05-03-2011 02:37 PM
The current setup for our corporate VAP is a server group with one RADIUS server located centrally. This works fine, but I would like to eliminate traffic traversing our WAN links when possible. I would like to use the local domain controllers on site with RADIUS - so users on the local controllers will use local RADIUS for authentication.
I've been looking at server group match rules on the authstring, which will probably work for machine auth because each of the school machines begins with a unique string for that site. However, for user auth we use one single domain and the authstring would not contain anything unique per site.
Does anyone know if there's a way to specify a RADIUS server be used per local controller, or per subnet?
05-03-2011 02:47 PM
You would have to create a new virtual AP, which under it would have a new AAA profile (which would contain a different server group) and the same SSID profile.
05-04-2011 11:43 AM
05-04-2011 01:02 PM
05-12-2011 10:34 AM
I have implemented a second VAP for that site and it's working fine.
Unfortunately, it hasn't solved my issues which I thought may be latency related. I'm getting tons of problems with the authentication delay between machine auth and user auth. Group policies for folder redirection and drive mappings are failing consistently in our schools. I've turned on RAS tracing and verbose userenv logging trying to troubleshoot this. I drop about 4 pings and that's when Windows is trying to complete user authentication. The Netlogon service and RADIUS authentication are oblivious to each other - sometimes they go in the right order - but often they don't.
I've tried various reg keys and GPO tweaks including "Always wait for network at computer startup and logon" and "Wait for remote user profile", setting GroupPolicyMinTransferRate to 0, adding GpNetworkStartTimeoutPolicyValue with various values starting at 60 but I can consistently get failures stating Network Path not found or folder not accessible. I can't blame this all on roaming profiles because even without them I get GPO failures for folder redirection.
Does anyone have experience making 802.1x work properly with Windows in a domain environment with wireless? Is it a weird combination of offline files, roaming profiles, and folder redirection that we're doing that makes us unique?
I am switching Aruba roles and enforcing machine auth - but I had these same Windows problems before I did that so I know it's not related. I'm not switching VLANs - just role. I can visually see the wireless system tray icon disconnect and then reconnect when the desktop appears. I may try the reg key to disable media sensing on logon next - because none of the GPO timers or delays I'm trying seem to work. I should state that these issues manifest themselves during logon after an initial boot. If a machine is already on and someone has logged in, then logged out, it doesn't seem to fail on subsequent logons (or at least - much less frequently).
Apologies if this should be a separate thread.
05-12-2011 01:59 PM
05-12-2011 03:33 PM
In the GPO, on the IEEE 802.1X tab I changed from User or Computer authentication to Computer only. On the PEAP settings for MSCHAP v2 I unchecked "Automatically use my Windows logon name and password".
The RADIUS server now only does the machine authentication - when a valid user in AD logs in there is no additional RADIUS authentication. From the Aruba controller side, I see the user remain with an 802.1x-MachineAuth role and they show up as Host\Machinename. That is obviously a downside to this method - but it's not like I couldn't find out who is logged onto a machine using psloggedon or other tools.
As long as the 802.1x-MachineAuth role has the same rights as the 802.1x-FullAuth role - the user wouldn't see any difference. The roaming profile and folder redirection seems to work 100% now - the wireless icon never changes and I only drop 1 ping on logon. Users will still need valid AD credentials to sign in.
Can you think of any other downsides or caveats to this approach?
05-13-2011 12:27 AM
On the GPO, turn back on User and Computer Authentication
Make Sure that the Enforce Machine Authentication Machine Only role has an "allowall" policy.
The Machine Only role should be able to be allowed to do anything, because it pretty much represents a computer at the ctrl-alt-delete screen that needs to do background registration, etc. If you do not make this an allowall policy, you WILL run into issues like the one you mention.
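The per-site setup suggested earlier in the thread (a second virtual AP carrying the same SSID profile but its own AAA profile and server group) together with the machine-only role advice in the post above, written out as an ArubaOS 6.x CLI fragment. This is an added example, not configuration posted by anyone in the thread or taken from Aruba's documentation; the profile names, the RADIUS address, the VLAN and the AP group name are placeholders, and the shared secret is redacted. The server group carries only the site's own RADIUS server, so authentication for APs in that group never crosses the WAN, and both roles get an allowall session ACL so the machine-authenticated state can reach the domain controllers for Group Policy and profile traffic.

```text
aaa authentication-server radius "siteA-nps"
   host 10.20.0.10
   key <shared-secret>
   auth-port 1812
   acct-port 1813
!
aaa server-group "siteA-dot1x-srv"
   auth-server "siteA-nps"
!
user-role "dot1x-machine-auth"
   access-list session allowall
!
user-role "dot1x-full-auth"
   access-list session allowall
!
aaa authentication dot1x "siteA-dot1x"
   machine-authentication enable
   machine-authentication machine-default-role "dot1x-machine-auth"
   machine-authentication user-default-role "guest"
!
aaa profile "siteA-aaa"
   authentication-dot1x "siteA-dot1x"
   dot1x-default-role "dot1x-full-auth"
   dot1x-server-group "siteA-dot1x-srv"
!
wlan virtual-ap "corp-siteA"
   ssid-profile "corp-ssid"
   aaa-profile "siteA-aaa"
   vlan 120
!
ap-group "siteA"
   virtual-ap "corp-siteA"
```

After applying it, `show aaa authentication dot1x siteA-dot1x` and `show user-role dot1x-machine-auth` confirm the role mapping and the allowall ACL, and `show user` should list machines at the logon screen with the `host/` identity in the machine-auth role. If the machine-auth role is later tightened, the first thing to re-test is a cold boot followed by a domain logon, since that is where the thread's failures appeared.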
05-13-2011 08:01 AM
The one thing I haven't tested in the GPO is turning back on User and Computer Authentication and keeping the PEAP settings the same without the checkbox for "Automatically use my Windows logon name and password". But I'm not sure what I would gain from doing that - may I ask why you would advise that?
If this solves all of my issues with roaming profiles not being able to be reached, desktops not accessible, and GPOs not firing - I'll live with the lack of visibility from a wireless controller perspective.
05-14-2011 04:27 AM
"Automatically use my Windows logon name and password" allows the computer to automatically submit the username and password of the user trying to log in
"Authenticate as computer when computer information is available" allows the machine to log in with host/
"Enforce Machine Authentication" on the Aruba Controller is not necessary and should be turned off.
Please consult Appendix D of the ArubaOS user guide which will tell you exactly how to configure Microsoft Windows Server AND Microsoft Clients for full functionality.
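The two GPO settings discussed in this thread end up in the wireless profile that Windows applies, which can be exported on a client with `netsh wlan export profile`. The following script reads such a profile and reports the 802.1X authentication mode (Computer only versus User or Computer) and the MSCHAPv2 "use Windows logon credentials" flag, then labels the combination the way the posts above describe it. This is an added check, not something posted in the thread or shipped with Windows or ArubaOS; it assumes the XML element and namespace layout that `netsh wlan export profile` produces, and the embedded profile is a constructed sample with only the relevant elements, not a real export. Treating a missing `authMode` as `machineOrUser` is an assumption about the Windows default.

```python
"""Inspect a Windows WLAN profile for its 802.1X / PEAP settings (added example)."""
import sys
import xml.etree.ElementTree as ET

# Namespaces used in profiles written by `netsh wlan export profile`.
NS = {
    "wlan": "http://www.microsoft.com/networking/WLAN/profile/v1",
    "onex": "http://www.microsoft.com/networking/OneX/v1",
    "base": "http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1",
    "peap": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1",
    "mschap": "http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1",
}

# Constructed sample profile (not a real export): PEAP (25) with inner MSCHAPv2 (26).
PROFILE_TEMPLATE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>corp</name>
  <SSIDConfig><SSID><name>corp</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2</authentication>
      <encryption>AES</encryption>
      <useOneX>true</useOneX>
    </authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <authMode>{auth_mode}</authMode>
      <EAPConfig>
        <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
          <Config>
            <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
              <Type>25</Type>
              <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
                <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
                  <Type>26</Type>
                  <EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1">
                    <UseWinLogonCredentials>{use_winlogon}</UseWinLogonCredentials>
                  </EapType>
                </Eap>
              </EapType>
            </Eap>
          </Config>
        </EapHostConfig>
      </EAPConfig>
    </OneX>
  </security></MSM>
</WLANProfile>
"""


def build_profile(auth_mode, use_winlogon):
    """Fill the constructed template; auth_mode is machine, user or machineOrUser."""
    return PROFILE_TEMPLATE.format(auth_mode=auth_mode,
                                   use_winlogon="true" if use_winlogon else "false")


def _text(elem, path):
    node = elem.find(path, NS)
    return node.text.strip() if node is not None and node.text else None


def inspect_profile(xml_text):
    """Return the 802.1X settings that matter for machine/user authentication."""
    root = ET.fromstring(xml_text)
    onex = root.find(".//onex:OneX", NS)
    if onex is None:
        raise ValueError("profile has no OneX section, so it does not use 802.1X")
    outer = _text(onex, ".//base:Eap/base:Type")            # first Eap in document order
    inner = _text(onex, ".//peap:EapType/base:Eap/base:Type")  # Eap nested inside PEAP
    winlogon = _text(onex, ".//mschap:UseWinLogonCredentials")
    return {
        "ssid": _text(root, "wlan:SSIDConfig/wlan:SSID/wlan:name"),
        # Assumption: an absent authMode means the Windows default, machineOrUser.
        "auth_mode": _text(onex, "onex:authMode") or "machineOrUser",
        "outer_eap_type": int(outer) if outer else None,
        "inner_eap_type": int(inner) if inner else None,
        "use_winlogon_credentials": None if winlogon is None else winlogon == "true",
    }


def classify(info):
    """Label the combination in the terms used in the thread."""
    if info["outer_eap_type"] != 25 or info["inner_eap_type"] != 26:
        return "not-peap-mschapv2"
    mode = info["auth_mode"]
    if mode == "machine":
        # RADIUS only ever sees host/<machine>; the controller shows no user identity.
        return "machine-only"
    creds = "logon-credentials" if info["use_winlogon_credentials"] else "prompt"
    if mode == "machineOrUser":
        return "machine-then-user" if creds == "logon-credentials" else "machine-then-user-prompt"
    return "user-only" if creds == "logon-credentials" else "user-only-prompt"


if __name__ == "__main__":
    # Usage: python check_profile.py <exported-profile.xml>; with no argument, the sample runs.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 \
        else build_profile("machine", False)
    info = inspect_profile(text)
    print(info)
    print("classification:", classify(info))
```

Run it against each exported profile after a GPO change to confirm the client actually received the intended mode; the "machine-only" label corresponds to the workaround described earlier in the thread (Computer only, logon credentials unchecked), and "machine-then-user" to the settings recommended in the last post.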