Occasional Contributor I
Posts: 9
Registered: 01-18-2011

Machine Authentication Fail

Dear All,

Is there any way to have enforce machine authentication and server derivation (with NPS) work together?

I have a problem with my customer: every time they change their password, they are unable to log in again. They have to use a cable, or log in with their old password, connect to an SSID with less security (PSK), do gpupdate... then voila, they are able to log on with their new password.

I found out that machine authentication does not work, because when the client logs off and I press Ctrl+Alt+Del, I can't ping them (just to see if the machine connects to the network or not).

I disabled "enforce machine authentication" because when I use that setting, server derivation does not work.

Guru Elite
Posts: 19,948
Registered: 03-29-2007

Re: Machine Authentication Fail

Machine Authentication should take place when the user logs out of the network, and the laptop should be able to get an IP address at the Ctrl-Alt-Delete prompt. Do you see the machine authentication happen when the user logs out? If that is not happening, you need to make sure your wireless settings have your client authenticate as a user AND computer. Your client should be able to change his/her password at the login prompt.

If you have everything configured and it is still not working, the only reason would be that the machine role and the full 802.1x role have different VLANs and breaks the connection on login. Please make sure the machine does not switch VLANs when the user is logging into the network.

 

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
Occasional Contributor I
Posts: 9
Registered: 01-18-2011

Re: Machine Authentication Fail

Yes, I already made sure the client setting is OK. I even checked the Single Sign-On option.

Could you elaborate more on the reply below? I don't quite understand it.

"If you have everything configured and it is still not working, the only reason would be that the machine role and the full 802.1x role have different VLANs and breaks the connection on login. Please make sure the machine does not switch VLANs when the user is logging into the network."

Guru Elite
Posts: 19,948
Registered: 03-29-2007

Re: Machine Authentication Fail

wreqenize wrote:

Yes, I already made sure the client setting is OK. I even checked the Single Sign-On option.

Could you elaborate more on the reply below? I don't quite understand it.

"If you have everything configured and it is still not working, the only reason would be that the machine role and the full 802.1x role have different VLANs and breaks the connection on login. Please make sure the machine does not switch VLANs when the user is logging into the network."

You FIRST have to make sure that you see the machine authentication happening on the RADIUS server when the user logs out, OR boots up to the CTRL-ALT-DEL screen. Do you see that in the Event Viewer?

 

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
Occasional Contributor I
Posts: 9
Registered: 01-18-2011

Re: Machine Authentication Fail

I saw the event at RADIUS (it shows the machine ID, not the username), but the request was denied. The reason said: The connection request did not match any configured network policy.

I already put the machine group Domain Computers in the policies.

But user authentication works fine without any problems. After login, the user is able to connect as usual. But when I sign out, the connection is lost.

Guru Elite
Posts: 19,948
Registered: 03-29-2007

Re: Machine Authentication Fail

You need to create a separate remote access policy on NPS, exactly like the other one, but it allows the AD Group DOMAIN computers. You cannot simply add Domain Computers to the AD Group.

You can also try removing the Windows user groups from the rule entirely to see if that works, but you should do the suggestion above.

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
Occasional Contributor I
Posts: 9
Registered: 01-18-2011

Re: Machine Authentication Fail

Success with the above solution.

I created another policy (named Machine Authentication Policy) and put Domain Computers in the Remote Access Policy inside the policy I created earlier. Then I put that policy above the other policy (the policy that grants user authentication), so the policy will allow Machine Authentication first; after that, when the user logs in, it will go to the second policy that allows User Authentication.

Can't believe that support in this forum is faster than the TAC. I mailed them a couple of days ago and their reply just asked for log-download.tar. No response further since then.

Thanks Colin..
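The NPS policy fix described in this thread, modelled in Python as an added example (this is not code from the thread, from Aruba or from Microsoft). NPS walks its network policies in processing order and applies the first one whose conditions match; a request that matches none is rejected with exactly the reason quoted earlier in the thread. The model keeps only the Windows Groups condition and the first-match ordering; the policy names, group names, identities and returned attribute are constructed for the example.

```python
"""Toy model of NPS network-policy matching for the machine-auth scenario.

Added example, not Aruba or Microsoft code. NPS evaluates network policies in
processing order and applies the first one whose conditions all match; a
request that matches none is rejected with the reason quoted in the thread.
Policy names, group names and identities below are constructed.
"""
from dataclasses import dataclass

NO_MATCH = "The connection request did not match any configured network policy."


@dataclass(frozen=True)
class Request:
    """A RADIUS Access-Request as NPS sees it (constructed)."""
    user_name: str        # host/<fqdn> for machine auth, DOMAIN\user for user auth
    groups: frozenset     # AD group membership NPS resolves for that identity

    @property
    def is_machine_auth(self) -> bool:
        # Windows sends machine authentication with a host/<fqdn> identity
        return self.user_name.lower().startswith("host/")


@dataclass(frozen=True)
class NetworkPolicy:
    """One NPS network policy carrying only a Windows Groups condition."""
    name: str
    windows_groups: frozenset
    filter_id: str   # attribute returned on accept; Aruba server derivation maps it to a role

    def matches(self, req: Request) -> bool:
        # The Windows Groups condition is satisfied by membership in any listed group
        return bool(req.groups & self.windows_groups)


def evaluate(policies, req):
    """First-match walk over the policies, as NPS does in processing order."""
    identity = "machine" if req.is_machine_auth else "user"
    for policy in policies:
        if policy.matches(req):
            return {"result": "Access-Accept", "identity": identity,
                    "policy": policy.name, "filter_id": policy.filter_id}
    return {"result": "Access-Reject", "identity": identity,
            "policy": None, "reason": NO_MATCH}


# Constructed requests: a domain-joined laptop sitting at the Ctrl-Alt-Del screen,
# and a user logging in afterwards.
MACHINE_REQ = Request("host/laptop01.corp.example", frozenset({"Domain Computers"}))
USER_REQ = Request(r"CORP\alice", frozenset({"Domain Users", "Wireless Users"}))

# Before: only a user policy exists, so the machine request falls through and is rejected.
BEFORE = [NetworkPolicy("Wireless Users", frozenset({"Wireless Users"}), "authenticated")]

# After (the fix from the thread): a separate policy for Domain Computers, ordered first.
AFTER = [NetworkPolicy("Machine Authentication Policy",
                       frozenset({"Domain Computers"}), "machine-only"),
         *BEFORE]


def compare():
    """Outcome of both requests against the before and after policy lists."""
    return {
        "before_machine": evaluate(BEFORE, MACHINE_REQ),
        "after_machine": evaluate(AFTER, MACHINE_REQ),
        "after_user": evaluate(AFTER, USER_REQ),
    }


if __name__ == "__main__":
    for label, outcome in compare().items():
        print(f"{label}: {outcome}")
```

Run it and the "before" machine request shows the reject reason from the Event Viewer entry in the thread, while the "after" lists show the laptop landing on the machine policy and the user on the user policy. A real NPS policy also matches on NAS type, authentication method and similar conditions, which this model leaves out.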

Occasional Contributor I
Posts: 9
Registered: 01-18-2011

Re: Machine Authentication Fail

One more problem...

After applying the above step, I found some clients having their Wireless Profile setting automatically set to "Computer Authentication" only, not "User or computer authentication" (802.1X setting --> specify authentication mode).

The problem is, when they use "Computer Authentication" they get stuck in a role they shouldn't. Also the GPO wallpaper does not work when this problem occurs.

But when I change the authentication mode to User and computer authentication, they are able to get the role they should.

This problem happens if I remove the Wireless Profile, then reconnect to the SSID.

Guru Elite
Posts: 19,948
Registered: 03-29-2007

Re: Machine Authentication Fail

wreqenize wrote:

One more problem...

After applying the above step, I found some clients having their Wireless Profile setting automatically set to "Computer Authentication" only, not "User or computer authentication" (802.1X setting --> specify authentication mode).

The problem is, when they use "Computer Authentication" they get stuck in a role they shouldn't. Also the GPO wallpaper does not work when this problem occurs.

But when I change the authentication mode to User and computer authentication, they are able to get the role they should.

This problem happens if I remove the Wireless Profile, then reconnect to the SSID.

You are correct. When you connect a domain computer to a 802.1x WLAN, Windows 7 automatically chooses Computer Authentication Only, which breaks your functionality. Using a GPO to push out WLAN configuration is the best thing. http://community.arubanetworks.com/t5/Command-of-the-Day/COTD-How-to-create-a-Wireless-Group-Policy-on-Windows-2008/td-p/11768

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
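A way to find the clients that have drifted to "Computer authentication" only, as an added example (not code from the thread or from Aruba): Windows can export a WLAN profile with `netsh wlan export profile name="<SSID>" folder=<dir>`, and the exported XML carries the "Specify authentication mode" setting as the `<authMode>` element of the OneX section, where `machineOrUser` is "User or computer authentication" and `machine` is "Computer authentication" only. The script parses such files and flags any profile whose mode is not `machineOrUser`. The two profiles embedded below are constructed, and the element layout (OneX inside MSM/security) is assumed from the Windows WLAN and OneX profile schemas.

```python
"""Audit exported Windows WLAN profiles for the 802.1X authentication mode.

Added example, not code from the thread or from Aruba. It reads the XML that
`netsh wlan export profile` writes and reports profiles whose OneX
<authMode> is not 'machineOrUser' ("User or computer authentication").
The two sample profiles are constructed; the element layout is assumed from
the Windows WLAN profile and OneX schemas.
"""
import xml.etree.ElementTree as ET

WLAN_NS = "http://www.microsoft.com/networking/WLAN/profile/v1"
ONEX_NS = "http://www.microsoft.com/networking/OneX/v1"
WANTED_MODE = "machineOrUser"

# Labels as they appear in the Windows 802.1X settings dialog
AUTH_MODE_LABEL = {
    "machineOrUser": "User or computer authentication",
    "machine": "Computer authentication",
    "user": "User authentication",
    "guest": "Guest authentication",
}


def _profile_xml(auth_mode: str) -> str:
    """Build a constructed WLAN profile with the given OneX authMode."""
    return f"""
<WLANProfile xmlns="{WLAN_NS}">
  <name>CorpWiFi</name>
  <SSIDConfig><SSID><name>CorpWiFi</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA2</authentication>
        <encryption>AES</encryption>
        <useOneX>true</useOneX>
      </authEncryption>
      <OneX xmlns="{ONEX_NS}">
        <authMode>{auth_mode}</authMode>
        <EAPConfig/>
      </OneX>
    </security>
  </MSM>
</WLANProfile>
""".strip()


# Constructed samples: one profile drifted to computer-only, one as it should be
DRIFTED_PROFILE = _profile_xml("machine")
GOOD_PROFILE = _profile_xml("machineOrUser")


def audit_profile(xml_text: str) -> dict:
    """Return the profile name, its authMode and whether it is the wanted mode."""
    root = ET.fromstring(xml_text)
    name_el = root.find(f"{{{WLAN_NS}}}name")
    name = name_el.text if name_el is not None else "(unnamed)"

    onex = root.find(f".//{{{ONEX_NS}}}OneX")
    if onex is None:
        # No OneX block means the profile is not an 802.1X profile at all (e.g. PSK)
        return {"name": name, "auth_mode": None, "label": "no 802.1X", "ok": False}

    mode_el = onex.find(f"{{{ONEX_NS}}}authMode")
    mode = mode_el.text.strip() if mode_el is not None and mode_el.text else None
    return {
        "name": name,
        "auth_mode": mode,
        "label": AUTH_MODE_LABEL.get(mode, "(not set)"),
        "ok": mode == WANTED_MODE,
    }


def audit_files(paths):
    """Audit every exported profile file in `paths`; returns the non-compliant ones."""
    findings = []
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            result = audit_profile(fh.read())
        if not result["ok"]:
            findings.append({"file": path, **result})
    return findings


if __name__ == "__main__":
    for sample in (DRIFTED_PROFILE, GOOD_PROFILE):
        r = audit_profile(sample)
        status = "OK" if r["ok"] else "FIX"
        print(f"{status}: {r['name']} -> {r['label']} ({r['auth_mode']})")
```

Pointing `audit_files` at a folder of profiles exported from several clients gives a quick list of the machines that need the profile corrected, which is useful for confirming the drift before and after the GPO from the linked post is applied.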
Occasional Contributor I
Posts: 9
Registered: 01-18-2011

Re: Machine Authentication Fail

Is there any other way out besides creating a GPO for the wireless profile?

It's kind of a long way round to ask my customer to create a new GPO.
