Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Windows 7 user or machine authentication

  • 1.  Windows 7 user or machine authentication

    Posted Jan 25, 2013 04:28 AM

    Hi,

     

    we have a setup where user and machine authentication is used.  If a user only authenticates as user, he gets redirected to a vlan where only internet access is possible.  If also machine authentication is used (using a Windows radius server) then the user arrives in another vlan where he has full access.

     

    So far no problem.  But...  The user AND machine authentication only works when you're already logged in and have performed a connect manually.  If you boot the system, only user authentication is used when the wifi connects.  We then have to disconnect and connect the ssid again before the user is in the correct vlan.  Of course then logon scripts do not work etc...  We've been playing with different settings in the ssid properties, so far no luck.

     

    Any solution for this?



  • 2.  RE: Windows 7 user or machine authentication

    EMPLOYEE
    Posted Jan 26, 2013 05:30 AM

    What might be happening here is the following:

     

    With Windows 7, when you configure your client, like you described, you can choose to authenticate as user, computer, user or computer or as guest.

     

    When you configure 'user or computer' your machine will do a user authentication when you are logged in, and a machine authentication when you are not logged in (system is in the Logon screen). This is often used to validate both AD membership for your computer, and that the user is a valid user. When combining that information you can provide different access for users with AD joined computers and the same user with an untrusted/non domain machine. In addition, when you disconnect and re-connect, Windows 7 sometimes will do a machine auth before switching to user auth.

     

    One thing that is important in this case is that, to configure your WLAN network for the computer (so prior to login), you must have an administrator account when configuring the network to 'user or computer'. If you have a user account (non-administrator), all configuration is kept for that user only. So when you logoff, or reboot your system, the configuration to connect to your network is only active after the user who configured it is logged in. The computer will not connect to the network prior to the login. Which makes sense when multiple users use the machine: you don't want networks configured by one user (including passwords/certificates/settings) to be available to other users.

     

    As an administrator (minimum local, but domain will also work), you can configure the network system wide. Networks configured as administrator are available for all users, and will be connected to prior to logon, under the condition that you configured machine authentication.

     

    So please check the account rights used when configuring the WLAN on your client. Must be administrator.

     

    Normal users configuring the WLAN network will result in the described situation.



  • 3.  RE: Windows 7 user or machine authentication

    Posted Jan 28, 2013 08:41 AM

    Hi.  The user I'm performing tests with actually is administrator.  Problem looks like machine authentication is performed before user logs in.  When the user logs in with AD credentials a re-authentication should take place taking into account user AND machine credentials, which is not happening...



  • 4.  RE: Windows 7 user or machine authentication

    Posted Jan 28, 2013 10:47 AM

    We have seen this issue - the re-auth happens, the vlan changes, but the client may or may not get the new DHCP information... Personally I think it's a windows problem. How we resolved it is by using roles instead of vlan switching - this may not be ideal for you.  So our machine role is very restrictive, no internet, only needed services for the machine to get updates and talk with active directory.  Once the user authenticates the correct role is used.

     

    Doing the vlan switching has been met with some issues here, most of the time windows will get a new DHCP address, but often will retain the old default gateway as well as the new defined gateway.  This obviously causes some issues...  It appears everything is working properly on the aruba side, and I was able to verify this issue with microsoft but they did not have a good solution for us as it does not happen all the time.  If you reset the wlan connection everything is gravy...  I was also able to see that the client does request a new IP from the correct subnet after the user authenticates....



  • 5.  RE: Windows 7 user or machine authentication

    EMPLOYEE
    Posted Jan 29, 2013 03:20 AM

    In response to the VLAN switching statement:

     

    Please try to avoid VLAN switching whenever possible, as it will likely bring you into trouble at some moment.

     

    If you require VLAN switching, and use Windows 7, switch on the 'Enable single sign on for this network' option in the Advanced settings for your WLAN configuration:

    [image: win7-sso.PNG]

    This option will trigger a DHCP renew after authentication switch from machine to user (and in the other direction).



  • 6.  RE: Windows 7 user or machine authentication

    Posted Jan 29, 2013 10:30 AM

    I already have the 'enable single sign on for this network' enabled.  Problem remains.  Even more, found out today results are not predictive.  Rebooted my own laptop (which always ended up after booting in the 'restricted network') this afternoon, and ended up in the correct vlan.  Rebooted again (without changing anything), and ended up again in the restricted vlan.  I have another laptop here which -so far- always ends up in the correct vlan.  Remark the NPS always authenticates computer and user successfully (as visible in the logs).



  • 7.  RE: Windows 7 user or machine authentication

    Posted Jan 29, 2013 03:31 PM

    Is it possible to have a short DHCP lease time on the restricted VLAN in your use-case? This should solve the problem.




  • 8.  RE: Windows 7 user or machine authentication

    Posted Jan 30, 2013 09:35 PM

    I have tried that as well with odd results... We would still see the lingering gateway problem... The DHCP renews, but adds a second gateway as opposed to replacing the gateway... this does not happen all the time, but when it does it obviously causes problems.

     

    I would say though I originally wanted to do vlan switching, it was not worth it, and IMO made more sense just to switch roles.  The role switching takes a couple of seconds and always seems to work properly as it is not dependent on windows really doing anything except sending the authentication stuff...



  • 9.  RE: Windows 7 user or machine authentication

    Posted Jan 31, 2013 08:15 AM

    Not sure if short-term DHCP leases will solve our issue.  We are using roles.  I just discovered that the problem 'might' be related to McAfee disk encryption.

     

    With McAfee disk encryption, you only provide a password during initial boot.  Then a single sign-on happens (so Windows does not ask for a user/password combination).  All the systems I tested having McAfee disk encryption end up initially in the wrong vlan.

     

    I tested a second laptop today without McAfee disk encryption.  After giving user/password I always arrive in the correct vlan...




  • 10.  RE: Windows 7 user or machine authentication

    EMPLOYEE
    Posted Jan 29, 2013 03:15 AM

    The standard Windows 7 supplicant has no option to use user AND machine authentication in the same authentication.

     

    What happens in practice is caching of the machine authentication status on the authentication server (ClearPass, Instant or Controller), and enforcing a different role when a user signs in on a machine that has already done machine authentication (at the login screen) than for a user from a machine that has not done that.

     

    If you insist on both machine and user in the same authentication, and you are using ClearPass, then you can use the OnGuard NAP agent to replace the machine authentication as NAP communications are authenticated by the machine. So the WLAN connection is user authenticated, if the NAP posture status is valid (you can check for the attribute Host:FQDN), you know that user and machine are authenticated.
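The mechanism described in reply 2 (machine auth at the logon screen, user auth after logon) and reply 10 (the server caches the machine-authentication status and picks a role from it) can be modelled in a few dozen lines. The following is an added example written for this page, not code from the thread or from ClearPass; the role names, the 24-hour cache lifetime, the `host/` identity prefix check and the request layout are assumptions, and the request sequence is constructed to reproduce the cases the thread discusses: a machine that authenticated at the logon screen, a machine whose logon screen never triggered machine auth (as with a per-user WLAN profile or a disk-encryption single sign-on), and a cache entry that has expired.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed cache lifetime for "this client did machine authentication".
MACHINE_AUTH_TTL = timedelta(hours=24)

# Assumed enforcement roles, mirroring the roles-instead-of-VLANs approach in the thread.
ROLE_MACHINE_ONLY = "machine-restricted"     # updates and AD traffic only, no internet
ROLE_USER_UNTRUSTED = "user-internet-only"   # user on a machine that never did machine auth
ROLE_USER_TRUSTED = "user-full-access"       # user on a machine-authenticated host


@dataclass
class AuthRequest:
    """Simplified 802.1X/RADIUS access request (constructed fields)."""
    calling_station_id: str   # client MAC address, the key for the cache
    identity: str             # 'host/NAME' for machine auth, 'DOMAIN\\user' for user auth
    credentials_ok: bool      # outcome of the EAP / AD credential check
    at: datetime              # time the request arrived


@dataclass
class AuthServer:
    """Model of the machine-auth cache plus role decision on the authentication server."""
    machine_auth_cache: Dict[str, datetime] = field(default_factory=dict)
    decisions: List[Tuple[str, Optional[str]]] = field(default_factory=list)

    @staticmethod
    def is_machine_identity(identity: str) -> bool:
        # Windows presents the computer account as host/<name>; user identities do not.
        return identity.lower().startswith("host/")

    def machine_authenticated(self, mac: str, now: datetime) -> bool:
        seen = self.machine_auth_cache.get(mac)
        if seen is None:
            return False
        if now - seen > MACHINE_AUTH_TTL:
            del self.machine_auth_cache[mac]   # stale entry: treat as not machine authenticated
            return False
        return True

    def authorize(self, req: AuthRequest) -> Optional[str]:
        """Return the enforcement role to send back, or None for Access-Reject."""
        if not req.credentials_ok:
            self.decisions.append((req.identity, None))
            return None
        if self.is_machine_identity(req.identity):
            # Machine auth at the logon screen: remember it for this client.
            self.machine_auth_cache[req.calling_station_id] = req.at
            role = ROLE_MACHINE_ONLY
        elif self.machine_authenticated(req.calling_station_id, req.at):
            role = ROLE_USER_TRUSTED
        else:
            role = ROLE_USER_UNTRUSTED
        self.decisions.append((req.identity, role))
        return role


def simulate() -> List[Optional[str]]:
    """Run a constructed request sequence and return the role decided for each request."""
    t0 = datetime(2013, 1, 29, 8, 0, 0)
    server = AuthServer()
    requests = [
        # Laptop A boots, sits at the logon screen, does machine auth.
        AuthRequest("00-11-22-aa-aa-aa", "host/LAPTOP-A.example.local", True, t0),
        # Same laptop, user logs in five minutes later: full access.
        AuthRequest("00-11-22-aa-aa-aa", "EXAMPLE\\alice", True, t0 + timedelta(minutes=5)),
        # Laptop B never did machine auth (per-user profile or disk-encryption SSO): internet only.
        AuthRequest("00-11-22-bb-bb-bb", "EXAMPLE\\bob", True, t0 + timedelta(minutes=6)),
        # Laptop A again, but 25 hours later without a fresh machine auth: cache expired.
        AuthRequest("00-11-22-aa-aa-aa", "EXAMPLE\\alice", True, t0 + timedelta(hours=25)),
        # Wrong credentials are rejected regardless of cache state.
        AuthRequest("00-11-22-bb-bb-bb", "EXAMPLE\\bob", False, t0 + timedelta(hours=25)),
    ]
    return [server.authorize(r) for r in requests]


if __name__ == "__main__":
    for identity_role in zip(("A/machine", "A/alice", "B/bob", "A/alice+25h", "B/bad-pw"), simulate()):
        print("%-12s -> %s" % identity_role)
```

The keying on the client MAC is what makes the second request in the sequence land in the full-access role; it is also why the thread's failure cases (no machine auth seen before the user logs in) fall through to the internet-only role rather than failing outright, which is the behaviour the original poster observed.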