Moving a master controller, then dot1x clients can't authenticate. machine authentication issue?

Hi,

 

I just attempted to move a master controller for a customer and in doing so, the dot1x clients stopped being able to authenticate.

 

I think this has something to do with 'enforce machine auth', which is enabled. There are a whole bunch of MACs in the local-userdb, which makes me suspicious it is the machine auth.

 

So what is the best way around this?

 

If I disable 'enforce machine auth', will the clients still be able to connect if nothing is changed on them?

 

Does the command "aaa authentication-server internal use-local-switch" also mean that the machine credentials are created and stored locally as well as the guest accounts?

 

So what happens in a network if the master goes down without a backup... one big outage?

 

Thanks

 

 


If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACMP, ACMX #294
mclarke@arubanetworks.com

Re: Moving a master controller, then dot1x clients can't authenticate. machine authentication issue?

Had a look over the design guide again, and yes, that is one of the things that is lost without master-redundancy.

 

Appreciate any tips for workarounds.


Aruba

Re: Moving a master controller, then dot1x clients can't authenticate. machine authentication issue?

Yes, as you've discovered, if you use 'enforce machine authentication' and have each controller using the master's database (which, by the way, is the proper way to configure that, or you'd have mixed experiences depending on the controller users connected to), then you'll lose that functionality if the master is down. You can set up master redundancy, which would synchronize the database and support an outage of one controller.


To answer your first question, yes, you can disable the 'enforce machine authentication' setting without worrying about the client configurations... successful connections would just yield the default dot1x role for that profile... However, if your master is down, then you can't change that setting anyways.

 

I have just learned that there are some machine authentication/caching capabilities in ClearPass as well, but don't have much for details at this time.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Re: Moving a master controller, then dot1x clients can't authenticate. machine authentication issue?

Thanks for that. Unfortunately not possible to set up master-redundancy at the moment, though it has become a sales opportunity. ;)

 

Basically now, I'll remove the machine auth before disconnecting the master. Hopefully now we can move it during operational hours.

 

Thanks again

