02-23-2015 03:12 AM
I have a customer who uses wired docking stations when at desk and wireless when mobile. Wireless is dot1x auth through CPPM. We have enforced Machine Auth so that devices that only auth with user credentials get a deny all role. Machine and user auth gives you full access.
When they unplug their laptop from the docking station, the devices are only performing user auth. If they log off and log on again then the machine auth happens whilst at the windows login screen.
So this brings up three questions:
1) Does the controller cache the machine auth status at all and if so, how long?
2) Is there a way to force a windows machine to do machine AND user auth whenever the state of the network connections change?
3) Does clearpass have a better method of caching the status of the device?
02-23-2015 03:25 AM
Just spotted the 'machine auth cache timeout' in the dot1x profile so I can bump this up. Anyone know if there is a max? I'd like to set this to a really long time as these devices are always going to be allowed on the network, I suspect.
I would still prefer to force a re-auth somehow though.
02-23-2015 03:37 AM
The default is 24 hours and the max is 1000 hours http://www.arubanetworks.com/techdocs/ArubaOS_64_Web_Help/Web_Help_Index.htm#ArubaFrameStyles/802.1x/Configuring_802_1x_Authe.htm
Unchecking "Enforce Machine Authentication" and using ClearPass to manage the Machine Authentication portion is more flexible, however: http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Enforce-Machine-Authentication/td-p/58918/highlight/true/page/2
Aruba Customer Engineering