Contributor II
Posts: 125
Registered: ‎05-19-2013

machine auth in cppm

Hi all,

I have a query regarding machine auth. We have configured a policy to give full access if the user belongs to the group and the machine is authenticated, and another policy: if the user is authenticated, a provisioning role which has no access. It's working fine, but

machine auth comes into play if we are logging in, logging off or restarting, and my issue is that if the user logs off the system, CPPM does machine authentication four times even though it is authenticated. However, if the machine gets authenticated and not the user, then it is rejected. I could see in the Access Tracker that it does machine auth four times.

As we have enabled blacklisting of the client if authentication failure is 5, clients are getting blacklisted if they enter the wrong username or the user is not part of the wifi group.

Why doesn't CPPM do machine auth once and stop? I could see one machine auth happening for some hosts.

Warm regards
Srikanth
Contributor II
Posts: 125
Registered: ‎05-19-2013

Re: machine auth in cppm

How to overcome this issue?

Warm regards
Srikanth
Guru Elite
Posts: 21,515
Registered: ‎03-29-2007

Re: machine auth in cppm

I would try to update the wifi driver on the client.  A domain machine should only do machine authentication (1) When the machine is booting up (2) When a user logs off.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor II
Posts: 125
Registered: ‎05-19-2013

Re: machine auth in cppm

So you mean to say the domain machine is sending the computer account to get authenticated continuously?

Contributor II
Posts: 125
Registered: ‎05-19-2013

Re: machine auth in cppm

Here, the user logs off, and as soon as the user does that, machine auth happens. The time gap between machine auths, four times, is around 5-10 secs.
Guru Elite
Posts: 21,515
Registered: ‎03-29-2007

Re: machine auth in cppm

It should only send it once when it is booting up, and every time a user logs off.

 

When it sends multiple times, what is happening? It is possible that the device does not support OKC (Opportunistic Key Caching), so it sends a full authentication every time it roams... See if each authentication is being sent from the same access point.



Colin Joseph
Aruba Customer Engineering

Contributor II
Posts: 125
Registered: ‎05-19-2013

Re: machine auth in cppm

It's from the same access point.
Guru Elite
Posts: 21,515
Registered: ‎03-29-2007

Re: machine auth in cppm


srikanthsoogoor wrote:
It's from the same access point.

That is normally not a problem unless it is causing a connectivity issue.  If you want to try to eliminate it, you can try updating the wifi driver of the laptop.

 



Colin Joseph
Aruba Customer Engineering

Contributor II
Posts: 125
Registered: ‎05-19-2013

Re: machine auth in cppm

Ya, got it.

Can I know the reason why it happens in this way?

We have no connectivity issue, but because of that the client MAC is getting blacklisted, as it does machine auth four times and gets the reject profile. The fifth time, if the user is not authenticated, the controller does the blacklisting.

Thanks Joseph for the information, and I'll try updating the drivers.
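
The failure counting described in the post above, as an added example that is not part of the original thread and not ClearPass or controller code: it tallies rejects per client MAC and shows how many of the five came from machine authentication and from which access points. The record layout, the `REJECT`/`ACCEPT` labels, the 60-second window and the function names are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 5                   # failure count that triggers blacklisting (from the thread)
WINDOW = timedelta(seconds=60)  # assumed counting window; the thread does not state one

# Constructed sample records: time, client MAC, 802.1X identity, AP, result
SAMPLE = """\
10:00:01,aa:bb:cc:00:00:01,host/LAPTOP1.example.local,ap-1,REJECT
10:00:07,aa:bb:cc:00:00:01,host/LAPTOP1.example.local,ap-1,REJECT
10:00:14,aa:bb:cc:00:00:01,host/LAPTOP1.example.local,ap-1,REJECT
10:00:22,aa:bb:cc:00:00:01,host/LAPTOP1.example.local,ap-1,REJECT
10:00:40,aa:bb:cc:00:00:01,jdoe,ap-1,REJECT
10:01:00,aa:bb:cc:00:00:02,host/LAPTOP2.example.local,ap-2,ACCEPT
10:01:05,aa:bb:cc:00:00:02,asmith,ap-2,REJECT
"""

def parse(text):
    for line in text.strip().splitlines():
        ts, mac, ident, ap, result = line.split(",")
        yield datetime.strptime(ts, "%H:%M:%S"), mac, ident, ap, result

def is_machine(ident):
    # Windows computer accounts normally present an identity of the form host/<name>
    return ident.lower().startswith("host/")

def blacklist_candidates(text, threshold=THRESHOLD, window=WINDOW):
    """Return, per MAC, the first burst of `threshold` rejects inside `window`."""
    rejects = defaultdict(list)
    for ts, mac, ident, ap, result in parse(text):
        if result == "REJECT":
            rejects[mac].append((ts, ident, ap))
    report = {}
    for mac, events in rejects.items():
        events.sort()
        for i in range(len(events) - threshold + 1):
            burst = events[i:i + threshold]
            if burst[-1][0] - burst[0][0] <= window:
                machine = sum(is_machine(ident) for _, ident, _ in burst)
                report[mac] = {
                    "machine_rejects": machine,
                    "user_rejects": threshold - machine,
                    "aps": sorted({ap for _, _, ap in burst}),
                }
                break
    return report

if __name__ == "__main__":
    print(blacklist_candidates(SAMPLE))
```

A MAC whose burst is mostly `machine_rejects` from a single AP matches the pattern reported in this thread, where one user failure on top of four machine-auth rejects reaches the threshold.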
Guru Elite
Posts: 21,515
Registered: ‎03-29-2007

Re: machine auth in cppm


srikanthsoogoor wrote:
Ya, got it.

Can I know the reason why it happens in this way?

We have no connectivity issue, but because of that the client MAC is getting blacklisted, as it does machine auth four times and gets the reject profile. The fifth time, if the user is not authenticated, the controller does the blacklisting.

Thanks Joseph for the information, and I'll try updating the drivers.

Wait....  Is the machine authentication failing?  Do you have a rule that prevents machine authentication from working?  Are these domain machines or machines that are NOT part of the domain?



Colin Joseph
Aruba Customer Engineering