Frequent Contributor II
Posts: 143
Registered: ‎07-27-2012

dot1x authentication slow

Hi:

I'm using CPPM with Aruba 3400 controllers running 6.3.

I've got Clearpass setup to authenticate computers that are domain members.

If a user is not logged into the computer, an access list on the role allows the computer to talk to the DC.

That way a user can login to the computer, even if they have not logged in before, or if they have changed their password since last time.

The problem is that logins take quite a while. For nearly two minutes, we get to watch the Windows Welcome message with the spinning ball (vs. a few seconds with a wired connection).

Is there any way to speed this up?

Thanks,

Tony

Guru Elite
Posts: 8,637
Registered: ‎09-08-2010

Re: dot1x authentication slow

Did you do an allowall in the machine auth role or did you get more granular? Usually slowness in this case means something is blocked.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor II
Posts: 143
Registered: ‎07-27-2012

Re: dot1x authentication slow

Hi Tim:

Once again, you pegged it!

I put an

any any any permit

at the beginning of the ACL, and the login was speedy.

(I previously only had all traffic allowed to/from DCs.)

Any idea what else needs to be allowed?

Thanks,

Tony

Guru Elite
Posts: 8,637
Registered: ‎09-08-2010

Re: dot1x authentication slow

Tony,

Here's what I usually allow:

Domain Controllers

Any file shares where login scripts or share drives live

WSUS (update server)

Inbound access from management IP space for remote management

Here's my sample ACL:

(screenshot: MACHINE-AUTH-ROLE.PNG)

If you want to add more security, you can block things like RDP, SSH, VNC to those destinations at the top of the ACL.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor II
Posts: 143
Registered: ‎07-27-2012

Re: dot1x authentication slow

Hi Tim:

Thanks again for the info.

I opened up access to just about every subnet I can think of that a domain computer should need to reach when logging in, and the login time is about 7 seconds. Not bad.

But when I do an "any any any permit" the login time is super-zippy, about 2 seconds.

I'll leave it wide open for now, until I've got time to run Wireshark on that VLAN to see what's going on.

Or have I seen somewhere, on some GUI screen, the ability to capture traffic on an AP?

Thanks,

Tony

Guru Elite
Posts: 8,637
Registered: ‎09-08-2010

Re: dot1x authentication slow

You can run the following command at the CLI to show the sessions; anything that is blocked will be indicated by the D flag.

show datapath session table

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
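As an added example (not from the thread, Tim, or Aruba), a small Python script that parses the session table output the command above produces and totals the D-flagged (denied) entries per destination and port, which is the quickest way to see what a restrictive machine-auth ACL is still dropping during logon. The sample output is constructed, and its column layout is an assumption about the ArubaOS format; adjust the field positions if your build prints the table differently.

```python
"""Find what a restrictive machine-auth ACL is blocking: parse the ArubaOS
'show datapath session table' output and total the D-flagged (denied) rows."""
from collections import Counter

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed sample; the column layout is an assumption about the real output.
SAMPLE_OUTPUT = """\
Datapath Session Table Entries
Flags: F - fast age, S - src NAT, N - dest NAT
       D - deny, R - dst route, Y - no syn, C - client
  Source IP     Destination IP  Prot SPort DPort Cntr  Prio ToS Age Destination TAge Flags
  ------------  --------------  ---- ----- ----- ----- ---- --- --- ----------- ---- -----
  10.20.5.41    10.1.0.10       17   52231 88    0/0   0    0   1   dev3        2    FC
  10.20.5.41    10.1.0.10       6    49152 389   0/0   0    0   1   dev3        2    C
  10.20.5.41    10.1.7.22       6    49160 445   0/0   0    0   3   dev3        4    D
  10.20.5.41    10.1.7.22       6    49161 445   0/0   0    0   3   dev3        4    D
  10.20.5.41    10.1.9.5        6    49170 8530  0/0   0    0   3   dev3        5    D
"""

def _looks_like_ipv4(token):
    parts = token.split(".")
    return len(parts) == 4 and all(p.isdigit() for p in parts)

def parse_sessions(text):
    """Yield one dict per session row; legend and header lines are skipped."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not all(_looks_like_ipv4(f) for f in fields[:2]):
            continue
        proto = int(fields[2])
        yield {
            "src": fields[0], "dst": fields[1],
            "proto": PROTO_NAMES.get(proto, str(proto)),
            "sport": int(fields[3]), "dport": int(fields[4]),
            "flags": fields[-1],  # the flag string is the last column
        }

def denied_sessions(text):
    """Rows the datapath dropped: the D flag marks a deny by the role's ACL."""
    return [s for s in parse_sessions(text) if "D" in s["flags"]]

def summarize_denied(text):
    """Count denied sessions per (destination, protocol, destination port)."""
    return Counter((s["dst"], s["proto"], s["dport"]) for s in denied_sessions(text))

if __name__ == "__main__":
    for (dst, proto, dport), n in summarize_denied(SAMPLE_OUTPUT).most_common():
        print(f"{n:3d}  {proto}/{dport:<5} -> {dst}")
```

Feed it the real table (for example, piped from a saved CLI session) and the destinations with the highest counts are the ones to add to the machine-auth role's permit list.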
Frequent Contributor II
Posts: 143
Registered: ‎07-27-2012

Re: dot1x authentication slow

Great command to know.

Thanks.
