Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Cisco Switch | Machine Authentication | Line protocol down

  • 1.  Cisco Switch | Machine Authentication | Line protocol down

    Posted Jan 11, 2022 11:13 AM
    Dear Experts, 

    Trying out computer authentication in my lab for a customer. Below are the steps done and issues observed.

    1) Cisco switch is used: 3560 with Advanced IP Services
    2) AD 2012 is used
    3) Dot1x for user auth is working flawlessly
    4) Under the wired authentication tab, I selected user or computer authentication
    5) Now when the user signs out or locks the computer, I can see machine auth being done.
    6) Machine auth is successful and the returned VLAN is 100
    7) Now below are 2 issues observed
     7a) After some time (not exactly sure how long) the line protocol of Vlan 100 is down. The light on the switch is green. I tried pinging the PC but it was not responding, and when I looked on the switch the line protocol of Vlan 100 was down. I signed back in on the PC, got the prompt for dot1x, entered the user/pass, and this time the line protocol went up after successful USER AUTHENTICATION.
     7b) I signed out, and the line protocol on Vlan 100 was still up. I pinged the PC and it responded successfully. I tried taking RDP to it, and that immediately brought down the line protocol on Vlan 100.

    Can someone tell me if this is the desired behavior for machine auth?

    ------------------------------
    owais
    ------------------------------


  • 2.  RE: Cisco Switch | Machine Authentication | Line protocol down

    EMPLOYEE
    Posted Jan 11, 2022 11:29 AM
    VLAN100 going down means the switch thinks there are no longer member ports active in the VLAN. The "light on the switch is green" refers to the port LED I presume. If the physical link is up, it's possible the switch or CPPM tried to do a reauth, and the device did not respond. Access Tracker on CPPM will show that side of the connection, but the switch logs will fill in more details around what happened from the switch perspective.

    For RDP, with that being another user login event, I would expect to see a new user auth attempted by the workstation. Is a successful user auth also placed in VLAN 100?

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 3.  RE: Cisco Switch | Machine Authentication | Line protocol down

    Posted Jan 11, 2022 11:33 AM
    Why would the PC not respond if it's configured for user or computer authentication?

    Best Regards
    Owais Iqbal
    CCIE#37956 | ACDX 
    Technical Consultant - Aruba Networks
    Mob/Whatsapp: +92-321-2960496
  • 4.  RE: Cisco Switch | Machine Authentication | Line protocol down

    EMPLOYEE
    Posted Jan 11, 2022 11:45 AM
    From your comments, the PC is accessible for some time after initial authentication, correct?

    There are two problems as I understand it:
    1) Workstation performs machine auth, after some amount of time is disconnected and switch vlan (vlan100) goes down.
    2) Workstation is machine authenticated and reachable, attempting to RDP into the workstation causes a disconnect from vlan100.

    Are there additional problems?

    For issue #1, switch logs will be needed to put together the events occurring between the successful machine auth and when the device becomes unreachable.

    For issue #2, the RDP login should trigger the workstation to perform a user auth (to replace the existing machine auth). If the user auth results in the workstation being moved to a different vlan, that would explain why RDP is not successful and why you see vlan100 transition to down. If both user and machine auth should result in a connection to vlan100, then as with issue #1 logs from the switch will help understand what is being carried out by the switch.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------
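As an added example, not code from this thread, from HPE Aruba or from Cisco, the reasoning in replies 2 and 4 turned into a script: an SVI's line protocol drops when the last authorized member port leaves the VLAN, so correlate each "Vlan100 ... changed state to down" with the AUTHMGR/DOT1X events that preceded it and say whether the port was re-authorized into another VLAN (the RDP/user-auth case, issue 7b) or lost authorization on a reauth the supplicant never answered (issue 7a). The log lines, MAC, AuditSessionIDs and timestamps are constructed for the example and only shaped like IOS `%AUTHMGR-5-VLANASSIGN`, `%DOT1X-5-FAIL` and `%LINEPROTO-5-UPDOWN` messages; compare the regexes against your own `show logging` output before trusting the result.

```python
"""Correlate IOS-style dot1x/AUTHMGR syslog with SVI line-protocol changes and
explain each 'VlanN ... down' from the authorization events seen before it."""
import re

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+): %(?P<msg>[A-Z0-9]+-\d-[A-Z_]+): (?P<text>.*)$")
PORT_RE = re.compile(r"on Interface (?P<port>\S+)")
ASSIGN_RE = re.compile(r"VLAN (?P<vlan>\d+) assigned to Interface (?P<port>\S+)")
SVI_RE = re.compile(
    r"Line protocol on Interface Vlan(?P<vlan>\d+), changed state to (?P<state>up|down)")
FAIL_MSGS = {"DOT1X-5-FAIL", "AUTHMGR-5-FAIL"}

# Constructed sample lines (hypothetical MAC, AuditSessionIDs, times), not from the thread.
_MAC, _SID1, _SID2 = "0011.2233.4455", "0A00000100000001000ABCDE", "0A00000100000002000ABCDF"
MACHINE_AUTH_OK = f"""\
Jan 11 11:00:01: %AUTHMGR-5-START: Starting 'dot1x' for client ({_MAC}) on Interface Gi0/1 AuditSessionID {_SID1}
Jan 11 11:00:02: %DOT1X-5-SUCCESS: Authentication successful for client ({_MAC}) on Interface Gi0/1 AuditSessionID {_SID1}
Jan 11 11:00:02: %AUTHMGR-5-VLANASSIGN: VLAN 100 assigned to Interface Gi0/1 AuditSessionID {_SID1}
Jan 11 11:00:02: %AUTHMGR-5-SUCCESS: Authorization succeeded for client ({_MAC}) on Interface Gi0/1 AuditSessionID {_SID1}
Jan 11 11:00:03: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan100, changed state to up
"""
# Issue 7b: the RDP login triggers a user auth that returns VLAN 200 instead of 100.
SAMPLE_RDP = MACHINE_AUTH_OK + f"""\
Jan 11 11:20:10: %AUTHMGR-5-START: Starting 'dot1x' for client ({_MAC}) on Interface Gi0/1 AuditSessionID {_SID2}
Jan 11 11:20:11: %DOT1X-5-SUCCESS: Authentication successful for client ({_MAC}) on Interface Gi0/1 AuditSessionID {_SID2}
Jan 11 11:20:11: %AUTHMGR-5-VLANASSIGN: VLAN 200 assigned to Interface Gi0/1 AuditSessionID {_SID2}
Jan 11 11:20:11: %AUTHMGR-5-SUCCESS: Authorization succeeded for client ({_MAC}) on Interface Gi0/1 AuditSessionID {_SID2}
Jan 11 11:20:12: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan100, changed state to down
Jan 11 11:20:12: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan200, changed state to up
"""
# Issue 7a: a periodic reauth the supplicant never answers, so the port is unauthorized.
SAMPLE_REAUTH = MACHINE_AUTH_OK + f"""\
Jan 11 11:30:00: %AUTHMGR-5-START: Starting 'dot1x' for client ({_MAC}) on Interface Gi0/1 AuditSessionID {_SID2}
Jan 11 11:30:30: %DOT1X-5-FAIL: Authentication failed for client ({_MAC}) on Interface Gi0/1 AuditSessionID {_SID2}
Jan 11 11:30:30: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client ({_MAC}) on Interface Gi0/1 AuditSessionID {_SID2}
Jan 11 11:30:31: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan100, changed state to down
"""


def explain_svi_events(log_text):
    """Walk the log in order; return one dict {"ts","vlan","state","cause"} per
    SVI line-protocol transition, the cause derived only from earlier auth events."""
    port_vlan = {}    # port -> VLAN it is currently authorized into
    last_change = {}  # port -> last auth outcome that changed its VLAN
    events = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, msg, text = m["ts"], m["msg"], m["text"]
        if msg == "AUTHMGR-5-VLANASSIGN":
            a = ASSIGN_RE.search(text)
            port, vlan = a["port"], int(a["vlan"])
            last_change[port] = {"kind": "reassign" if port in port_vlan else "authorize",
                                 "from": port_vlan.get(port), "to": vlan, "ts": ts}
            port_vlan[port] = vlan
        elif msg in FAIL_MSGS:
            port = PORT_RE.search(text)["port"]
            prev = port_vlan.pop(port, None)
            if prev is not None:  # ignore follow-on FAILs for an already unauthorized port
                last_change[port] = {"kind": "fail", "from": prev, "to": None,
                                     "ts": ts, "msg": msg}
        elif msg == "LINEPROTO-5-UPDOWN":
            s = SVI_RE.search(text)
            if s:  # physical-port UPDOWN lines do not match and are skipped
                vlan, state = int(s["vlan"]), s["state"]
                events.append({"ts": ts, "vlan": vlan, "state": state,
                               "cause": _cause(vlan, state, port_vlan, last_change)})
    return events


def _cause(vlan, state, port_vlan, last_change):
    members = sorted(p for p, v in port_vlan.items() if v == vlan)
    if state == "up":
        return "authorized member port(s): " + (", ".join(members) or "none seen in log")
    if members:  # the auth events cannot explain this; look at link/VLAN config instead
        return ("still has authorized member(s) " + ", ".join(members)
                + "; not explained by auth events, check physical link and VLAN config")
    leavers = [(p, c) for p, c in last_change.items() if c["from"] == vlan and c["to"] != vlan]
    if not leavers:
        return "no port was ever authorized into this VLAN in the log"
    parts = []
    for p, c in leavers:
        if c["kind"] == "reassign":
            parts.append(f"{p} re-authorized into VLAN {c['to']} at {c['ts']} "
                         "(new auth returned a different VLAN)")
        else:
            parts.append(f"{p} lost authorization at {c['ts']} ({c['msg']}: "
                         "reauth failed or supplicant did not respond)")
    return "last member port left the VLAN: " + "; ".join(parts)


if __name__ == "__main__":
    for sample in (SAMPLE_RDP, SAMPLE_REAUTH):
        for e in explain_svi_events(sample):
            print(f"{e['ts']} Vlan{e['vlan']} {e['state']}: {e['cause']}")
        print()
```

Feed it the buffered log of the 3560 (the output of `show logging`, adjusting `LINE_RE` if the switch prefixes sequence numbers or milliseconds). When the SVI goes down while the script still sees an authorized member in that VLAN, the auth events are not the cause and the physical link or the VLAN itself needs checking; when a user auth and the machine auth should both land in VLAN 100, the reassign message will show which VLAN the switch actually applied, which is the point reply 4 makes about comparing the two authorizations.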