Occasional Contributor II
Posts: 16
Registered: ‎01-28-2009

Tracking down wireless device

We use IAS RADIUS authentication in our wireless network, and are having issues from time to time with users who have wireless devices (iPads, iPhones, laptops etc.) which hold their AD login IDs and PWs. What is happening is when a password change happens not all the devices get the password changed and the user's AD account gets locked out.

The IAS just says it is coming from the controller, which doesn't help much.

Is there a way to track down where the device is trying to connect from with the information I have, which is just the username they are trying to connect with?

Thanks...

Regular Contributor I
Posts: 171
Registered: ‎04-13-2009

Re: Tracking down wireless device

The problem with non-Windows devices is that they cache the password and don't understand the Domain infrastructure to know to ask for an updated password. Instead they just keep retrying the password to connect to the SSID until it locks the account. The best way to solve this permanently that I have found is to move to certificate-based authentication (EAP-TLS).

As for where the user is, you might be able to see their device in the Logon role in your user database, and from there you would see which AP they have associated with, which could give you a rough idea of where the user is.

If someone has any tips on how to manage usernames/passwords on an iOS device and prevent the lockout that would be great, as I know we have other customers who have this issue and cannot move to certificate auth.

 

-ELiasz

-------------------
ACDX, ACCP, CISSP, CWNA
Guru Elite
Posts: 20,820
Registered: ‎03-29-2007

Re: Tracking down wireless device

There are a couple of ways to deal with this (others may have better ways).

You can implement an authentication blacklist counter which will blacklist a device for failing authentication X times, which is 1 or 2 times less than it takes to lock out a Windows account. The result is that the device will not be allowed onto the network after failing 4 times, and not hitting the 6 that it takes to lock the account. The device will be located under blacklisted clients.

All authentication failures are sent as an SNMP trap from the controller and you could monitor that output, or if you are using AirWave, it will collate and correlate all that information.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 16
Registered: ‎01-28-2009

Re: Tracking down wireless device

Thanks for both your responses. Could you give details on how I could set up the client blacklist?

Guru Elite
Posts: 20,820
Registered: ‎03-29-2007

Re: Tracking down wireless device

1. You need to find the 802.1x profile that corresponds to that SSID and put a number in the "Max Authentication Failures" box. Go to Configuration > Security > Authentication > L2 Authentication. Click on 802.1x profile and find the one that corresponds to your SSID (click on "show references" if you are not sure which one). Enter a number in the Max authentication failures box that matches how many times you want a user to fail before you blacklist him.

2. You also need to go into the virtual AP profile and specify how long blacklisted users are kept off the network. Go to Configuration > Wireless AP Configuration. Find the AP-group that your access points are in and click on the "Edit" button to the right of it. Expand Wireless LAN, expand Virtual AP and find the Virtual AP that corresponds to your WLAN. Click on that Virtual AP. In the right pane enable "Station Blacklisting" and put in a number of seconds in the "Authentication Failure Blacklist Time" to indicate how long you want those devices to be blacklisted. By default it is 3600 seconds.

To monitor who is blacklisted, go into the GUI under Monitoring > Controller > Blacklist clients. You can also type "show ap blacklist-clients" on the command line.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
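Added example, not from anyone in this thread and not Aruba's or Microsoft's code: Colin's first reply says the controller emits an SNMP trap for every authentication failure and that AirWave can correlate them, and his second reply describes a blacklist threshold set below the AD lockout count. The script below does the same correlation on the defender's side, so you can answer the original question (which device, on which AP, is burning a user's failed-attempt budget) from the failure feed alone. The log format (`auth-failure user=... mac=... ap=...`) is a constructed stand-in for whatever your trap receiver or syslog actually writes, so adjust `LINE_RE` to your real lines; the thresholds (6 for AD lockout, 4 for the controller blacklist) are the numbers used in the thread, and the 30-minute window is an assumption standing in for the AD lockout observation window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (NOT real ArubaOS, AirWave or IAS output): one line
# per 802.1X authentication failure, carrying the fields a controller trap or
# RADIUS accounting record gives you: time, username, client MAC, and the AP.
SAMPLE_LOG = """\
2024-05-06T08:00:01 auth-failure user=jsmith mac=aa:bb:cc:dd:ee:01 ap=AP-Bldg1-Floor2
2024-05-06T08:00:31 auth-failure user=jsmith mac=aa:bb:cc:dd:ee:01 ap=AP-Bldg1-Floor2
2024-05-06T08:01:02 auth-failure user=jsmith mac=aa:bb:cc:dd:ee:01 ap=AP-Bldg1-Floor2
2024-05-06T08:01:33 auth-failure user=jsmith mac=aa:bb:cc:dd:ee:01 ap=AP-Bldg1-Floor2
2024-05-06T08:02:04 auth-failure user=jsmith mac=aa:bb:cc:dd:ee:02 ap=AP-Bldg3-Lobby
2024-05-06T08:10:00 auth-failure user=mjones mac=aa:bb:cc:dd:ee:10 ap=AP-Bldg2-Floor1
2024-05-06T09:30:00 auth-failure user=mjones mac=aa:bb:cc:dd:ee:10 ap=AP-Bldg2-Floor1
"""

# Hypothetical line format; replace with a pattern for your own trap/syslog output.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth-failure user=(?P<user>\S+) mac=(?P<mac>\S+) ap=(?P<ap>\S+)$"
)


def blacklist_threshold(ad_lockout_threshold, margin=2):
    """Failures to allow before the controller blacklists the client.

    As in the thread: 1 or 2 below the AD lockout threshold, so the controller
    stops the device before the directory locks the account.
    """
    return max(1, ad_lockout_threshold - margin)


def parse_events(text):
    """Parse the constructed log format into dicts; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m.group("ts")),
            "user": m.group("user"),
            "mac": m.group("mac").lower(),
            "ap": m.group("ap"),
        })
    return events


def max_failures_in_window(timestamps, window):
    """Largest number of failures that fall inside any span of length `window`."""
    ts = sorted(timestamps)
    best = start = 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def summarize_failures(events, window_minutes=30, ad_lockout_threshold=6):
    """Per-user view: worst burst, devices (MACs) involved, and the AP each device last used."""
    window = timedelta(minutes=window_minutes)
    threshold = blacklist_threshold(ad_lockout_threshold)
    per_user = defaultdict(list)
    for ev in events:
        per_user[ev["user"]].append(ev)

    report = {}
    for user, evs in per_user.items():
        devices = {}
        for ev in sorted(evs, key=lambda e: e["ts"]):
            d = devices.setdefault(ev["mac"], {"failures": 0, "ap": None, "last_seen": None})
            d["failures"] += 1
            d["ap"] = ev["ap"]          # the AP the device was last seen failing on
            d["last_seen"] = ev["ts"]
        burst = max_failures_in_window([e["ts"] for e in evs], window)
        report[user] = {
            "failures_in_window": burst,
            "devices": devices,
            "would_blacklist": burst >= threshold,       # controller would have stopped it
            "lockout_risk": burst >= ad_lockout_threshold,  # AD would have locked the account
        }
    return report


if __name__ == "__main__":
    for user, info in summarize_failures(parse_events(SAMPLE_LOG)).items():
        state = "blacklist" if info["would_blacklist"] else "ok"
        print(f"{user}: {info['failures_in_window']} failures in window ({state})")
        for mac, d in info["devices"].items():
            print(f"    {mac}  last AP: {d['ap']}  failures: {d['failures']}")
```

On the sample data, jsmith's stale-password iPad (`...:01`) alone crosses the blacklist threshold within two minutes, and the report names the AP it was associated with at the time, which is the location hint the original poster was asking for; mjones's two failures are far enough apart to stay under every threshold. Feeding the same function with real trap or AirWave export lines gives you the per-user device list without waiting for the helpdesk ticket.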
