02-18-2015 03:48 AM
I have been doing 802.1x with both machine and user authentication for a while.
Usually we push an internal certificate to domains computers along with SSID setup, this works quite well.
One problem I see on a regular basis is that idle computers, or computers that have been hibernated, lose their machine authentication.
This is resolved by logging the user off and back on again, or by a reboot.
Is there a way to keep the machine in the cache? I know there is a user idle timeout on each AAA profile, but I'm not sure if this can achieve what I'm looking for. When a user is idle past this timer, it will be removed anyway.
Can this problem be solved by using ClearPass as an authentication proxy towards a domain controller and adding a MAC cache to prevent the machines from being removed from the cache?
02-18-2015 04:13 AM
Are you using "Enforce Machine Authentication"? If you are, there is a machine authentication cache timeout parameter that controls this: http://www.arubanetworks.com/techdocs/ArubaOS_64_Web_Help/Web_Help_Index.htm#ArubaFrameStyles/802.1x/Configuring_802_1x_Authe.htm By default it is 24 hours.
You can also permanently enter a device into the local database with no expiry and it will never timeout. Look at the internal database to see the format of machine authenticated devices.
Again, this is only for if you already have Enforce Machine Authentication configured...
Aruba Customer Engineering
02-18-2015 04:34 AM
Yeah, I'm using Enforce Machine Authentication and I believe I have tried the timer, but to be sure I will log on to a computer in my lab, which is on 802.1x, and adjust the timer to 48 hours.
In theory it should still be in full 802.1x tomorrow when I return to work; keep in mind that this computer will have been idle over the night.
Adding a computer to the internal database is not an option, as there are too many to handle.
The customer does have ClearPass, but at the moment auth is not handled by CP; I will look into this with a colleague of mine.