Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Moving a master controller, then dot1x clients can't authenticate. machine authentication issue?

  • 1.  Moving a master controller, then dot1x clients can't authenticate. machine authentication issue?

    EMPLOYEE
    Posted Jan 24, 2013 06:03 PM

    Hi,

    I just attempted to move a master controller for a customer and in doing so, the dot1x clients stopped being able to authenticate.

    I think this has something to do with 'enforce machine auth' which is enabled. There is a whole bunch of MACs in the local-userdb which makes me suspicious it is the machine auth.

    So what is the best way around this?

    If I disable 'enforce machine auth', will the clients still be able to connect if nothing is changed on them?

    Does the command "aaa authentication-server internal use-local-switch" also mean that the machine credentials are created and stored locally as well as the guest accounts?

    So what happens in a network if the master goes down without a backup... one big outage??

    Thanks



  • 2.  RE: Moving a master controller, then dot1x clients can't authenticate. machine authentication issue?

    EMPLOYEE
    Posted Jan 24, 2013 06:27 PM

    Had a look over the design guide again, and yes, that is one of the things that is lost without master-redundancy.

    Appreciate any tips for workarounds.



  • 3.  RE: Moving a master controller, then dot1x clients can't authenticate. machine authentication issue?
    Best Answer

    Posted Jan 24, 2013 10:51 PM

    Yes, as you've discovered, if you use 'enforce machine authentication' and have each controller using the master's database (which by the way is the proper way to configure that or you'd have mixed experiences depending on the controller users connected to) then you'll lose that functionality if the master is down. You can set up master redundancy which would synchronize the database and support an outage of one controller.

    To answer your first question, yes you can disable the 'enforce machine authentication' setting without worrying about the client configurations... successful connections would just yield the default dot1x role for that profile... However, if your master is down, then you can't change that setting anyways.

    I have just learned that there are some machine authentication/caching capabilities in ClearPass as well, but don't have much for details at this time.



  • 4.  RE: Moving a master controller, then dot1x clients can't authenticate. machine authentication issue?

    EMPLOYEE
    Posted Jan 25, 2013 01:46 AM

    Thanks for that. Unfortunately not possible to set up master-redundancy at the moment, though it has become a sales opportunity. ;)

    Basically now, I'll remove the machine auth before disconnecting the master. Hopefully now we can move it during operational hours.

    Thanks again