Hello,
I've read a few threads on the Machine Authentication topic, but rather than replying to them, I thought I'd start a new one, since our environment is different.
I work for a school district. I more-or-less "inherited" management of the wireless network from someone else, who is no longer with the district. I haven't had much in the way of formal training, either with Aruba or Novell. I do have an MCSE certification, though, so at least I know my Microsoft. :) But in terms of the rest, if I sound kind of stupid, that's why.
We run a mixed environment consisting of both Novell eDirectory and Microsoft Active Directory. We run a combination of NetWare 6.5 and SLES 10 SP4 OES2 servers, as well as Windows servers. All of our workstations are joined to an AD domain. We have mostly Windows XP, though we have been getting a lot of Windows 7 lately. We also have various incarnations of Mac OS X, including Lion (10.7). Our XP and Win7 machines all have the Novell client installed.
Where we *currently* stand is here: We have a STAFF network, which is used for district-provided staff wireless devices. We have a STUDENTS network, which currently isn't used for anything. We also have a GUESTS network, that makes use of the Captive Portal. The STAFF network uses WPA/WPA2 Enterprise authentication, and we have a RADIUS server set up with FreeRADIUS that authenticates against eDirectory.
If a district staff member with a district-provided laptop wants to connect wirelessly, we connect their laptop to the STAFF network. Since we are only using user authentication, though, the user must first log in using the "Workstation Only" option in the Novell client, and then when their desktop loads up and Windows authenticates to the wireless, they can then right-click the red N and do their Novell login. This works, but it presents a problem whenever a user has to change their password (which we require them to do every few months). The problem is that when they change their password on their desktop system, they generally don't then connect their laptop to the wired network and log in with the new password. Thus, they are still logging in "Workstation Only" to the laptop using their old password, which is still cached on the machine, and then their wireless authentication fails. I would love to be able to solve this problem using 802.1X authentication. However, we have tried that several times using the Novell client, and the results have been disastrous.
To make things more interesting, for our students, we use "Dynamic Local User" policies and "Volatile Profiles", meaning that first, when a student logs in, instead of authenticating to eDirectory *and* AD, as soon as the eDir authentication takes place, a local user account is created on-the-fly on the workstation, and then the student is authenticated to that account. This prevents students from logging in using the "Workstation Only" option and gaining additional rights to the workstation. Second, the "Volatile Profile" policy automatically removes the user's local profile (c:\documents and settings\<username>) upon logoff. The problem here is that for wireless laptops (and desktops, in many cases), if we set up a STUDENTS network that uses WPA/WPA2 authentication, we cannot implement the "double-login" process, because students can't log in Workstation Only. So, it becomes a chicken-or-the-egg situation: The student can't log in to the Novell client without an IP address, but the workstation can't get an IP address until the student has logged in.
We have gotten around this by setting up WPA-PSK or WPA2-PSK networks using hidden SSIDs. That allows the workstation to connect to the wireless in the background, since only a password is required. However, this kind of defeats the purpose of wireless security, since if the password were to ever leak out, it would compromise an entire school's wireless network. Machine authentication would REALLY be helpful here as well.
So, if you're still awake after reading this long diatribe, perhaps you can offer some suggestions on how to make this work better? And please, be as basic as possible. :) I know my way around the ArubaOS CLI fairly well, but there are a LOT of commands that I know nothing or next-to-nothing about (remember, only basic training here... most of what I know I learned by experimentation). I'm also not an expert on 802.1X by any means, and I was pretty much lucky to get my RADIUS server up and running after the old one (which was set up before I was here) died. I would love to implement a solution that would require as little hands-on by our site techs as possible, too, since we are short-handed due to budget cuts (isn't everyone?).
If I can provide any more info, I'll be more than happy to. Thanks in advance!
-- Bryce Newall
Poway Unified School District
San Diego, CA