Frequent Contributor I
Posts: 126
Registered: ‎07-06-2010

802.1x with NPS and windows 7 single sign on

This is driving me a bit nutty :)

So we have SSO enabled for our 802.1x network and it works perfectly about 10% of the time :)

We have a computer role set up with limited network access, and a user role that has more. But the majority of the time the user logs in to the machine it says "unable to connect to <SSID>", but when I look at the Aruba debug for that client it clearly connects and changes the role appropriately.

So in the end there is no issue with the user's ability to log in, but it just drives me crazy to see that message.

Some background:

We have a DigiCert SSL cert for our NPS server

We turned off cert verification for testing purposes

Enabled SSO from GPO with the correct SSID

[Attached screenshots: GPO-general.PNG, GPO-Advanced.PNG]

 

Guru Elite
Posts: 8,765
Registered: ‎09-08-2010

Re: 802.1x with NPS and windows 7 single sign on

If they are all Windows 7 machines, you don't even need to do machine authentication. Just select "Perform immediately before User Logon" and it will use the user's credentials to associate, then make the AD authentication request.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I
Posts: 126
Registered: ‎07-06-2010

Re: 802.1x with NPS and windows 7 single sign on

That works fine, unless the user has not already logged into the machine (in my experience). These are actually desktops in question, and we would like them to get GPO updates/Windows updates when nobody is logged in.

So we added machine auth that gives some granular access so a new user can still log in.

I did notice the clock on the Aruba controller is a couple of minutes off the rest of my network, but authentication seems to be working fine.

If I restart the machine the first login always connects to the SSID correctly. It's only the next user that has an issue.

Guru Elite
Posts: 8,765
Registered: ‎09-08-2010

Re: 802.1x with NPS and windows 7 single sign on

A new user will work with this configuration. We use this on all campus computers for both wired and wireless 1x without machine authentication.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Aruba
Posts: 1,644
Registered: ‎04-13-2009

Re: 802.1x with NPS and windows 7 single sign on

You mention you have 2 different roles for computers and users; do these correspond to two different VLANs (or VLAN pools) or are they the same VLAN just with different roles/restrictions?  If these use the same VLAN (or VLAN pool) then there is no need to enable SSO at all.  By using "User or Computer" authentication, your computers should authenticate to the network when no one is logged in.  This should allow users (even new users) to log onto the computer and authenticate to AD and get GPOs/Scripts/etc; as the computer is already on the wireless network.  Once the user authenticates, Windows will flip from computer to user logon to the wireless and Aruba will change the role for the user.

 

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Frequent Contributor I
Posts: 126
Registered: ‎07-06-2010

Re: 802.1x with NPS and windows 7 single sign on

How are you getting this to work properly? When we look at the RADIUS logs we see the computer attempt an authentication as soon as it boots up; it does not matter if it's set to "user only" or "user or computer".

From reading Microsoft's documentation it works like this:

If you are set to ONLY user authentication and there is no user logged into the machine, the machine still sends a RADIUS authentication for the machine: host/somecomputer

This then gets rejected by NPS, and then Windows (the client) enables a block timer of 20 minutes (the client will not respond to any other RADIUS requests, but can send a new one).

Therefore what happens with user-only authentication is: when you first turn a machine on and log in as a NEW user it will work, most of the time. BUT if you turn the machine on and just let it sit, and then try to log in, it will fail, because the machine has already attempted to log in with the machine credentials and failed, then set the block timer.

For your mobile users they will never see an issue again because the system will use their cached credentials anyway. We have hundreds of laptops set up with just the SSO / user authentication and it does work, but what we are noticing is the above issues...

Frequent Contributor I
Posts: 126
Registered: ‎07-06-2010

Re: 802.1x with NPS and windows 7 single sign on

clembo,

That does not work well, because mapped drives will not mount quickly enough and cause "unable to connect all network drives".

We use a single VLAN with different roles (the initial role is VERY restrictive, the user role is less restrictive). So if we do not use SSO then the machine does not switch roles before the login process completes... The computer role can really only get a DHCP address and see the domain controllers, but no other servers, including mapped drives, etc... So yes, GPOs will work in this config, but drive mapping is clunky...

Guru Elite
Posts: 8,765
Registered: ‎09-08-2010

Re: 802.1x with NPS and windows 7 single sign on

Here is our 1x configuration that we push out through group policy. All drives map correctly and GPOs apply without issue.

[Attached screenshot: LyndonGPO.PNG]


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Aruba
Posts: 1,644
Registered: ‎04-13-2009

Re: 802.1x with NPS and windows 7 single sign on

I understand now: if the computer role restricts access to the file server where the mapped drives are (and if it cannot be changed), then yes, my suggestion will not work for you. However, to respond to your previous post where you mention:

danstl wrote:

If you are set to ONLY user authentication and there is no user logged into the machine, the machine still sends a RADIUS authentication for the machine: host/somecomputer

This then gets rejected by NPS, and then Windows (the client) enables a block timer of 20 minutes (the client will not respond to any other RADIUS requests, but can send a new one)

If you have configured the client (or through GPO) to use "User Authentication" then the computer should never try to authenticate. Even if it did, if you set up NPS policies to allow the computer to authenticate, it should never get rejected. The block timer you mention of 20 mins; where is that coming from, Aruba?

In any event, SSO should work for your scenario for what you are trying to do.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Frequent Contributor I
Posts: 126
Registered: ‎07-06-2010

Re: 802.1x with NPS and windows 7 single sign on

clembo wrote:

I understand now: if the computer role restricts access to the file server where the mapped drives are (and if it cannot be changed), then yes, my suggestion will not work for you. However, to respond to your previous post where you mention:

danstl wrote:

If you are set to ONLY user authentication and there is no user logged into the machine, the machine still sends a RADIUS authentication for the machine: host/somecomputer

This then gets rejected by NPS, and then Windows (the client) enables a block timer of 20 minutes (the client will not respond to any other RADIUS requests, but can send a new one)

If you have configured the client (or through GPO) to use "User Authentication" then the computer should never try to authenticate. Even if it did, if you set up NPS policies to allow the computer to authenticate, it should never get rejected. The block timer you mention of 20 mins; where is that coming from, Aruba?

In any event, SSO should work for your scenario for what you are trying to do.


The block timer is built into Windows. Because you have an AP deployed via GPO, even if it's set to USER-only authentication the system will authenticate, because it will attempt to connect to the AP in question and it will send the user credentials as the computer host.

The SSO works fine; it is just that we see an intermittent issue where someone attempts to log in and Windows says "unable to connect to <SSID>". Looking at the debug logs in the Aruba controller and the RADIUS server we see everything is working as intended...

We have been able to readily reproduce this in a "user"-only authentication scenario:

Turn on machine
Log in as a new user
Everything works.

Turn on machine
Come back in 15 minutes
Log in as a new user
Unable to connect message

Check the logs on the computer and you will see a message about a failed connection attempt for user "host/computername" and a 20 min block timer is in effect.
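To confirm the block-timer explanation from collected logs rather than by reproduction, here is an added example (not from this thread or any of its participants) that correlates rejected host/ machine authentications with later user logon attempts using the 20-minute timer described above. The record format, hostnames, accounts and timestamps are constructed for illustration and are not a real NPS or Windows event log layout; all records are assumed to come from one client.

```python
from datetime import datetime, timedelta

# Windows 802.1X block timer as described in the thread: after a rejected
# host/ (machine) authentication the supplicant ignores requests for 20 minutes.
BLOCK_WINDOW = timedelta(minutes=20)

# Constructed sample records in a hypothetical simplified format:
# (timestamp, identity, outcome). Not a real NPS or Windows event log layout,
# and every record is assumed to belong to the same client machine.
SAMPLE_EVENTS = [
    ("2013-03-04 08:00:10", "host/desktop01.corp.example", "reject"),  # machine left idle after boot
    ("2013-03-04 08:15:30", "CORP\\newuser", "attempt"),               # logon 15 min later
    ("2013-03-04 08:21:00", "CORP\\otheruser", "attempt"),             # logon after the timer expired
    ("2013-03-04 09:00:15", "CORP\\newuser", "attempt"),               # fresh boot, logon before any host/ reject
]

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def block_windows(events):
    """One (start, end) window per rejected host/ authentication."""
    windows = []
    for ts, identity, outcome in events:
        if identity.startswith("host/") and outcome == "reject":
            start = parse_ts(ts)
            windows.append((start, start + BLOCK_WINDOW))
    return windows

def classify_logins(events):
    """Flag each user logon attempt that falls inside an active block window.

    Returns a list of (identity, timestamp, verdict); verdict is 'blocked'
    when an earlier host/ rejection still has its timer running, else 'ok'.
    """
    windows = block_windows(events)
    verdicts = []
    for ts, identity, outcome in events:
        if identity.startswith("host/"):
            continue  # machine attempts are the cause, not the symptom
        t = parse_ts(ts)
        blocked = any(start <= t < end for start, end in windows)
        verdicts.append((identity, ts, "blocked" if blocked else "ok"))
    return verdicts

if __name__ == "__main__":
    for identity, ts, verdict in classify_logins(SAMPLE_EVENTS):
        print(f"{ts}  {identity:<20} {verdict}")
```

Running it marks only the 08:15:30 logon as blocked, matching the "turn on, wait 15 minutes, log in" reproduction above.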