Wireless Access

Frequent Contributor I
Posts: 102
Registered: ‎06-17-2009

Aruba Instant "Enforce Machine Auth" Problems

We just completed phase 1 of an Aruba Instant install for a school district at three different schools. We are enforcing machine authentication, but are having issues with machines taking a long time to log in to Windows. We currently have two roles under "enforce machine authentication": a "mach_rest" and a "user_rest" role. The idea being that if a client machine auths, OR the user auths only, they would get the appropriate role. A client that machine AND user auths gets the full unrestricted role for that SSID. The problem we are having is that the clients are getting stuck in the "mach_rest" role. Sometimes they authenticate fully, but it takes a long time. The only solution is to open the firewall rules on the "mach_rest" role, and then clients authenticate quickly with no issues. At this point we have "allow all" to the domain controllers on the "mach_rest" role, but that is not a good solution. I would like to lock it down at least to specific ports, but from the research we've done, opening the ports used for Windows authentication still doesn't work very well. I've never really experienced this on the controllers; this seems to be something with Instant. So, help I guess! :-)
EDDIE FORERO | @HeyEddie
Guru Elite
Posts: 20,959
Registered: ‎03-29-2007

Re: Aruba Instant "Enforce Machine Auth" Problems

Opening the Mach_rest role completely is a good practice. The best analogy for it is a wired laptop plugged in at the ctrl-alt-delete screen. There are plenty of things that happen in the background that you do not want to block, but the user is not allowed to interact with the network, so it is secure from that perspective.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor I
Posts: 102
Registered: ‎06-17-2009

Re: Aruba Instant "Enforce Machine Auth" Problems

I considered this, but my concern was: is it possible that malicious code could be running in the background, say if a user's machine got infected or was somehow compromised?

It seems to me that there are still opportunities for this to be exploited. If there's a local account, or if the user interrupts the boot-up and boots to the command prompt with network access.

EDDIE FORERO | @HeyEddie
Guru Elite
Posts: 20,959
Registered: ‎03-29-2007

Re: Aruba Instant "Enforce Machine Auth" Problems

Yes. Same rules as if the device was physically plugged in, but with mobility and encryption.

Colin Joseph
Aruba Customer Engineering
