My Client Supplicants are Window XP and configured to authenticate as computer when computer information is available. The supplicants are using WPA2-AES with 802.1x PEAP-MSCHAPv2. The Aruba Controller is not configured to enforce Machine Authentication (i.e. Enforce Machine Authentication is Disabled). Microsoft NPS is used as the RADIUS server. NPS communicates with Active Directory where the user and machine credentials reside.
With this configuration authentication using machine credentials works fine for several weeks, then the XP supplicants begin to fail 802.1x machine authentication (as a domain computer). Connecting these machines to the network via their wired Ethernet ports and logging into the domain seems to do something to these machines so that we can log out, disconnect the wired Ethernet connection, enable the wireless NIC and once again 802.1X authenticate at both the machine and user level.
At first I thought the issue had to do with the "Machine Authentication Cache Timeout" setting in the 802.1X authentication profile so we set the timeout to it's maximum of 41 days. These same XP machines are still failing after several weeks.
Has anyone encountered this problem before or have any suggestions?
When you say machine authentication credential you mean user authentication credential right?
Becase thats what we use on EAP PEAP
On the NPS are you putting just the User group ?
you arent puttting any machine group right?
Is the NPS local? or is it a remote NPS on another site? what is the deployment look like
The topology is:
(2) redundant 3600 masters
(4) 3600 LMS
(1) 4600 N+1 backup LMS for any of the LMS 1-4
(408) AP-105 throughout (22) buildings
- SSID is using 802.1x authentication and we are doing both machine (computer) and user authentication.
- Active Directory servers as well as NPS are located at the core of the network where all the Aruba 3600's are located
Wireless laptop running XP boots up, authenticates as a machine (computer) and is sitting at the login prompt. Domain user logs into the laptop and authenticates and if successful gets placed in the "authenticated" role.
This all works for a period of time, maybe 2-3 weeks then for some reason the laptop can no longer authenticate as a machine (computer). Since the laptop can's authenticate it doesn't receive a DHCP address so users cannot log into the laptop either.
Customer connects the laptop into a wired network port, laptop obtains a DHCP address, user successfully logs in. Laptop can now authenticate once again on the wireless network as a machine (computer) and users can log in.
I've deployed many 802.1x authenticated networks this very same way but never run across this situation.
Hope this helps clarify the behavior we're seeing.
Okay there is something wrong here
As far i know you cannot authenticatea machine unless you are using enforce machine authentication
When you using EAP PEAP the NPS is just authenticating user and password Thats it nothing else...
Now you can authenticate the network card of your machine with mac address authentication( and i say network card because thats what is doing)... plus like i said before is not recommended using that...
Do you have on your NPS rule also a Machine group in there or just a user group? you should just have a user group and thats it.
If you want to authenticate machine yhou have to turn on enforce machine authentication and have that computer group on a separate rule on the NPS.... you have to be careful also with the cache time you will provide to the users....
Not sure if I'm missing something here or not. I have NPS set to send back an attribute called "domain computer" when the laptop is turned on and before someone logs into the laptop. The group "domain computers" in AD triggers this.
Once a valid user logs into the laptop we promote the device into the "authenticated" role. When a user logs out, the machine returns back to the "domain computer" role.
The above works without "enforce machine authentication" set. Without "enforce machine authentication" set you can allow for non-domain devices to be connected and perhaps place that session into a "guest role" etc.
Enabling "enforce machine authentication" makes it so only domain devices can be connected etc. i.e. Employees can't bring in their ipad or personal laptop and connect to the 802.1x authenticated SSID.
The fact is the way I have this configured works well except every 2-3 weeks the XP laptops stop authenticating until they are connected to a wired network connection.
Your issue may be that the Windows machine account password is expiring (default every 30 days) and this is causing 802.1X machine auth to fail. You should try extending or disabling the machine account password expriation via Group Policy.
Thank you!!! I do believe this is the issue I am seeing. The article you posted states this is not an issue with Win7 and we don't see this issue on Win7 devices. I will test it out!!
At Aruba, we believe that the most dynamic customer experiences happen at the Edge. Our mission is to deliver innovative solutions that harness data at the Edge to drive powerful business outcomes.
© Copyright 2020 Hewlett Packard Enterprise Development LPAll Rights Reserved.