Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

802.1x machine cache

  • 1.  802.1x machine cache

    Posted Feb 18, 2015 06:49 AM

    Hi guys


    I have been doing 802.1x with both machine and user authentication for a while.

    Usually we push an internal certificate to domain computers along with the SSID setup; this works quite well.

    One problem I see on a regular basis is that idle computers, or computers that have been hibernated, lose their machine authentication.

    This is resolved by logging off the user and back on again, or by a reboot.

    Is there a way to keep the machine in the cache? I know there is a user idle timeout on each AAA profile, but I'm not sure if this can achieve what I'm looking for. When a user is idle past this timer, it will be removed anyway.

    Can this problem be solved by using ClearPass as an authentication proxy towards a domain controller and adding a MAC cache to prevent the machines from being removed from the cache?


    Roar



  • 2.  RE: 802.1x machine cache

    EMPLOYEE
    Posted Feb 18, 2015 07:14 AM

    Are you using "Enforce Machine Authentication"?  If you are, there is a machine authentication cache timeout parameter that controls this:  http://www.arubanetworks.com/techdocs/ArubaOS_64_Web_Help/Web_Help_Index.htm#ArubaFrameStyles/802.1x/Configuring_802_1x_Authe.htm  By default it is 24 hours.


    You can also permanently enter a device into the local database with no expiry and it will never timeout.  Look at the internal database to see the format of machine authenticated devices.


    Again, this is only for if you already have Enforce Machine Authentication configured...
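    For readers who want to see where the timeout the reply above refers to lives, here is an ArubaOS 6.x 802.1x authentication profile with Enforce Machine Authentication enabled and the cache timeout raised from the 24-hour default to 48 hours. This is an added illustration, not configuration posted by anyone in the thread; the profile and role names are placeholders, and the exact command syntax is an assumption based on the ArubaOS 6.x CLI rather than something the thread confirms, so check it against the CLI reference for your release.

```text
! Added example (not from the thread). Profile and role names are placeholders.
! Machine-authentication settings live in the 802.1x authentication profile,
! not in the AAA profile's user idle timeout mentioned in the question.
aaa authentication dot1x "dot1x-machine-auth-prof"
   machine-authentication enable
   ! Hours a machine-authenticated device stays cached (default 24; assumed range in hours).
   machine-authentication cache-timeout 48
   ! Role applied when only the machine has authenticated (placeholder name).
   machine-authentication machine-default-role "machine-only-role"
   ! Role applied when only the user has authenticated (placeholder name).
   machine-authentication user-default-role "user-only-role"
!
! Verify the effective settings after committing:
show aaa authentication dot1x "dot1x-machine-auth-prof"
```

The point to check in the output is the cache timeout value: if a hibernated machine comes back after the cache expires and only the user side re-authenticates, it lands in the user-default role, which is the symptom described in the original post.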



  • 3.  RE: 802.1x machine cache

    Posted Feb 18, 2015 07:34 AM

    Hi


    Yeah, I'm using Enforce Machine Authentication and I believe I have tried the timer, but to be sure I will log on to a computer in my lab, which is on 802.1x, and adjust the timer to 48 hours.

    In theory it shall still be in full 802.1x tomorrow when I return to work; have in mind that this computer has been idle over the night.


    Adding a computer to the internal database is not an option, as there are too many to handle.

    The customer does have ClearPass, but at the moment auth is not handled by CP; I will look into this with a colleague of mine.


    Mosher



  • 4.  RE: 802.1x machine cache

    EMPLOYEE
    Posted Feb 18, 2015 07:32 AM
    Yes, you would use ClearPass to set an attribute as a fallback for machine authentication. You can also increase the machine authentication cache time inside of ClearPass.


    Thanks, 
    Tim