Occasional Contributor I
Posts: 6
Registered: ‎09-17-2007

Radius machine authentication

I have several groups of laptops that I need to allow on my 802.1X network. I can see that the machine is authenticating via the RADIUS logs, but when a user tries to log in they get a message that the domain cannot be found. If they are a cached user, they will authenticate to the RADIUS server but into the machine via their cached credentials.
These are College owned laptops that we allow for student use. I want them to be able to login, but have the machine use the 802.1X network.
Basically I need the machines to pre-connect to the Aruba wireless before processing Windows login attempts.
Am I missing something obvious?
New Contributor
Posts: 1
Registered: ‎10-26-2009

Re: Radius machine authentication

I am curious to see if anyone has an answer to this question as well. I am also having a similar issue. I am trying to run a batch script during the login process that is on the server, but on wireless it doesn't connect to the domain, so it will not run the script. This is vital because teachers need to have access to certain drives on login. The script works fine when hooked up wired, but wirelessly it does not. Even when using gpedit and forcing a connection on login, as I have seen around in the forums, it doesn't solve the issue. Is there any way to authenticate wirelessly BEFORE logging on at all?
Guru Elite
Posts: 21,026
Registered: ‎03-29-2007

Machine Auth

Do you already have Machine authentication configured on your IAS server?
Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

New Contributor
Posts: 3
Registered: ‎10-15-2009

Re: Radius machine authentication

I'm not sure how your setup is, but I have the setup working. I have machines that are successfully doing machine authentication upon boot up, and then once the user logs in the login script still runs and my drives are mapped. Do you have a different policy used for machine-only authentication than you do for user-only or machine+user authentication?

In our configuration, the machine only policy gets access to DHCP/DNS/Active Directory services and not much else. The user only policy gets only HTTP/HTTPS. Only when both machine auth and user auth are both successful do they get full access to our internal network. I only bring this up because I wonder if it's a firewall setting or something similar.
Occasional Contributor II
Posts: 10
Registered: ‎04-12-2007

Re: Radius machine authentication

I haven't done any "machine authentication", but can't you just drop the IP addresses of your domain controllers/servers in your 802.1x initial "Logon-Role", and allow the machines access to those boxes before and after auth?

We had a similar scenario (but with captive portal), and allowing access to the domain controllers in the logon-role fixed that right up.
Occasional Contributor II
Posts: 27
Registered: ‎03-16-2010

Machine auth for non-domain members in IAS?

I'm not sure how your setup is, but I have the setup working. I have machines that are successfully doing machine authentication upon boot up, and then once the user logs in the login script still runs and my drives are mapped. Do you have a different policy used for machine-only authentication than you do for user-only or machine+user authentication?

In our configuration, the machine only policy gets access to DHCP/DNS/Active Directory services and not much else. The user only policy gets only HTTP/HTTPS. Only when both machine auth and user auth are both successful do they get full access to our internal network. I only bring this up because I wonder if it's a firewall setting or something similar.
We're in testing phase with our campus LAN and have a similar issue, with a bit of a twist:

I have dot1x auth working against IAS, and providing machine, machine+user or user auth on various devices just fine. Here is what we need to accomplish:

1. Domain Computers - machine+user auth = vlan/role for full internal access
2. Non-domain computers/iPhones, etc. - user auth only, but I need to place users in different VLANs based on the response from the RADIUS server. I see the response in debug logs, but only the default user role is ever used, with no option to change the VLAN. Is there another way to put user-only auths in different VLANs based on group memberships?

I can't see a way to return valid machine auth for a non-domain computer or device in IAS.
====
This is documented here:

http://airheads.arubanetworks.com/article/configuring-machine-authentication-part-2

Users are assigned different roles depending on how they authenticate:

* 802.1x_machine_default role when machine authentication succeeds and user authentication fails
* 802.1x_user_default role when user authentication succeeds and machine authentication fails
* 802.1x_fully_authenticated when both machine and user authentication succeeds.
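As an added illustration of the role selection the article above describes (this is example code, not from the thread, Aruba or IAS): it correlates constructed RADIUS accept/reject entries per client MAC, treating a "host/" username as machine authentication, and derives which of the three roles the client would land in. The log format, MACs and usernames are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines; the "host/" prefix marks machine (computer) auth.
SAMPLE_LOG = """\
2010-03-16 08:01:02 Access-Accept user=host/LAB-PC01.college.edu mac=00:11:22:33:44:55
2010-03-16 08:01:40 Access-Accept user=COLLEGE\\jsmith mac=00:11:22:33:44:55
2010-03-16 08:02:10 Access-Accept user=COLLEGE\\mlee mac=00:11:22:33:44:66
2010-03-16 08:03:00 Access-Accept user=host/LAB-PC03.college.edu mac=00:11:22:33:44:77
2010-03-16 08:03:30 Access-Reject user=COLLEGE\\guest mac=00:11:22:33:44:77
"""

# Assumed line layout: date time result user=<name> mac=<mac>
LINE_RE = re.compile(r"^\S+ \S+ (Access-Accept|Access-Reject) user=(\S+) mac=(\S+)$")


def parse(log):
    """Return {mac: {"machine": bool, "user": bool}} from the log text."""
    state = defaultdict(lambda: {"machine": False, "user": False})
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the expected layout
        result, user, mac = m.groups()
        kind = "machine" if user.startswith("host/") else "user"
        state[mac][kind] = state[mac][kind] or result == "Access-Accept"
    return dict(state)


def role_for(machine_ok, user_ok):
    """Role selection as described in the article linked above."""
    if machine_ok and user_ok:
        return "802.1x_fully_authenticated"
    if machine_ok:
        return "802.1x_machine_default"
    if user_ok:
        return "802.1x_user_default"
    return None  # neither passed: client stays in the initial/logon role


def assign_roles(log):
    """Map each MAC seen in the log to the role it would receive."""
    return {mac: role_for(s["machine"], s["user"]) for mac, s in parse(log).items()}


if __name__ == "__main__":
    for mac, role in assign_roles(SAMPLE_LOG).items():
        print(mac, role)
```

A MAC with a user accept but no preceding machine accept (the second client here) is the symptom the original poster describes: the user lands in 802.1x_user_default, where domain resources may be blocked.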
Guru Elite
Posts: 21,026
Registered: ‎03-29-2007

Re: Radius machine authentication

For #2, hardcode a VLAN in the user-only role and they will be switched to that VLAN.


Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 27
Registered: ‎03-16-2010

Re: Radius machine authentication

The problem is that only one VLAN can be used - the article states that without machine auth, only the default user role will be used. I need the ability to use several different VLANs based on user auth results only, i.e. 5 different AD groups each getting a different VLAN. I can get different roles now with captive portal, but changing VLANs in captive portal is not feasible.

I'm hoping the article is incorrect, and there is a way to do this. We need to be able to place dot1x users in different VLANs so we can apply various proxy ACLs, different SRC NAT parameters, etc.

Guru Elite
Posts: 21,026
Registered: ‎03-29-2007

Number of Users

The problem is that only one VLAN can be used - the article states that without machine auth, only the default user role will be used. I need the ability to use several different VLANs based on user auth results only, i.e. 5 different AD groups each getting a different VLAN. I can get different roles now with captive portal, but changing VLANs in captive portal is not feasible.

I'm hoping the article is incorrect, and there is a way to do this. We need to be able to place dot1x users in different VLANs so we can apply various proxy ACLs, different SRC NAT parameters, etc.

Only if users pass BOTH machine and user authentication will putting different users in different roles or VLANs even occur. What I was discussing above is how to treat users that pass only user authentication.


Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 27
Registered: ‎03-16-2010

Re: Radius machine authentication

That's what I thought. So is there any way to allow IAS machine auth to always pass, but simply return a different result code back to the Aruba controller that would indicate whether the machine is a domain member or not?

Assuming IAS can somehow be set up to always allow machine auth to pass, will the Aruba controller do something with the machine auth result *and* the user auth result? Or is it simply machine auth = pass/fail, followed by user auth role selection only if machine auth = pass?

I realize this still leaves out devices that simply can't or won't do machine auth.

We have a fairly complex set of rules built up over 10 years enforced by a Cisco Cat6000 (using VMPS dynamic VLANs on wired ports) and *many* proxy ACLs, so we need to reproduce these on wireless as closely as possible.
