Frequent Contributor II
Posts: 109
Registered: ‎11-11-2008

802.1x machine cache

Hi guys

I have been doing 802.1x with both machine and user authentication for a while.

Usually we push an internal certificate to domains computers along with SSID setup, this works quite well.

One problem I see on a regular basis is that idle computers, or computers that have been hibernated, lose their machine authentication.

This is resolved by logging off the user and back on again, or by a reboot.

Is there a way to keep the machine in the cache? I know there is a user idle timeout on each AAA profile, but I'm not sure if this can achieve what I'm looking for. When a user is idle past this timer, it will be removed anyway.

Can this problem be solved by using ClearPass as an authentication proxy towards a domain controller and adding a MAC cache to prevent the machines from being removed from the cache?

Roar

Guru Elite
Posts: 21,010
Registered: ‎03-29-2007

Re: 802.1x machine cache

Are you using "Enforce Machine Authentication"? If you are, there is a machine authentication cache timeout parameter that controls this: http://www.arubanetworks.com/techdocs/ArubaOS_64_Web_Help/Web_Help_Index.htm#ArubaFrameStyles/802.1x/Configuring_802_1x_Authe.htm By default it is 24 hours.

You can also permanently enter a device into the local database with no expiry, and it will never time out. Look at the internal database to see the format of machine-authenticated devices.


Again, this only applies if you already have Enforce Machine Authentication configured...



Colin Joseph
Aruba Customer Engineering

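As an added illustration of the cache-timeout parameter Colin refers to (this is not from the original post or from Aruba; the syntax is from my recollection of the ArabaOS 6.x dot1x profile commands and the profile and role names are placeholders, so verify against the linked documentation before applying it):

```text
! Hypothetical ArubaOS 6.x 802.1X authentication profile.
! Enforce Machine Authentication must be on for the cache timeout to matter.
aaa authentication dot1x "corp-dot1x"
   machine-authentication enable
   machine-authentication machine-default-role "computer-only"
   machine-authentication user-default-role "user-only"
   ! Timer is in hours; the default is 24. 48 covers a machine
   ! that sits idle overnight and is re-authenticated the next day.
   machine-authentication cache-timeout 48
!
! Confirm the running values of the profile after the change.
show aaa authentication dot1x "corp-dot1x"
```

The user idle timeout on the AAA profile only removes the station entry; the machine-authentication cache is a separate table keyed by the client MAC, so a device that reconnects within the cache-timeout window is still treated as machine-authenticated, while one that reconnects after it lands in the user-only default role until the machine authenticates again.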

Guru Elite
Posts: 8,456
Registered: ‎09-08-2010

Re: 802.1x machine cache

Yes, you would use ClearPass to set an attribute as a fallback for machine authentication. You can also increase the machine authentication cache time inside of ClearPass.


Thanks, 
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor II
Posts: 109
Registered: ‎11-11-2008

Re: 802.1x machine cache

Hi


Yeah, I'm using Enforce Machine Authentication and I believe I have tried the timer, but to be sure I will log on to a computer in my lab, which is on 802.1x, and adjust the timer to 48 hours.

In theory it shall still be in full 802.1x tomorrow when I return to work; have in mind that this computer will have been idle over the night.

Adding a computer to the internal database is not an option, as there are too many to handle.

The customer does have ClearPass, but at the moment auth is not handled by CP; I will look into this with a colleague of mine.

Mosher