ArubaOS and Controllers

Contributor I
Posts: 22
Registered: ‎01-20-2011

Machine authentication and network drive mappings or GP application

About a month ago, we managed to integrate authentication with our newly installed AD. That has been working great (minus the hiccup with the expiration of the cert on the controllers) for more than a month now. What we are experiencing now is that users of laptops are not having their drives mapped when they log on. They seem to log on using cached credentials initially, then they log on to the wireless LAN after that automatically using their Windows credentials. I've been playing around with different settings on the controller and in our RADIUS server, but I can't seem to get machine authentication to work.

Here is a run down of what I've done so far:

I've created a second policy in NPS to allow the machine group of domain computers to access the wireless. At first I tried adding this to the same policy to allow domain users, but it would always fail--so this may be where my problem is.

I disabled termination on the controller. I had a server group comprised of the internal server and our radius server before. I had to remove the internal server from the group to disable termination.

I've toggled enforce machine authentication on and off throughout my testing.

My questions are:

1) Is machine authentication what I need to allow users to login on a computer that may not have a profile on it (from a previously wired connection)?
2) Will machine authentication let the laptop connect to the network and then allow network drives to map once the user logon is processed?
3) What am I doing wrong? Haha.

Any direction that will help is greatly appreciated.
Mark
Guru Elite
Posts: 21,270
Registered: ‎03-29-2007

Re: Machine authentication and network drive mappings or GP application


About a month ago, we managed to integrate authentication with our newly installed AD. That has been working great (minus the hiccup with the expiration of the cert on the controllers) for more than a month now. What we are experiencing now is that users of laptops are not having their drives mapped when they log on. They seem to log on using cached credentials initially, then they log on to the wireless LAN after that automatically using their Windows credentials. I've been playing around with different settings on the controller and in our RADIUS server, but I can't seem to get machine authentication to work.

Here is a run down of what I've done so far:

I've created a second policy in NPS to allow the machine group of domain computers to access the wireless. At first I tried adding this to the same policy to allow domain users, but it would always fail--so this may be where my problem is.

I disabled termination on the controller. I had a server group comprised of the internal server and our radius server before. I had to remove the internal server from the group to disable termination.

I've toggled enforce machine authentication on and off throughout my testing.

My questions are:

1) Is machine authentication what I need to allow users to login on a computer that may not have a profile on it (from a previously wired connection)?
2) Will machine authentication let the laptop connect to the network and then allow network drives to map once the user logon is processed?
3) What am I doing wrong? Haha.

Any direction that will help is greatly appreciated.
Mark




1. Create a remote access policy on IAS/NPS that allows the "Domain Computers" group to log in. Make sure the PEAP settings, as well as the certificate for your RADIUS server, are in the Remote Access Policy.
2. On the wireless config for your laptops, make sure "Authenticate as computer when computer information is available" is checked.
3. Disable termination.

Log off the computer and look at the user table to make sure that host/ has logged into the network.

If that does not work, look in the Event Viewer of the Windows IAS/NPS server to see why the user failed.


Colin Joseph
Aruba Customer Engineering

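Two checks that follow Colin's list, as an added example (not code from the thread, from Aruba or from Microsoft). The first runs on a domain-joined laptop and reads the WLAN profile that Group Policy pushed down, to confirm it really does computer authentication and validates the RADIUS server certificate; the second runs on the NPS server and pulls the most recent denials out of the Security log with the reason NPS recorded. The profile name 'Corp-WLAN' is an assumption.

```powershell
# Added example, not code from the thread. Run Test-WlanMachineAuth on a
# domain-joined laptop and Get-NpsDenial on the NPS server, both elevated.
# The profile name 'Corp-WLAN' used at the bottom is an assumption.

function Test-WlanMachineAuth {
    param([Parameter(Mandatory)][string]$ProfileName)

    # netsh writes the whole profile, including the 802.1X (OneX) block, as XML.
    $dir = Join-Path $env:TEMP 'wlan-profile-check'
    Remove-Item -Recurse -Force $dir -ErrorAction SilentlyContinue
    New-Item -ItemType Directory -Path $dir | Out-Null
    netsh wlan export profile name="$ProfileName" folder="$dir" | Out-Null
    $file = Get-ChildItem $dir -Filter '*.xml' | Select-Object -First 1
    if (-not $file) { throw "Profile '$ProfileName' not found; 'netsh wlan show profiles' lists them" }

    [xml]$p = Get-Content -Raw $file.FullName
    $ns = New-Object System.Xml.XmlNamespaceManager($p.NameTable)
    $ns.AddNamespace('ox',   'http://www.microsoft.com/networking/OneX/v1')
    $ns.AddNamespace('ec',   'http://www.microsoft.com/provisioning/EapCommon')
    $ns.AddNamespace('peap', 'http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1')

    # authMode "machineOrUser" is the XML form of the GUI checkbox
    # "Authenticate as computer when computer information is available".
    $authMode = $p.SelectSingleNode('//ox:OneX/ox:authMode', $ns)
    $eapType  = $p.SelectSingleNode('//ec:Type', $ns)             # 25 = PEAP
    $sv       = $p.SelectSingleNode('//peap:ServerValidation', $ns)

    $mode = if ($authMode) { $authMode.InnerText } else { '(missing: profile is not 802.1X)' }
    $eap  = if ($eapType)  { $eapType.InnerText }  else { '?' }
    # Server validation is what keeps PEAP safe: without a trusted root CA and
    # server name check, a rogue AP with any RADIUS certificate can collect the
    # laptop's MSCHAPv2 exchange.
    $names = if ($sv) { $sv.ServerNames } else { $null }
    $cas   = if ($sv) { @($sv.TrustedRootCA) -join ', ' } else { $null }

    [pscustomobject]@{
        Profile         = $ProfileName
        AuthMode        = $mode
        MachineAuthOK   = (@('machineOrUser', 'machine') -contains $mode)
        EapType         = $eap
        ValidatesServer = [bool]($sv -and $cas)
        ServerNames     = $names
        TrustedRootCAs  = $cas
    }
}

function Get-NpsDenial {
    param([int]$Last = 20)
    # NPS writes granted access as event 6272 and denied access as 6273 in the
    # Security log. The "Network Policy Server" audit subcategory must be on
    # (auditpol /get /subcategory:"Network Policy Server" shows it).
    try {
        $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273 } -MaxEvents $Last -ErrorAction Stop
    } catch {
        Write-Warning "No 6273 events found: $($_.Exception.Message)"
        return
    }
    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML rather than
        # relying on positional Properties[] indexes.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time   = $e.TimeCreated
            # host/laptop.domain for a machine attempt, DOMAIN\user for a user attempt
            User   = $d['FullyQualifiedSubjectUserName']
            MAC    = $d['CallingStationID']
            Policy = $d['NetworkPolicyName']
            EAP    = $d['EAPType']
            Reason = "$($d['ReasonCode']): $($d['Reason'])"
        }
    }
}

# On the laptop:
Test-WlanMachineAuth -ProfileName 'Corp-WLAN'
# On the NPS server, after a failed logon attempt:
Get-NpsDenial -Last 10 | Format-Table -AutoSize
```

The User column is the quickest way to see which of the two NPS policies a failure is hitting: machine attempts arrive as host/<computer FQDN>, user attempts as DOMAIN\user, and the Reason text NPS records says whether the request matched no policy, failed the credential check, or used an EAP type the matching policy does not allow. On the controller side, `show user-table` is where the host/ entry Colin mentions shows up after a log-off.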

Contributor I
Posts: 22
Registered: ‎01-20-2011

Re: Machine authentication and network drive mappings or GP application

Thanks Colin!

I went back through what I had done and most was set already. I wasn't sure where the cert is supposed to go in the policy, but I believe we have the CA cert, which is our own cert, so I think we are ok there. I already had termination disabled, so good there. What happened is that group policy was changed so that computer authentication was not being used. After testing with it turned back on, I think we are in business to try out for our users.

One other thing I changed is the default role for machine authentication. I changed both to authenticated from their default of guest. That sped up logins considerably for us.

Thanks again for your help.
Mark
Contributor I
Posts: 22
Registered: ‎01-20-2011

Re: Machine authentication and network drive mappings or GP application

I've been watching clients connect for the last hour or so. I was poking around and happened to look at the internal database, and it has several "users" added to it now that weren't there before today. The user names are the MAC addresses of machines that have machine/computer authenticated this afternoon. Is this normal behavior? Thanks!
Aruba Employee
Posts: 664
Registered: ‎04-15-2009

Re: Machine authentication and network drive mappings or GP application

Mark - yes, that is normal. When a client successfully passes machine authentication, the MAC address is added to the internal DB for the length of the cache timeout. When the MAC address exists, machine auth is not checked against AD. When the MAC address doesn't exist, the machine auth request is forwarded to AD.

This also helps when clients don't login/logout in a timely manner. Machine auth is only performed by Windows on login/logout. So, if the client attempts to connect to the WLAN (outside of a Windows login/logout) and machine auth is enforced, it is a good thing to have the MAC cached in the DB.
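A small model of the cache behaviour described above, as an added example (not Aruba's code): it shows when the controller consults AD and when the cached MAC answers instead, and what happens to a laptop that reconnects after the cache entry has expired without a Windows login/logout in between. The 24-hour cache timeout, the host names and MAC address, and the role names are assumptions; the four-way role outcome is the documented ArubaOS behaviour when "enforce machine authentication" is on, with the two default roles Mark changed from guest to authenticated exposed as parameters.

```powershell
# Added example, not Aruba code: a model of machine-auth caching on the
# controller. Cache timeout, names, MAC and roles are assumptions.

$script:MachineAuthCache = @{}   # MAC -> expiry; stands in for the internal DB entries

function Invoke-DomainMachineAuth {
    # Stand-in for NPS/AD: passes if the host/ account is in Domain Computers.
    param([string]$HostAccount)
    $domainComputers = @('host/LAPTOP-01.corp.example', 'host/LAPTOP-02.corp.example')  # constructed
    return ($domainComputers -contains $HostAccount)
}

function Invoke-WlanAuth {
    param(
        [Parameter(Mandatory)][string]$Mac,
        [string]$HostAccount = '',          # empty when Windows is not at a login/logout, so no host/ creds are sent
        [bool]$UserAuthPassed = $false,
        [datetime]$Now = (Get-Date),
        [timespan]$CacheTimeout = [timespan]::FromHours(24),   # assumed value
        [string]$DefaultMachineRole = 'guest',                 # "machine authentication default machine role"
        [string]$DefaultUserRole = 'guest'                     # "machine authentication default user role"
    )
    $machinePassed = $false
    $source = 'none'

    # 1. A live cache entry answers the machine-auth question; AD is not asked.
    if ($script:MachineAuthCache.ContainsKey($Mac) -and $script:MachineAuthCache[$Mac] -gt $Now) {
        $machinePassed = $true
        $source = 'cache'
    }
    # 2. Otherwise forward to AD, which only works if the client sent host/ credentials.
    elseif ($HostAccount) {
        $machinePassed = Invoke-DomainMachineAuth $HostAccount
        $source = 'AD'
        if ($machinePassed) { $script:MachineAuthCache[$Mac] = $Now + $CacheTimeout }
    }

    # 3. Role derivation with "enforce machine authentication" on.
    $role = if ($machinePassed -and $UserAuthPassed) { 'authenticated' }   # server-derived or default 802.1X role
            elseif ($machinePassed)                  { $DefaultMachineRole }
            elseif ($UserAuthPassed)                 { $DefaultUserRole }
            else                                     { 'denied' }

    [pscustomobject]@{ Mac = $Mac; MachineAuth = $machinePassed; Source = $source; Role = $role }
}

$t0  = [datetime]'2011-03-01T08:00:00'
$mac = '00:1a:2b:3c:4d:5e'

# Boot/login: host/ creds sent, cache miss, request goes to AD and the MAC is cached.
Invoke-WlanAuth -Mac $mac -HostAccount 'host/LAPTOP-01.corp.example' -UserAuthPassed $true -Now $t0
# Reconnect an hour later mid-session: no host/ creds, but the cached MAC passes machine auth without AD.
Invoke-WlanAuth -Mac $mac -UserAuthPassed $true -Now $t0.AddHours(1)
# Reconnect two days later with no login/logout since: cache expired, user auth alone -> default user role.
Invoke-WlanAuth -Mac $mac -UserAuthPassed $true -Now $t0.AddDays(2)
```

The third call is the case the post warns about: with the defaults left at guest, that laptop lands in the guest role until the next log-off/log-on refreshes the cache entry, which is why changing the two default roles made a visible difference for Mark's users.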