posts: 8
Registered: ‎08-11-2011

Re: Machine Auth Issue

I mean I am on the PC and connecting to the wireless network in order to get the default user role so I am logged into it. Is that what you mean? I also don't see that command.

(Aruba6000) #show dot1x ?
ap-table Show 802.1X AP Table
counters Show 802.1X Counters
supplicant-info Show details about supplicant(s)
Guru Elite
Posts: 20,819
Registered: ‎03-29-2007

Re: Machine Auth Issue


Let's get our definitions straight:

1. - Machine Authentication only involves the radius server and the client. It is what happens when you allow machines from the "Domain Computers" group to authenticate with a rule on the radius server and when you have "authenticate as computer when computer information is available" enabled on the wireless client. The "machine authentication" act only occurs at the ctrl-alt-delete screen. When a machine has authenticated, you should be able to see it on the Aruba controller in the user table as host/. It should get an ip address and be pingable, etc.

2. - Enforce machine authentication is an Aruba construct which, when enabled, allows us to put a device in different roles depending on whether machine authentication, user authentication, or both have taken place.

If you have IAS, you need to look in the "System" portion of the event viewer to see if the machine is passing or failing authentication.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor II
Posts: 104
Registered: ‎02-25-2011

Re: Machine Auth Issue


I'm running 6.1.1.0 and I have the command:

show dot1x machine-auth-cache available to me. I can see the MAC addresses of the PCs that have been authenticated.

You must perform a full login whilst the PC is connected to the wireless; this will store the machine's MAC in the controller's machine authentication table. Just ensure you are connected to the wi-fi, then log out and log back in; this will perform a computer authentication.
Occasional Contributor I
Posts: 8
Registered: ‎08-11-2011

Re: Machine Auth Issue

Thanks folks. Connecting to the wireless, logging out and back in indeed performed a computer auth and gave me my server role as expected. My next question is: what is the easiest way to leverage this? We are doing MAC auth right now to keep non company machines off the wireless but we would like to get away from this. Are we supposed to tell our users to connect to the wireless, then log out and back in? Is that how this is usually handled?
Thanks
Guru Elite
Posts: 20,819
Registered: ‎03-29-2007

Re: Machine Auth Issue

The machine authentication is performed at the ctrl-alt-delete screen
The MAC addresses of devices that passed machine authentication are added to the local user database for later
The "machine authentication cache timeout" parameter in the 802.1x profile under advanced (by default 24 hours) determines how long we cache this information. If you increase this to 168 (7*24), users will only have to stop at the ctrl alt delete once a week.
In other words, tweak this parameter to suit your needs and to manage your user population.


Colin Joseph
Aruba Customer Engineering


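The role table in the original question and the cache-timeout behaviour in the last answer, modelled together as an added example (not ArubaOS code, and not from any poster); the class, function names, timestamps and MAC address are all constructed for illustration, and the "both failed means no role" case is an assumption the thread does not state:

```python
from datetime import datetime, timedelta


class MachineAuthCache:
    """Model of the controller's machine-authentication cache.

    Keyed by client MAC; an entry is valid for cache_timeout_hours after the
    RADIUS server accepted host/<name> at the ctrl-alt-delete logon.
    ArubaOS defaults to 24 h; the answer above suggests 168 h (one week).
    """

    def __init__(self, cache_timeout_hours=24):
        self.timeout = timedelta(hours=cache_timeout_hours)
        self._entries = {}  # mac -> time the machine auth passed

    def record_pass(self, mac, when):
        # Called after a log-out/log-in while on the wireless network.
        self._entries[mac.lower()] = when

    def is_cached(self, mac, now):
        ts = self._entries.get(mac.lower())
        return ts is not None and now - ts <= self.timeout


# (machine auth passed, user auth passed) -> role, as listed in the question
ROLES = {
    (False, True): "default user role",
    (True, False): "default machine role",
    (True, True): "server derived role",
}


def derive_role(cache, mac, user_auth_passed, now):
    """Role a client gets with 'enforce machine authentication' on."""
    machine_ok = cache.is_cached(mac, now)
    if not machine_ok and not user_auth_passed:
        return None  # assumption: neither auth passed, so no role at all
    return ROLES[(machine_ok, user_auth_passed)]


def demo(cache_timeout_hours=168):
    cache = MachineAuthCache(cache_timeout_hours)
    t0 = datetime(2011, 8, 11, 8, 0)     # constructed timestamp
    mac = "00:11:22:33:44:55"            # constructed client MAC
    before = derive_role(cache, mac, True, t0)        # user auth only
    cache.record_pass(mac, t0)                        # logged out and back in
    after = derive_role(cache, mac, True, t0 + timedelta(days=5))
    expired = derive_role(cache, mac, True, t0 + timedelta(days=8))
    return before, after, expired
```

With the default 24 h timeout the same five-day check already falls back to the default user role, which is the symptom the original poster saw.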