Frequent Contributor I
Posts: 72
Registered: 03-21-2013

How to disable machine authentication on a BYOD SSID

Hi,

We are using an SSID for BYOD clients. Also, 802.1x authentication is in place. Users are required to enter their Active Directory username and password to log in to the wireless network. We are using EAP-PEAP. The issue we are facing is as follows:

(1) A client logs in to the wireless network and gets the VLAN which is set as default in the VAP profile. However, we are using server rules on the controller.

(2) The user must be put into a VLAN according to the rules specified. I have read on an Aruba support forum that if machine authentication fails, the user is put in the default VLAN specified under the VAP profile. Because machine information for BYOD devices is not present in our Active Directory, most of the clients are put in the default VLAN though they should be assigned a VLAN according to server rules based on a RADIUS attribute. This does not happen with all the clients, but the initial login always puts a client in the default VLAN, as a result of which a user shows up twice on the controller having IP addresses from both VLANs, such as 172.16.0.3 and 192.168.100.3.

Any ideas what might be causing it? It appears that clients are later put into their respective VLANs, but at initial login they get an IP from the default VLAN.

Frequent Contributor I
Posts: 72
Registered: 03-21-2013

Re: How to disable machine authentication on a BYOD SSID

The following link talks about the default VLAN:

http://www.arubanetworks.com/techdocs/ArubaOS_60/UserGuide/802.1x.php

Guru Elite
Posts: 8,638
Registered: 09-08-2010

Re: How to disable machine authentication on a BYOD SSID

Please post your server rules.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I
Posts: 72
Registered: ‎03-21-2013

Re: How to disable machine authentication on a BYOD SSID

Guru Elite
Posts: 21,274
Registered: 03-29-2007

Re: How to disable machine authentication on a BYOD SSID

It looks like you have "Enforce Machine Authentication" enabled in your 802.1x profile. When "Enforce Machine Authentication" is enabled, the server rules are ignored unless a device passes BOTH user AND machine authentication. That means BYOD devices will never have those server derivation rules executed, because they will never pass machine authentication. Users who do not pass machine authentication will get the 802.1x enforce machine authentication user role. If there is a VLAN defined in the Virtual AP, they will get that VLAN.



Colin Joseph
Aruba Customer Engineering


Frequent Contributor I
Posts: 72
Registered: 03-21-2013

Re: How to disable machine authentication on a BYOD SSID

Hi,

Thanks for your response.

Machine authentication enforcement is not enabled. I have double-checked it. Also, the rules are working properly because I can see in the logs that users are put in a role according to the rule specified; however, this is not the case for VLAN assignment. Correct VLAN assignment works, but not for all users. Actually, it may be working correctly, but it creates two user entries on the controller. For example, a user is authenticated and then on the controller I see that the same user has an IP from the vlan10 subnet and from the vlan20 subnet.

Any further ideas please?

Farzan Qureshi
------------------
Network Administrator & Helpdesk support
Rosmini College

Guru Elite
Posts: 21,274
Registered: 03-29-2007

Re: How to disable machine authentication on a BYOD SSID

Looking at your server derivation rules again, I see that you are trying to assign a VLAN and a Role at the same time. Only the first server derivation rule is evaluated and enforced, so only your Role server derivation rule is being evaluated. As a test, if you swap the order of the rules, you will see that only the VLAN would be enforced. If you want to have both the VLAN and the Role changed, the best thing to do is to return an Aruba VSA from the RADIUS server. With a VSA on the RADIUS server you can send multiple attributes like a role and a VLAN at the same time. With server derivation rules, it only evaluates the first rule. A VSA would completely replace server derivation rules on the controller.

Which RADIUS server do you have?



Colin Joseph
Aruba Customer Engineering

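To make the VSA suggestion above concrete, here is an added example (not code from this thread, from Aruba or from NPS) that encodes and parses the RADIUS Vendor-Specific attributes an Access-Accept would carry to set both the user role and the VLAN in one response. It assumes Aruba's IANA vendor ID 14823 and the sub-attributes Aruba-User-Role (1, string) and Aruba-User-Vlan (2, integer) as published in Aruba's RADIUS dictionary; the sample Access-Accept attribute list is constructed, using the thread's Authenticated role and VLAN 117.

```python
import struct

RADIUS_VSA_TYPE = 26     # Vendor-Specific attribute type (RFC 2865)
ARUBA_VENDOR_ID = 14823  # Aruba Networks IANA enterprise number (assumed from Aruba's dictionary)
ARUBA_USER_ROLE = 1      # Aruba-User-Role sub-attribute, string
ARUBA_USER_VLAN = 2      # Aruba-User-Vlan sub-attribute, 32-bit integer

def encode_vsa(vendor_type: int, value: bytes) -> bytes:
    """One Vendor-Specific attribute carrying a single Aruba sub-attribute."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    payload = struct.pack("!I", ARUBA_VENDOR_ID) + sub
    return struct.pack("!BB", RADIUS_VSA_TYPE, 2 + len(payload)) + payload

def build_aruba_vsas(role: str, vlan: int) -> bytes:
    """Attributes an Access-Accept needs to set role AND VLAN in one response."""
    return (encode_vsa(ARUBA_USER_ROLE, role.encode("ascii"))
            + encode_vsa(ARUBA_USER_VLAN, struct.pack("!I", vlan)))

def parse_attributes(data: bytes) -> dict:
    """Walk a RADIUS attribute list and extract the Aruba role/VLAN if present."""
    result = {"role": None, "vlan": None, "other": []}
    pos = 0
    while pos + 2 <= len(data):
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        value = data[pos + 2:pos + attr_len]
        pos += attr_len
        # Anything that is not an Aruba VSA is only recorded by attribute type
        if (attr_type != RADIUS_VSA_TYPE or len(value) < 6
                or struct.unpack("!I", value[:4])[0] != ARUBA_VENDOR_ID):
            result["other"].append(attr_type)
            continue
        sub, spos = value[4:], 0
        while spos + 2 <= len(sub):
            stype, slen = sub[spos], sub[spos + 1]
            if slen < 2 or spos + slen > len(sub):
                raise ValueError("malformed Aruba sub-attribute")
            sval = sub[spos + 2:spos + slen]
            spos += slen
            if stype == ARUBA_USER_ROLE:
                result["role"] = sval.decode("ascii")
            elif stype == ARUBA_USER_VLAN and len(sval) == 4:
                result["vlan"] = struct.unpack("!I", sval)[0]
    return result

# Constructed sample Access-Accept attribute list: a Class attribute (type 25)
# followed by the two Aruba VSAs for the thread's Authenticated role and VLAN 117
SAMPLE_ACCEPT = bytes([25, 6]) + b"nps1" + build_aruba_vsas("Authenticated", 117)
```

Running `parse_attributes` over a captured Access-Accept is a quick way to confirm the server really returned both attributes before looking at the controller side.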

Frequent Contributor I
Posts: 72
Registered: 03-21-2013

Re: How to disable machine authentication on a BYOD SSID

That must be the case!

We are running NPS on Windows Server 2008 R2. How can I add a VSA to the NPS server?

--
Farzan Qureshi | Network Administrator & Help-desk Support | Rosmini College | (09) 487 0 530

Guru Elite
Posts: 21,274
Registered: 03-29-2007

Re: How to disable machine authentication on a BYOD SSID

Sir,

Please take a look at the article here: http://community.arubanetworks.com/t5/Controller-Based-WLANs/How-do-i-go-about-in-doing-Vlan-derivation-against-Microsoft/ta-p/184848



Colin Joseph
Aruba Customer Engineering


Frequent Contributor I
Posts: 72
Registered: 03-21-2013

Re: How to disable machine authentication on a BYOD SSID

Hi,

If you check the server rules, there are two rules which put the client in the Authenticated role in VLAN 117. This is working without any issues. One rule puts the client in the Authenticated role and the other puts the authenticated user in VLAN 117. This makes me think that the rules are working all right. It is not that it matches only the first rule; I have a feeling that it matches all available rules. Otherwise the user would get the Authenticated role and the VLAN would be 2, because VLAN 2 is the default VLAN assigned in the VAP profile.

Any further ideas?

--
Farzan Qureshi | Network Administrator & Help-desk Support | Rosmini College | (09) 487 0 530
