Please could I have assistance with an authentication issue we are experiencing.
Since replacing our staff laptops we are frequenctly having 802.1X problems. I'm not sure where the problem lies at the moment but the laptops in question use the Intel Centrino Advanced-N 6235 wireless chipset, and 15.6.1 driver.
The main issue appears to when laptops resume from sleep/hibernating don't always machine authenticate. So they are connected to our wireless, but are put our deny_all role. I can see they have user authenticated, but the lack of machine authentication seems to be the problem.
Our wireless settings are set by Group Policy, and the laptops are all Windows 7 x64.
I'm following this up with Samsung and our wireless installer but was hoping by making this post it might highlight some areas to invesitgate we hadn't thought of. I'm not very familar with the advanced 802.1x settings for example in the GPO.
Thanks in advance
When systems resume from sleep; they do not attempt machine authentication; only user authentication. This is by design on Windows. In your dot1X profile, what is the machine cache timeout set at? This can be found on the Advanced tab of the 802.1X Authentication Profile; "Machine Authentication Cache Timeout". This dictates how long the MAC address is cached in the internal dtabase upon successful machine authentication. If set too low, you'll likely see improper role assignment due to the machine not authenticating.
Because these are new laptops, I would also make sure that they are doing both user and machine authentication as well (whether by GPO or manual settings).
As a test, on these same systems, if you restart them, do they get placed in the proper roles? If they do, then your cache timeout is likely the issue. If they do not, the system is likely not set to use both machine and user authentication.
Hi Clembo, thanks for the quick reply.
The cache timeout is currently 48hrs, so I'll look at increasing that value further. It's certainly a problem that happens more after the weekend.
The GPO is configured for both user and machine authentication (screenshot attached). We've never had any problems after restarting one of these laptops.
The your issue is likely the cache timeout set t 48 hours; especially if they are put to sleep/hibernate over a weekend. Increase this to a value that is more suitable to your user's reboot/logoff habits.
Increasing the cache timeout has definately helped the issue, but not completely.
Does this cache get refreshed or will this timeout require machine authentication again after this duration has passed? Reason I ask is I have a laptop I use prodominately in one location and don't regularly reboot or log off. I still experience the problem of being put in the 'deny_all' group occationally and seemly only a reboot of the laptop will get me back on the wireless.
It will only get refreshed after another machine authentication (resets the expiration timer). You can statically add the MAC to the internal database as an alternative; making it appear to have passed machine authentication. Useful for non-domain machines or a situation like you have where the system doesn't reboot often. You could also just schedule a Windows task to restart the system periodically.
I'm not sure users would appreicate a scheduled restart :)
Thanks for clarifying, looks like I either need a -very- long cache timeout, or to add the MAC addresses.
Under which section so I add the MAC addresses?
Just add it to the Internal DB of the controller: Configuration --> Authentication --> Servers --> Internal
You'll see all the other MACs in there; just make a new entry for the static one.
Reading around it looks like any kind of bulk importing of MAC addresses is out of the question?
I went to add one MAC address, looking at the existing entries it look I put the MAC address in the username field, but what would the password be, or is it not used?
Password would be the MAC as well.
© Copyright 2023 Hewlett Packard Enterprise Development LPAll Rights Reserved.