Contributor II
Posts: 52
Registered: ‎03-07-2011

802.1x Machine Authentication Using Aruba 3600 Controllers and Microsoft NPS


Situation:

 

I need to get Machine Authentication working properly over wireless for a small subset of my clients. We use WPA2 Enterprise authentication, and these clients are usually failing on boot with an error that they can't reach an AD server.

 

Hardware:

 

Aruba 3600 Controller (ArubaOS 5.0.3.3) - I do NOT have the PEF module

Aruba AP105 Access Points

Microsoft Windows 2008R2 NPS Server

Microsoft Windows 7 Enterprise Client

 

==================================

 

These things seem to randomly decide when they want to work.  Sometimes you'll boot and it will authenticate a non-cached user with no issue.  Others will fail miserably.  In the few things I've seen on the forums that have matched my situation, it looks like most everyone has the PEF-NG module, so I'm hoping this is not a requirement to allow machine auth.

 

Has anyone got this working?  It seems like voodoo magic to me at the moment... but I'm not an AD guy at all :-)

Frequent Contributor I
Posts: 83
Registered: ‎06-27-2007

Re: 802.1x Machine Authentication Using Aruba 3600 Controllers and Microsoft NPS

PEF-NG is not required for machine authentication.  Having PEF-NG would allow you to place clients into different roles (with unique firewall policies) based upon AD security groups and to prevent users from connecting to your network with non-domain devices among other things.

 

Check the following:

 

1) Ensure that Termination is disabled in the 802.1X authentication profile

2) Verify that the remote access policy on NPS includes authentication from Domain Computers

3) Verify that the clients are configured to authenticate with machine credentials

4) Verify that the client has the public cert for the CA which issued a cert to the RADIUS server

 

If things still are not working, look at the NPS logs in event viewer and see what reason is given for clients that are rejected. 
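One way to carry out the last suggestion above (reading the reason NPS gives for rejected clients), as an added example that is not part of the original posts. It assumes NPS auditing is enabled so that rejections are written to the Security log as event 6273, that machine identities appear as `host/...` or end in `$`, and a 24-hour look-back window.

```powershell
# Added example, not from the thread. Run in an elevated session on the NPS server.
# Assumption: NPS auditing is on, so denied requests are logged as Security event 6273.
$since = (Get-Date).AddHours(-24)   # assumed look-back window

# @() guarantees an array, so the loop is skipped cleanly when nothing matches.
$events = @(Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 6273
    StartTime = $since
} -ErrorAction SilentlyContinue)

$rejections = foreach ($e in $events) {
    # Flatten the <EventData> name/value pairs into a hashtable.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    $user = [string]$data['SubjectUserName']
    New-Object PSObject -Property @{
        Time       = $e.TimeCreated
        Identity   = $user
        # Heuristic (assumption): computer accounts log as host/<fqdn> or NAME$.
        IsMachine  = ($user -like 'host/*') -or ($user -like '*$')
        ClientMac  = $data['CallingStationID']
        Policy     = $data['NetworkPolicyName']
        EapType    = $data['EAPType']
        ReasonCode = $data['ReasonCode']
        Reason     = $data['Reason']
    }
}

$machine = @($rejections | Where-Object { $_.IsMachine })

# Which rejection reasons dominate for machine accounts?
$machine | Group-Object ReasonCode, Reason |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize -Wrap

# Most recent machine rejections, with the policy that handled each one.
$machine | Sort-Object Time -Descending | Select-Object -First 20 |
    Format-Table Time, Identity, ClientMac, Policy, EapType, ReasonCode -AutoSize
```

The `Policy` column shows which network policy handled each rejected request, which helps when checking item 2 of the list, and the reason text helps separate a policy mismatch from a certificate trust problem (item 4).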

Frequent Contributor I
Posts: 72
Registered: ‎09-19-2011

Re: 802.1x Machine Authentication Using Aruba 3600 Controllers and Microsoft NPS


Go through this document. In my organisation we did the same, but we have the PEF license.

Contributor II
Posts: 52
Registered: ‎03-07-2011

Re: 802.1x Machine Authentication Using Aruba 3600 Controllers and Microsoft NPS


xdrewpjx wrote:

 

Check the following:

 

1) Ensure that Termination is disabled in the 802.1X authentication profile

2) Verify that the remote access policy on NPS includes authentication from Domain Computers

3) Verify that the clients are configured to authenticate with machine credentials

4) Verify that the client has the public cert for the CA which issued a cert to the RADIUS server


I'm betting my problem is #2 here.  Not being an AD guy with control over these things, I'm betting my NPS admin never set this up.  I'll follow up with my findings!

Contributor II
Posts: 52
Registered: ‎03-07-2011

Re: 802.1x Machine Authentication Using Aruba 3600 Controllers and Microsoft NPS

Sort of all of the above here.  We're up and running now though!
