Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

user derivation rules problem

  • 1.  user derivation rules problem

    Posted Mar 23, 2015 11:55 AM

    I have many devices that are not domain computers which connect to my SSID "Corpo".

    On this SSID, enforce machine authentication is checked, and the machine default role and user default role are OK.

    When this equipment connects to the network, the authentication process goes through RADIUS and the default role is good; I use a DHCP fingerprinting option to assign a new role to this equipment (printer) and it works fine.

    But after a controller upgrade/reboot, these printers reconnect with the default user role, not going to their user derivation rules... Rebooting the device doesn't work; I have to power off the device, "delete aaa user x.x.x.x", then restart it. Is there an easier way than that, because I plan to install another 200 of these in the same mode? I can always switch the new ones to a PSK SSID, bypassing the "enforce machine authentication / user derivation rules" problem, but that is plan B.

    Any idea of the cause and/or a solution?

     

    Andre Boucher



  • 2.  RE: user derivation rules problem

    Posted Mar 23, 2015 02:12 PM

    Hi,

    This is expected behaviour, because the device role assignment is done through DHCP; therefore the IP renew process has to happen in order to get the role assignment.

    My point here is that we do not reboot the controller very often, and whenever you reboot the controller it is required to reboot all the authenticated devices, or you can remove and reconnect the Ethernet cable to renew the DHCP process.

    Hope you got some clarity.

    Please feel free to ask for any further clarity on this.



  • 3.  RE: user derivation rules problem

    Posted Mar 24, 2015 10:51 AM

    Hi,

    Let me be more specific. All these printers are wireless only. When the controller is rebooted and the printers are still connected, after x time the printers stop working, with the machine default role in effect. When I reboot a printer and check the network log, I can confirm that a DHCP request is done, but that does not solve the problem. I need to power off the printer, "aaa user delete x.x.x.x", and restart it. There must be a cache somewhere... I can also see that the printer's association with the AP holds for 1000 seconds after I power off the printer, but I don't know if it's relevant.

    Thanks for your help

    Andre Boucher



  • 4.  RE: user derivation rules problem

    Posted Mar 24, 2015 11:50 AM

    Hi,

    What is the client idle timeout (Station ageout Time) configured on that SSID profile? By default it should be 1000 sec. Please change it accordingly so that the client will be removed from the controller.

    Please feel free to ask for any further help on this.

    For your ref:

    SSID1.png



  • 5.  RE: user derivation rules problem

    Posted Mar 24, 2015 02:28 PM

    Hi again,

    I did some more tests. The station ageout time is the default: 1000. I powered off a printer with the bad role problem (in the "show user ip x.x.xx." output: Role Derivation: default for authentication type 8021x-User). I waited for the ageout (confirmed with nothing in "show ap association..."), powered on the printer again and still got the same role problem (DHCP request confirmed running at boot-up).

    So I have to manually power off the printer again, "aaa user delete x.x.x.x", then power it back on and the problem is solved (in the "show user ip x.x.xx." output: Role Derivation: Matched dhcp user rule).

    Is there another hidden/unknown cache somewhere?

    thanks again for your help

    Andre Boucher



  • 6.  RE: user derivation rules problem

    Posted Mar 24, 2015 02:42 PM

    Hi,

    Is it possible to share the AAA profile and dot1x authentication profile? It will help me diagnose the issue and fix it.

    show aaa profile <name>

    show aaa authentication dot1x <name>



  • 7.  RE: user derivation rules problem

    Posted Mar 24, 2015 03:00 PM
    What AOS are you using?


  • 8.  RE: user derivation rules problem

    Posted Mar 24, 2015 03:23 PM

    Hi,

    AOS version is 6.4.2.5

    and here's the profile...

    AAA Profile "CSSSC-AAA-Employe-dot1x"
    -------------------------------------
    Parameter                           Value
    ---------                           -----
    Initial role                        logon
    MAC Authentication Profile          N/A
    MAC Authentication Default Role     denyall
    MAC Authentication Server Group     default
    802.1X Authentication Profile       CSSSC-DOT1x-Employe
    802.1X Authentication Default Role  denyall
    802.1X Authentication Server Group  CSSSC-ServerGroup
    Download Role from CPPM             Disabled
    L2 Authentication Fail Through      Disabled
    Multiple Server Accounting          Disabled
    User idle timeout                   N/A
    RADIUS Accounting Server Group      N/A
    RADIUS Interim Accounting           Disabled
    XML API server                      N/A
    RFC 3576 server                     N/A
    User derivation rules               CSSSC_Equipement_Rules
    Wired to Wireless Roaming           Enabled
    SIP authentication role             N/A
    Device Type Classification          Enabled
    Enforce DHCP                        Enabled
    PAN Firewall Integration            Disabled


    802.1X Authentication Profile "CSSSC-DOT1x-Employe"
    ---------------------------------------------------
    Parameter                                                  Value
    ---------                                                  -----
    Max authentication failures                                0
    Enforce Machine Authentication                             Enabled
    Machine Authentication: Default Machine Role               CSSSC_Role_Machine
    Machine Authentication Cache Timeout                       168 hr(s)
    Blacklist on Machine Authentication Failure                Disabled
    Machine Authentication: Default User Role                  CSSSC_Role_BYOD
    Interval between Identity Requests                         5 sec
    Quiet Period after Failed Authentication                   30 sec
    Reauthentication Interval                                  86400 sec
    Use Server provided Reauthentication Interval              Disabled
    Use the termination-action attribute from the Server       Disabled
    Multicast Key Rotation Time Interval                       1800 sec
    Unicast Key Rotation Time Interval                         900 sec
    Authentication Server Retry Interval                       5 sec
    Authentication Server Retry Count                          3
    Framed MTU                                                 1100 bytes
    Number of times ID-Requests are retried                    5
    Maximum Number of Reauthentication Attempts                3
    Maximum number of times Held State can be bypassed         0
    Dynamic WEP Key Message Retry Count                        1
    Dynamic WEP Key Size                                       128 bits
    Interval between WPA/WPA2 Key Messages                     1000 msec
    Delay between EAP-Success and WPA2 Unicast Key Exchange    0 msec
    Delay between WPA/WPA2 Unicast Key and Group Key Exchange  0 msec
    Time interval after which the PMKSA will be deleted        8 hr(s)
    Delete Keycache upon user deletion                         Disabled
    WPA/WPA2 Key Message Retry Count                           3
    Multicast Key Rotation                                     Disabled
    Unicast Key Rotation                                       Disabled
    Reauthentication                                           Disabled
    Opportunistic Key Caching                                  Enabled
    Validate PMKID                                             Enabled
    Use Session Key                                            Disabled
    Use Static Key                                             Disabled
    xSec MTU                                                   1300 bytes
    Termination                                                Disabled
    Termination EAP-Type                                       N/A
    Termination Inner EAP-Type                                 N/A
    Token Caching                                              Disabled
    Token Caching Period                                       24 hr(s)
    CA-Certificate                                             N/A
    Server-Certificate                                         N/A
    TLS Guest Access                                           Disabled
    TLS Guest Role                                             guest
    Ignore EAPOL-START after authentication                    Disabled
    Handle EAPOL-Logoff                                        Disabled
    Ignore EAP ID during negotiation.                          Disabled
    WPA-Fast-Handover                                          Disabled
    Disable rekey and reauthentication for clients on call     Disabled
    Check certificate common name against AAA server           Enabled
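An added example, not code from the thread or from HPE Aruba: a small Python parser for the ArubaOS "Parameter / Value" table layout quoted in the last post, plus an audit helper that pulls out the settings the replies ask about when a non-domain client ends up in the default role (the user derivation rule set, DHCP-based device classification, the machine-auth fallback user role and its cache timeout). The two embedded excerpts are constructed from the poster's output, and the function names are assumptions of this example.

```python
import re

# Constructed excerpts of the two ArubaOS tables quoted in the thread (same
# layout as the poster's output; only the rows this audit uses are kept).
AAA_PROFILE_OUTPUT = """\
AAA Profile "CSSSC-AAA-Employe-dot1x"
-------------------------------------
Parameter                           Value
---------                           -----
802.1X Authentication Profile       CSSSC-DOT1x-Employe
User derivation rules               CSSSC_Equipement_Rules
Device Type Classification          Enabled
Enforce DHCP                        Enabled
"""

DOT1X_PROFILE_OUTPUT = """\
802.1X Authentication Profile "CSSSC-DOT1x-Employe"
---------------------------------------------------
Parameter                                                  Value
---------                                                  -----
Enforce Machine Authentication                             Enabled
Machine Authentication Cache Timeout                       168 hr(s)
Machine Authentication: Default User Role                  CSSSC_Role_BYOD
"""

def parse_profile(text):
    """Parse an ArubaOS 'Parameter / Value' table into (profile_name, {param: value}).
    Names and values use single spaces internally ('168 hr(s)'); 2+ spaces separate columns."""
    lines = text.splitlines()
    name = re.search(r'"([^"]+)"', lines[0]).group(1)
    header = next(i for i, line in enumerate(lines) if line.startswith("Parameter"))
    params = {}
    for row in lines[header + 2:]:          # skip the header row and its dash underline
        if row.strip():
            key, value = re.split(r"\s{2,}", row.strip(), maxsplit=1)
            params[key] = value
    return name, params

def audit_role_derivation(aaa, dot1x):
    """Collect the settings that decide which role a non-domain device lands in after
    802.1X, so the 'stuck in default role after reboot' symptom can be checked against them."""
    hours = re.match(r"(\d+)\s*hr", dot1x.get("Machine Authentication Cache Timeout", ""))
    return {
        "user_derivation_rules": aaa.get("User derivation rules", "N/A"),
        "device_classification": aaa.get("Device Type Classification") == "Enabled",
        "enforce_machine_auth": dot1x.get("Enforce Machine Authentication") == "Enabled",
        "fallback_user_role": dot1x.get("Machine Authentication: Default User Role"),
        "machine_auth_cache_hours": int(hours.group(1)) if hours else None,
    }
```

Paste the full `show aaa profile <name>` and `show aaa authentication dot1x <name>` output in place of the excerpts to audit a live profile.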