@jzawacki wrote:
I have a customer that I set up an SSID for that uses 802.1X authentication, and I'm enforcing machine authentication. I've deployed several customer networks this way with no issues. With this particular customer, when the wireless device is turned on but a user hasn't logged in yet, the machine authenticates itself and I have the machines drop into a role called "DomainComputer". When a valid domain user logs into that computer, role derivation takes place and the user is assigned the appropriate role. If that same user brings in their own wireless device, that device fails machine authentication as expected, but the user logs in and gets placed in the "Guest" role. This all seems to work fine.
After about a week or so, when the same users log into the domain-authenticated machines using their same user credentials, these devices are being placed in the "Guest" role, which blocks access to resources they would normally have access to. If they delete the user's local profile on the wireless device so that it gets recreated upon the next login, they are once again placed in the correct user role, but this only lasts about a week or so and then they go back to being placed in the "Guest" role. So deleting the local user profile on the wireless device corrects the issue, but not permanently. I've double-checked my Aruba configuration and all looks good to me. I'm leaning towards something that is being changed on the client side but do not know where to look.
Has anyone ever encountered this before? Suggestions?
Thanks,
John
In the 802.1x authentication profile under advanced, the Machine Authentication Cache Timeout timer controls this. When a machine authenticates at the ctrl-alt-delete screen, a user is created in the local user database to record that activity. This user stays in the local database for 24 hours by default. The problem is, users who do not log out of their computers never record machine authentication activity, and this user is deleted, so it is assumed that this computer did not machine authenticate. You can extend the Machine Authentication Cache Timeout timer to account for users who do not log out every day.
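The cache behaviour the reply describes, written up as an added Python model (not code from this thread or from ArubaOS): a machine-auth record that ages out, and role derivation that falls back to "Guest" once it is gone. The "Employee" role name, the client MAC and the simulated timelines are constructed; the 24-hour default comes from the reply above.

```python
from dataclasses import dataclass, field

DEFAULT_CACHE_HOURS = 24   # ArubaOS default stated in the reply above
HOUR = 3600


@dataclass
class MachineAuthCache:
    """Constructed model of the controller's machine-authentication record:
    client MAC -> time the machine last authenticated (seconds)."""
    timeout_hours: int = DEFAULT_CACHE_HOURS
    entries: dict = field(default_factory=dict)

    def machine_auth(self, mac, now):
        # Recorded when the device authenticates at the ctrl-alt-delete screen.
        self.entries[mac] = now

    def is_cached(self, mac, now):
        seen = self.entries.get(mac)
        if seen is None:
            return False
        if now - seen > self.timeout_hours * HOUR:
            del self.entries[mac]   # entry aged out of the local user database
            return False
        return True


def derive_role(cache, mac, now):
    """Role derivation with machine authentication enforced (constructed):
    a domain user on a device with a live machine-auth record gets the user
    role; without one (BYOD device, or an expired record) they get Guest."""
    return "Employee" if cache.is_cached(mac, now) else "Guest"


def simulate(timeout_hours, days_without_logout, machine_authenticated=True):
    """Device (optionally) machine-authenticates at boot; the user signs in and
    never logs out; after `days_without_logout` days the controller re-derives
    the role (e.g. on reauthentication). Returns the role assigned then."""
    cache = MachineAuthCache(timeout_hours)
    mac = "00:11:22:33:44:55"   # constructed client MAC
    if machine_authenticated:
        cache.machine_auth(mac, now=0)
    return derive_role(cache, mac, now=days_without_logout * 24 * HOUR)


if __name__ == "__main__":
    print(simulate(24, 0))                           # Employee: same day
    print(simulate(24, 7))                           # Guest: record expired
    print(simulate(24 * 14, 7))                      # Employee: longer timeout
    print(simulate(24, 0, machine_authenticated=False))  # Guest: BYOD device
```

The second and third calls reproduce the week-long drift into "Guest" and the fix of raising the cache timeout beyond the longest stretch users go without logging out.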