Security

Reply
Occasional Contributor I
Posts: 5
Registered: ‎05-20-2013

Machine Authentication after resuming from Sleep/Hibernation

Hello,

 

Please could I have assistance with an authentication issue we are experiencing.

 

Since replacing our staff laptops we are frequenctly having 802.1X problems. I'm not sure where the problem lies at the moment but the laptops in question use the Intel Centrino Advanced-N 6235 wireless chipset, and 15.6.1 driver.

 

The main issue appears to when laptops resume from sleep/hibernating don't always machine authenticate. So they are connected to our wireless, but are put our deny_all role. I can see they have user authenticated, but the lack of machine authentication seems to be the problem.

 

Our wireless settings are set by Group Policy, and the laptops are all Windows 7 x64.

 

 

I'm following this up with Samsung and our wireless installer but  was hoping by making this post it might highlight some areas to invesitgate we hadn't thought of. I'm not very familar with the advanced 802.1x settings for example in the GPO.

 

 

Thanks in advance

Aruba
Posts: 1,635
Registered: ‎04-13-2009

Re: Machine Authentication after resuming from Sleep/Hibernation

When systems resume from sleep; they do not attempt machine authentication; only user authentication.  This is by design on Windows.    In your dot1X profile, what is the machine cache timeout set at?   This can be found on the Advanced tab of the 802.1X Authentication Profile; "Machine Authentication Cache Timeout".    This dictates how long the MAC address is cached in the internal dtabase upon successful machine authentication.  If set too low, you'll likely see improper role assignment due to the machine not authenticating.   

 

Because these are new laptops, I would also make sure that they are doing both user and machine authentication as well (whether by GPO or manual settings). 

 

 

As a test, on these same systems, if you restart them, do they get placed in the proper roles?    If they do, then your cache timeout is likely the issue.  If they do not, the system is likely not set to use both machine and user authentication.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Occasional Contributor I
Posts: 5
Registered: ‎05-20-2013

Re: Machine Authentication after resuming from Sleep/Hibernation

Hi Clembo, thanks for the quick reply.

 

The cache timeout is currently 48hrs, so I'll look at increasing that value further. It's certainly a problem that happens more after the weekend.

 

The GPO is configured for both user and machine authentication (screenshot attached). We've never had any problems after restarting one of these laptops.

Aruba
Posts: 1,635
Registered: ‎04-13-2009

Re: Machine Authentication after resuming from Sleep/Hibernation

The your issue is likely the cache timeout set t 48 hours; especially if they are put to sleep/hibernate over a weekend.   Increase this to a value that is more suitable to your user's reboot/logoff habits.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Occasional Contributor I
Posts: 5
Registered: ‎05-20-2013

Re: Machine Authentication after resuming from Sleep/Hibernation

Hi,

 

Increasing the cache timeout has definately helped the issue, but not completely.

 

Does this cache get refreshed or will this timeout require machine authentication again after this duration has passed? Reason I ask is I have a laptop I use prodominately in one location and don't regularly reboot or log off. I still experience the problem of being put in the 'deny_all' group occationally and seemly only a reboot of the laptop will get me back on the wireless.

 

Any tips?

 

Thanks

Aruba
Posts: 1,635
Registered: ‎04-13-2009

Re: Machine Authentication after resuming from Sleep/Hibernation

It will only get refreshed after another machine authentication (resets the expiration timer).  You can statically add the MAC to the internal database as an alternative; making it appear to have passed machine authentication.  Useful for non-domain machines or a situation like you have where the system doesn't reboot often.   You could also just schedule a Windows task to restart the system periodically.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Occasional Contributor I
Posts: 5
Registered: ‎05-20-2013

Re: Machine Authentication after resuming from Sleep/Hibernation

[ Edited ]

I'm not sure users would appreicate a scheduled restart :)

 

Thanks for clarifying, looks like I either need a -very- long cache timeout, or to add the MAC addresses.

 

EDIT

Under which section so I add the MAC addresses?

Aruba
Posts: 1,635
Registered: ‎04-13-2009

Re: Machine Authentication after resuming from Sleep/Hibernation

Just add it to the Internal DB of the controller:   Configuration --> Authentication --> Servers --> Internal 

 

You'll see all the other MACs in there; just make a new entry for the static one.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Occasional Contributor I
Posts: 5
Registered: ‎05-20-2013

Re: Machine Authentication after resuming from Sleep/Hibernation

Reading around it looks like any kind of bulk importing of MAC addresses is out of the question?

 

I went to add one MAC address, looking at the existing entries it look I put the MAC address in the username field, but what would the password be, or is it not used?

Aruba
Posts: 1,635
Registered: ‎04-13-2009

Re: Machine Authentication after resuming from Sleep/Hibernation

Password would be the MAC as well.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Search Airheads
Showing results for 
Search instead for 
Did you mean: