Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

dot1x authentication slow

  • 1.  dot1x authentication slow

    Posted Jul 08, 2014 05:45 PM

    Hi:

    I'm using CPPM with Aruba 3400 controllers running 6.3.

    I've got Clearpass setup to authenticate computers that are domain members.

    If a user is not logged into the computer, an access list on the role allows the computer to talk to the DC.

    That way a user can login to the computer, even if they have not logged in before, or if they have changed their password since last time.

    The problem is that logins take quite a while. For nearly two minutes, we get to watch the Windows Welcome message with the spinning ball (vs. a few seconds with a wired connection).

    Is there any way to speed this up?

    Thanks,

    Tony


  • 2.  RE: dot1x authentication slow

    EMPLOYEE
    Posted Jul 08, 2014 05:49 PM

    Did you do an allowall in the machine auth role or did you get more granular? Usually slowness in this case means something is blocked.


  • 3.  RE: dot1x authentication slow

    Posted Jul 08, 2014 05:55 PM

    Hi Tim:

    Once again, you pegged it!

    I put an

    any any any permit

    at the beginning of the ACL, and the login was speedy.

    (I previously only had all traffic allowed to/from DC's).

    Any idea what else needs to be allowed?

    Thanks,

    Tony


  • 4.  RE: dot1x authentication slow
    Best Answer

    EMPLOYEE
    Posted Jul 08, 2014 06:16 PM

    Tony,

    Here's what I usually allow:

    Domain Controllers

    Any file shares where login scripts or share drives live

    WSUS (update server)

    Inbound access from management IP space for remote management


    Here's my sample ACL:

    [Image attached to the original post: MACHINE-AUTH-ROLE.PNG]

    If you want to add more security, you can block things like RDP, SSH, VNC to those destinations at the top of the ACL.



  • 5.  RE: dot1x authentication slow

    Posted Jul 08, 2014 08:27 PM

    Hi Tim:

    Thanks again for the info.

    I opened up access to just about every subnet I can think of that a domain computer should need to reach when logging in, and the login time is about 7 seconds. Not bad.

    But when I do an "any any any permit" the login time is super-zippy, about 2 seconds.

    I'll leave it wide open for now, until I've got time to run Wireshark on that VLAN to see what's going on.

    Or have I seen somewhere, on some GUI screen, the ability to capture traffic on an AP?

    Thanks,

    Tony


  • 6.  RE: dot1x authentication slow

    EMPLOYEE
    Posted Jul 08, 2014 08:30 PM

    You can run the following command at the CLI to show the sessions, and anything that is blocked will be indicated by the D flag.

    show datapath session table
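Added example (not from this thread, HPE Aruba, or ClearPass): a small Python script that pulls the D-flagged (denied) sessions out of saved `show datapath session table` output and tallies them per destination, protocol and port, so the entries missing from the machine-auth role ACL can be added individually instead of falling back to "any any any permit". The sample output below is constructed, and its column layout (source IP, destination IP, protocol, source port, destination port, ..., flags last) is an assumption to check against the header line on your own controller.

```python
"""Tally sessions the machine-auth role is denying, from show datapath session table."""
from collections import Counter

# Constructed sample output. Column order approximates ArubaOS; the exact header
# and flag legend vary by release, so verify against your controller before use.
SAMPLE = """\
Datapath Session Table Entries
------------------------------

Flags: F - fast age, S - src NAT, N - dest NAT
       D - deny, R - redirect, Y - no syn

  Source IP     Destination IP  Prot SPort DPort  Cntr Prio ToS Age Destination TAge Packets Bytes Flags
--------------  --------------  ---- ----- ----- ------ ---- --- --- ----------- ---- ------- ------ -----
10.20.30.40     10.1.1.10       6    49211 389     0/0  0    0   0   0/0         1    12      2048   FC
10.20.30.40     10.1.1.10       17   49212 53      0/0  0    0   0   0/0         1    2       160    FC
10.20.30.40     10.1.5.20       6    49213 445     0/0  0    0   0   0/0         2    3       180    FD
10.20.30.40     10.1.5.20       6    49214 445     0/0  0    0   0   0/0         1    3       180    FD
10.20.30.40     10.1.9.8        6    49215 8530    0/0  0    0   0   0/0         3    2       120    FDY
"""

PROTO = {"6": "tcp", "17": "udp", "1": "icmp"}  # IP protocol number -> name


def parse_sessions(text):
    """Return (src, dst, proto, sport, dport, flags) for every session row."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # Session rows begin with a dotted-quad IP; legend, header and rule lines do not.
        if len(parts) < 6 or parts[0].count(".") != 3 or not parts[0][0].isdigit():
            continue
        src, dst, prot, sport, dport = parts[:5]
        rows.append((src, dst, PROTO.get(prot, prot), int(sport), int(dport), parts[-1]))
    return rows


def denied_destinations(text):
    """Count D-flagged sessions per (dst, proto, dport): each key is a candidate ACL entry."""
    counts = Counter()
    for _src, dst, proto, _sport, dport, flags in parse_sessions(text):
        if "D" in flags:
            counts[(dst, proto, dport)] += 1
    return dict(counts)


if __name__ == "__main__":
    for (dst, proto, dport), n in sorted(denied_destinations(SAMPLE).items()):
        print(f"{n:3d} denied  {proto} {dst}:{dport}")
```

Paste the real table into SAMPLE (or read it from a file) and the tally shows which hosts and ports the restrictive ACL is silently dropping during the Welcome screen wait.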


  • 7.  RE: dot1x authentication slow

    Posted Jul 09, 2014 08:49 AM

    Great command to know.

    Thanks.