Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Machine Authentication and the login process

  • 1.  Machine Authentication and the login process

    Posted Oct 03, 2016 09:51 AM

    Hi,

    We currently use both machine and user authentication using EAP-MSCHAPv2.

    When machine authentication occurs, a limited role gets passed back that allows the machine basic access to network resources.

    I am finding more and more that there is a delay in the transition from machine auth to user auth resulting in connectivity issues for the user. Often times the login scripts can't map network drives because there is no access to the file servers at the time that the login scripts run. This is because user authentication has not yet occurred leaving the client in the machine authenticated role.

    I am curious if others have experienced this and how you dealt with it? Do you use two roles, one for machine and one for users? Do you only do machine authentication? Are both roles open?

    Some additional observations:

    • We have a lot of Dell devices and it seems we are experiencing increasing issues with these devices in particular.
    • RADIUS timeouts are a big contributor to this behavior. We currently have an open case with Aruba about this, but I do not believe this is the only issue.

    Cheers

  • 2.  RE: Machine Authentication and the login process

    EMPLOYEE
    Posted Oct 03, 2016 10:04 AM
    If things are slow during machine auth, your machine auth role is too restrictive.


  • 3.  RE: Machine Authentication and the login process

    Posted Oct 03, 2016 10:22 AM

    That is interesting. I sort of suspected this.

    Any suggestions on what things I should make sure are open? Should I be focusing on ports? Or access to specific servers?

    Currently, there is full access to all of the domain controllers, DNS, DHCP, our anti-virus server, our computer management server, and a few other things.

    A good place to start would probably be to run the 'show datapath session table ...' command to capture what is going on on the client during the transition and then open anything that is being denied (within reason)?
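    The approach sketched in this post, capturing the datapath session table while the client sits in the machine-auth role and then reviewing what was denied, lends itself to a small script. The following is an added example, not code from the thread or from HPE Aruba: it parses a pasted copy of `show datapath session table` output, counts denied sessions per destination, protocol and port, and prints them as candidate permits for the machine-auth role. The sample rows are constructed, and the column layout (first five columns Source IP, Destination IP, Prot, SPort, DPort; Flags as the last column, with `D` marking a denied session) is an assumption about the real output that should be checked against a live controller before relying on the parser.

```python
"""Summarise denied flows from an Aruba 'show datapath session table' capture.

Added example, not from the thread. Assumptions: whitespace-separated rows
whose first five columns are Source IP, Destination IP, Prot, SPort, DPort and
whose last column is the Flags field, with 'D' marking a denied session. Real
output may differ in column layout; adjust parse_sessions() if it does.
"""
from collections import Counter

PROTO_NAMES = {"6": "tcp", "17": "udp", "1": "icmp"}

# Well-known Windows domain services, used only to label ports in the summary.
SERVICE_HINTS = {
    53: "DNS", 88: "Kerberos", 135: "MS-RPC", 139: "NetBIOS session",
    389: "LDAP", 445: "SMB/CIFS", 464: "Kerberos kpasswd", 636: "LDAPS",
    3268: "Global Catalog", 3269: "Global Catalog (TLS)",
}

# Constructed sample output: the header mirrors the command's columns as
# assumed above, but every row is invented for this example.
SAMPLE_OUTPUT = """\
Source IP       Destination IP  Prot SPort DPort  Cntr Prio ToS Age Destination TAge Packets Bytes Flags
10.10.20.55     10.10.1.10      17   53412 53     0/0  0    0   1   tunnel 12   2    2       180   FC
10.10.20.55     10.10.1.20      6    49811 445    0/0  0    0   2   tunnel 12   4    5       320   FDC
10.10.20.55     10.10.1.20      6    49812 445    0/0  0    0   2   tunnel 12   3    5       320   FDC
10.10.20.55     10.10.1.11      6    49900 88     0/0  0    0   0   tunnel 12   5    3       250   FC
10.10.20.55     10.10.1.30      6    49901 389    0/0  0    0   1   tunnel 12   2    1       78    FDC
10.10.20.55     10.10.1.30      17   49902 389    0/0  0    0   1   tunnel 12   2    1       78    FDC
"""


def parse_sessions(text):
    """Return one dict per session row; header and blank lines are skipped."""
    sessions = []
    for line in text.splitlines():
        cols = line.split()
        # A data row starts with an IP address; the header starts with 'Source'.
        if len(cols) < 6 or not cols[0][0].isdigit():
            continue
        sessions.append({
            "src": cols[0],
            "dst": cols[1],
            "proto": PROTO_NAMES.get(cols[2], cols[2]),
            "sport": int(cols[3]),
            "dport": int(cols[4]),
            "flags": cols[-1],
        })
    return sessions


def denied_flows(sessions):
    """Count denied sessions per (destination, protocol, destination port)."""
    counts = Counter()
    for s in sessions:
        if "D" in s["flags"]:
            counts[(s["dst"], s["proto"], s["dport"])] += 1
    return counts


def suggest_permits(counts):
    """Render the denied flows as candidate permits, most frequent first.

    These are items to review against each server's purpose, not rules to
    apply blindly: a denied flow to a file server on 445 is a login-script
    dependency, while a denied flow to an unexpected host may belong blocked.
    """
    lines = []
    for (dst, proto, dport), n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        hint = SERVICE_HINTS.get(dport, "unknown service")
        lines.append(f"permit {proto} to {dst} port {dport} ({hint}): {n} denied session(s)")
    return lines


if __name__ == "__main__":
    for line in suggest_permits(denied_flows(parse_sessions(SAMPLE_OUTPUT))):
        print(line)
```

Run it against the output of a capture taken during a real login (paste it in place of `SAMPLE_OUTPUT`) and compare the listed destinations with the servers the login scripts and Group Policy actually need; anything that is not a domain controller, file server or management host is a candidate for staying denied.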



  • 4.  RE: Machine Authentication and the login process

    EMPLOYEE
    Posted Oct 03, 2016 10:48 AM
    Are you running the wired network with authentication and/or ACLs?


  • 5.  RE: Machine Authentication and the login process

    Posted Oct 03, 2016 11:43 AM

    Currently we are not.

    But there are plans to implement 802.1X authentication on the wired network as well.

    That is one of the reasons why I would like to figure out if I can improve the transition between the machine auth role and the user auth role.



  • 6.  RE: Machine Authentication and the login process
    Best Answer

    EMPLOYEE
    Posted Oct 03, 2016 11:45 AM
    Many folks tend to use an allowall in the machine authentication role
    similar to when a device is connected to the wired network.


  • 7.  RE: Machine Authentication and the login process

    Posted Oct 03, 2016 11:51 AM

    Would that be the case if 802.1X is being used for both wired and wireless connections?

    I guess I am just trying to work out the justification for opening the machine authenticated role, as opposed to leaving it more restricted.



  • 8.  RE: Machine Authentication and the login process

    Posted Oct 11, 2016 08:52 PM

    Thanks @cappalli for the feedback.

    I decided to modify our machine role to make it less restrictive. This has greatly improved the overall experience on the network. No more missing drives or GP settings.