Super Contributor II
Posts: 383
Registered: ‎09-05-2012

Machine Authentication and the login process

Hi,

We currently use both machine and user authentication using EAP-MSCHAPv2.

When machine authentication occurs, a limited role gets passed back that allows the machine basic access to network resources.

I am finding more and more that there is a delay in the transition from machine auth to user auth, resulting in connectivity issues for the user. Oftentimes the login scripts can't map network drives because there is no access to the file servers at the time that the login scripts run. This is because user authentication has not yet occurred, leaving the client in the machine authenticated role.

I am curious if others have experienced this and how you dealt with it? Do you use two roles, one for machine and one for users? Do you only do machine authentication? Are both roles open?

Some additional observations:

  • We have a lot of Dell devices and it seems we are experiencing increasing issues with these devices in particular.
  • RADIUS timeouts are a big contributor to this behavior. We currently have an open case with Aruba about this, but I do not believe this is the only issue.

Cheers

Guru Elite
Posts: 8,180
Registered: ‎09-08-2010

Re: Machine Authentication and the login process

If things are slow during machine auth, your machine auth role is too restrictive.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Super Contributor II
Posts: 383
Registered: ‎09-05-2012

Re: Machine Authentication and the login process

That is interesting. I sort of suspected this.

Any suggestions on what things I should make sure are open? Should I be focusing on ports? Or access to specific servers?

Currently, there is full access to all of the domain controllers, DNS, DHCP, our anti-virus server, our computer management server, and a few other things.

A good place to start would probably be to run the 'show datapath session table ...' command to capture what is going on on the client during the transition and then open anything that is being denied (within reason)?
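As an added illustration of the approach described in this post (not code from the thread or from Aruba), here is a small Python helper that tallies the sessions a client had denied while still in the machine-auth role. The sample output and its column layout are constructed to approximate 'show datapath session table' on an ArubaOS controller; the real column names and flag letters vary by version, so treat the format as an assumption and adjust the regex to your controller's output.

```python
import re
from collections import Counter

# Constructed sample approximating ArubaOS 'show datapath session table'
# output (assumed layout; real output may differ by version).
SAMPLE = """\
Datapath Session Table Entries
------------------------------
Flags: F - fast age, S - src NAT, N - dest NAT
       D - deny, R - dst route, Y - no syn
       I - trusted, C - client, T - TCP, L - log
  Source IP       Destination IP  Prot SPort DPort  Cntr   Prio ToS Age Destination TAge Packets Bytes Flags
  --------------  --------------  ---- ----- -----  ------ ---- --- --- ----------- ---- ------- ----- -----
  10.20.1.55      10.20.0.10      17   61001 53     0/0    0    0   1   tunnel 9    1    2       180   FC
  10.20.1.55      10.20.0.12      6    50012 88     0/0    0    0   1   tunnel 9    1    4       600   TC
  10.20.1.55      10.20.5.40      6    50013 445    0/0    0    0   1   tunnel 9    1    3       180   TCD
  10.20.1.55      10.20.5.40      6    50014 445    0/0    0    0   1   tunnel 9    1    3       180   TCD
  10.20.1.55      10.20.5.41      6    50015 445    0/0    0    0   1   tunnel 9    1    3       180   TCD
  10.20.1.55      10.20.5.41      6    50016 139    0/0    0    0   1   tunnel 9    1    2       120   TCD
  10.20.1.55      10.20.0.20      6    50017 443    0/0    0    0   2   tunnel 9    2    12      9000  TC
"""

PROTO = {"6": "tcp", "17": "udp", "1": "icmp"}

# Only the leading 5-tuple columns and the trailing Flags column are parsed;
# the middle columns (Cntr, Destination "tunnel N", ...) are skipped so that
# multi-word fields do not break positional parsing.
ROW = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s.*\s(\S+)\s*$"
)


def denied_flows(text, client_ip=None):
    """Count (dst_ip, proto, dport) tuples for sessions carrying the D (deny) flag.

    If client_ip is given, only sessions sourced from that client are counted.
    """
    hits = Counter()
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # legend, header and separator lines
        src, dst, proto, _sport, dport, flags = m.groups()
        if client_ip and src != client_ip:
            continue
        if "D" in flags:
            hits[(dst, PROTO.get(proto, proto), int(dport))] += 1
    return hits


def report(text, client_ip=None):
    """Human-readable list, most frequently denied destination/port first."""
    rows = denied_flows(text, client_ip).most_common()
    return [f"{dst} {proto}/{port} denied {n}x" for (dst, proto, port), n in rows]
```

Each reported destination/port is a candidate for review: if it is a domain resource the login scripts legitimately need (file servers for drive mappings, in this thread's case), it belongs in the machine-auth role's policy.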

Guru Elite
Posts: 8,180
Registered: ‎09-08-2010

Re: Machine Authentication and the login process

Are you running the wired network with authentication and/or ACLs?

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Super Contributor II
Posts: 383
Registered: ‎09-05-2012

Re: Machine Authentication and the login process

Currently we are not.

But there are plans to implement 802.1X authentication on the wired network as well.

That is one of the reasons why I would like to figure out if I can improve the transition between the machine auth role and the user auth role.

Guru Elite
Posts: 8,180
Registered: ‎09-08-2010

Re: Machine Authentication and the login process

Many folks tend to use an allowall in the machine authentication role
similar to when a device is connected to the wired network.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Super Contributor II
Posts: 383
Registered: ‎09-05-2012

Re: Machine Authentication and the login process

Would that be the case if 802.1X is being used for both wired and wireless connections?

I guess I am just trying to work out the justification for opening the machine authenticated role, as opposed to leaving it more restricted.

Super Contributor II
Posts: 383
Registered: ‎09-05-2012

Re: Machine Authentication and the login process

Thanks @cappalli for the feedback.

I decided to modify our machine role to make it less restrictive. This has greatly improved the overall experience on the network. No more missing drives or GP settings.
