ArubaOS and Controllers

Occasional Contributor II

Machine Authentication Cache Timeout

I have 2 SSIDs, one open, one using 802.1x. The 802.1x requires both machine-auth and user-auth.

The problem is that users moving from the open SSID to the 802.1x SSID find themselves occasionally with a 169.x IP which is caused by a timed out DHCP request which is caused (as far as I can tell) by the client not properly re-authenticating itself. Restarting the computer fixes the problem (release/renewing IP and repairing the connection do not help) as this restarts the 802.1x auth process.

I suspect this is linked to the Machine Authentication Cache Timeout setting on the Aruba controller, which is by default set to 24 hrs, as the issue appears to happen when users connect first with 802.1x and then move over to the open SSID for a while (24 hrs?) and then try to move back to the 802.1x.

From what I can see, when the client associates with the 802.1x SSID an entry is placed in the Machine Auth Cache (show userdb-table). However, switching over to an open SSID does NOT remove the 802.1x entry. Thus the machine-auth info expires, the user goes to re-authenticate but is only passing the user-auth info now and is thus not re-authenticated.

Am I correct in that with 802.1x machine-auth is ONLY passed at login and then user-auth is solely used afterwards?

Is there a way to either clear the Machine Auth Cache or force the full 802.1x process without restarting or any other suggestions?
Guru Elite

Machine Authentication Cache

Ether,

My guess is that your user's Machine Authentication State is timing out because the "Machine Authentication Cache" in the 802.1x profile is not long enough. If a user's laptop does not stop at the ctrl-alt-delete screen once every "Machine Authentication Cache" interval (usually 24 hours), the next time they authenticate, Aruba will assume that it is not a domain PC. Increase the Machine Authentication Cache Interval to something like 72 hours and see if your issue goes away.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II

Thanks for the quick reply

I would like to avoid increasing the 24hr period for various reasons (mainly in case the laptop walks as the machine will then still be authenticated).

Any way to clear that machine-auth state from Aruba?
Guru Elite

If the machine walks

The user STILL has to authenticate for the machine to work. If it passes machine auth, but fails user auth, it doesn't get onto the network. If a machine passes machine auth, then it walks, the user STILL has to have either cached or domain credentials to get into the machine if it is offsite. If you have a policy where the screen locks, then the person who steals it still has to know a username and password that is cached. Windows XP/Vista protection mechanisms are still in effect. Enforce machine authentication only allows you to determine if a machine is a domain machine when it logs onto your network wirelessly. The machine state clears after 24 hours, which is what creates your issue. Enforce machine authentication does not allow a person to skip user authentication.


Colin Joseph
Aruba Customer Engineering


Occasional Contributor II

Thanks cjoseph

I turned on logging for my test client (logging level debugging user-debug MAC) and then checked the auth log (show auth-tracebuf). Here's the result. You can see where the machine-auth fails:

May 11 09:20:03 station-down * (client mac) (server mac) - -
May 11 09:20:07 station-up * (client mac) (server mac) - - wpa2 aes
May 11 09:20:07 station-data-ready * 16 -
May 11 09:20:07 wpa2-key1 <- (client mac) (server mac) - 117
May 11 09:20:07 eap-start -> (client mac) (server mac) - -
May 11 09:20:07 eap-id-req <- (client mac) (server mac) 2 5
May 11 09:20:07 eap-id-resp -> (client mac) (server mac) 2 21 (domain\username)
May 11 09:20:07 rad-req -> (client mac) (server mac) 19 212
May 11 09:20:07 rad-resp <- (client mac) (server mac) 19 77
May 11 09:20:07 eap-req <- (client mac) (server mac) 3 6
May 11 09:20:07 eap-resp -> (client mac) (server mac) 3 112
May 11 09:20:07 rad-req -> (client mac) (server mac) 20 328
May 11 09:20:07 rad-resp <- (client mac) (server mac) 20 203
May 11 09:20:07 eap-req <- (client mac) (server mac) 4 132
May 11 09:20:07 eap-resp -> (client mac) (server mac) 4 53
May 11 09:20:07 rad-req -> (client mac) (server mac) 21 269
May 11 09:20:07 rad-resp <- (client mac) (server mac) 21 109
May 11 09:20:07 eap-req <- (client mac) (server mac) 7 38
May 11 09:20:07 eap-resp -> (client mac) (server mac) 7 38
May 11 09:20:07 rad-req -> (client mac) (server mac) 22 254
May 11 09:20:07 rad-accept <- (client mac) (server mac) 22 228
May 11 09:20:07 eap-success <- (client mac) (server mac) 8 4
May 11 09:20:07 station-data-ready * (client mac) 00:00:00:00:00:00 16 -
May 11 09:20:07 m-auth req * (client mac) (server mac) - -
May 11 09:20:07 station-data-ready * (client mac) 00:00:00:00:00:00 16 -
May 11 09:20:07 m-auth resp * (client mac) (server mac) - - failed
May 11 09:20:07 wpa2-key1 <- (client mac) (server mac) - 117
May 11 09:20:07 wpa2-key2 -> (client mac) (server mac) - 119
May 11 09:20:07 wpa2-key3 <- (client mac) (server mac) - 151
May 11 09:20:07 wpa2-key4 -> - 95

I've found a good article on the XP 802.1x process and relevant reg keys here: http://technet.microsoft.com/en-us/library/cc755892.aspx. It looks like my options are 1) machine-auth at logon and then user-auth only from then on 2) machine-auth only or 3) increasing the machine-auth age timer on Aruba.
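As an added example (not code from this thread, from Aruba, or from the TechNet article), here is a small Python script that parses lines in the "show auth-tracebuf" format posted above and reports, per client MAC, whether the user 802.1x exchange reached eap-success and whether the following "m-auth resp" passed or failed, which is exactly the user-auth-ok / machine-auth-failed pattern in the trace. It also carries through the 24-hour cache reasoning from the earlier reply as a simple timestamp check. The MAC addresses, the timestamps, and the "eap-failure" event name are constructed assumptions; only "eap-success" and "m-auth resp ... failed" appear in the posted output.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the "show auth-tracebuf" lines in the post
# above. The MAC addresses are made up; the real output shows the client and
# server MACs in those positions.
CLIENT = "00:11:22:33:44:55"
SERVER = "00:aa:bb:cc:dd:ee"
SAMPLE_TRACEBUF = f"""\
May 11 09:20:03 station-down * {CLIENT} {SERVER} - -
May 11 09:20:07 station-up * {CLIENT} {SERVER} - - wpa2 aes
May 11 09:20:07 station-data-ready * 16 -
May 11 09:20:07 eap-start -> {CLIENT} {SERVER} - -
May 11 09:20:07 eap-id-resp -> {CLIENT} {SERVER} 2 21 (domain\\username)
May 11 09:20:07 rad-accept <- {CLIENT} {SERVER} 22 228
May 11 09:20:07 eap-success <- {CLIENT} {SERVER} 8 4
May 11 09:20:07 m-auth req * {CLIENT} {SERVER} - -
May 11 09:20:07 m-auth resp * {CLIENT} {SERVER} - - failed
May 11 09:20:07 wpa2-key4 -> - 95
"""

MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$", re.I)
DIRECTIONS = {"*", "<-", "->"}


def parse_tracebuf_line(line):
    """Split one tracebuf line into timestamp, event, direction, client MAC and tail.

    Event names may be one token ("eap-success") or two ("m-auth resp"), so the
    event is everything between the timestamp and the direction marker. Some
    lines (station-data-ready, wpa2-key4) carry no MACs at all.
    """
    tokens = line.split()
    if len(tokens) < 5:
        return None
    pos = next((i for i, t in enumerate(tokens) if i >= 3 and t in DIRECTIONS), None)
    if pos is None:
        return None
    tail = tokens[pos + 1:]
    macs = [t for t in tail if MAC_RE.match(t)]
    return {
        "ts": " ".join(tokens[:3]),
        "event": " ".join(tokens[3:pos]),
        "direction": tokens[pos],
        "client": macs[0] if macs else None,   # first MAC on the line is the client's
        "tail": [t for t in tail if not MAC_RE.match(t)],
    }


def verdict(s):
    """Turn the two recorded outcomes into a one-line diagnosis."""
    if s["user_auth"] == "success" and s["machine_auth"] == "failed":
        return "user-auth ok, machine-auth failed: no valid machine-auth cache entry for this client"
    if s["user_auth"] == "success" and s["machine_auth"] == "passed":
        return "user-auth ok, machine-auth ok"
    if s["user_auth"] == "failure":
        return "user-auth failed: check the RADIUS server's reject reason"
    return "incomplete: no EAP outcome seen for this client"


def classify_sessions(text):
    """Per client MAC: EAP identity, user 802.1x outcome, machine-auth outcome, verdict."""
    sessions = {}
    for raw in text.splitlines():
        rec = parse_tracebuf_line(raw)
        if rec is None or rec["client"] is None:
            continue
        s = sessions.setdefault(rec["client"],
                                {"identity": None, "user_auth": None, "machine_auth": None})
        ev = rec["event"]
        if ev == "eap-id-resp":
            ident = [t for t in rec["tail"] if t.startswith("(")]
            if ident:
                s["identity"] = ident[0].strip("()")
        elif ev == "eap-success":
            s["user_auth"] = "success"
        elif ev == "eap-failure":   # assumed name of the failure counterpart; not in the posted trace
            s["user_auth"] = "failure"
        elif ev == "m-auth resp":
            s["machine_auth"] = "failed" if "failed" in rec["tail"] else "passed"
    for s in sessions.values():
        s["verdict"] = verdict(s)
    return sessions


def machine_auth_cache_expired(last_machine_auth, now, cache_hours=24):
    """True when the cached machine-auth state is older than the configured
    Machine Authentication Cache Timeout (24 h by default on the controller)."""
    return now - last_machine_auth >= timedelta(hours=cache_hours)


# Constructed timeline: the laptop last passed machine-auth at 08:00 on May 10
# and comes back to the 802.1x SSID 26 hours later.
SAMPLE_LAST_MACHINE_AUTH = datetime(2010, 5, 10, 8, 0)
SAMPLE_RECONNECT = SAMPLE_LAST_MACHINE_AUTH + timedelta(hours=26)

if __name__ == "__main__":
    for mac, s in classify_sessions(SAMPLE_TRACEBUF).items():
        print(mac, s["identity"], s["verdict"])
    print("expired with 24h cache:", machine_auth_cache_expired(SAMPLE_LAST_MACHINE_AUTH, SAMPLE_RECONNECT))
    print("expired with 72h cache:", machine_auth_cache_expired(SAMPLE_LAST_MACHINE_AUTH, SAMPLE_RECONNECT, 72))
```

Feed it the real tracebuf text (with the real MACs in place of the placeholders) and each client that shows eap-success followed by a failed m-auth resp is one whose machine state the controller no longer holds; the cache check shows why a 26-hour gap on the open SSID trips the default 24-hour timeout but not a 72-hour one.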
Guru Elite

Machine Authentication

Ether,
What does the radius server say when this client fails authentication? The Aruba controller is merely repeating what it got back from your radius server. What does your radius server say when the machine fails? This portion of the authentication is not influenced by the Aruba controller.

In addition, the registry key that you mention will make it so that the computer ONLY sends the machine credentials, or ONLY sends the user credentials. It really should not be changed.


Colin Joseph
Aruba Customer Engineering

