Security

last person joined: 4 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

How to disable machine authentication on a BYOD SSID

Jump to Best Answer
  • 1.  How to disable machine authentication on a BYOD SSID

    Posted Feb 15, 2015 09:32 PM

    Hi,

     

    We are using a SSID for BYOD clients. Also, 802.1x authentication is in place. Users are required to enter thier active directory username and password to login to wireless network. We are using EAP-PEAP. The issue we are facing is follows:

     

    (1) A client logs in to wireless network and gets a vlan which is set default in VAP profile. However we are using server rules on the controller. 

     

    (2) The user must be put in to a vlan according to the rules specified. I have read on a aruba support forum that if machine authentication fails the user has been put in default vlan specified under vap profile. Because machine information for BYOD devices are not present on our active directory thus most of the clients are put in default vlan though they should be assigned vlan according to server rules based on radius attribute. This does not happen with all the clients but initial login always puts a client in defualt vlan in result of which a user shows up twice on the controller having IP addresses from both the vlans such as 172.16.0.3 and 192.168.100.3.

     

    Any ideas what might be causing it? It appears that clients are later put into the respective vlans but at initial login they get IP from default vlan.



  • 2.  RE: How to disable machine authentication on a BYOD SSID

    Posted Feb 15, 2015 09:33 PM

    Following is the link which talks about default VLAN:

     

    http://www.arubanetworks.com/techdocs/ArubaOS_60/UserGuide/802.1x.php



  • 3.  RE: How to disable machine authentication on a BYOD SSID

    Posted Feb 15, 2015 09:34 PM

    Please post your server rules.



  • 4.  RE: How to disable machine authentication on a BYOD SSID

    Posted Feb 15, 2015 09:36 PM
      |   view attached

    Attached.



  • 5.  RE: How to disable machine authentication on a BYOD SSID

    Posted Feb 15, 2015 10:12 PM

    It looks like you have "Enforce Machine Authentication" enabled in your 802.1x profile.  When "Enforce Machine Authentication" is enabled, the server rules are ignored unless a device passes BOTH user AND machine authentication.  That means BYOD devices will never have those server derivation rules executed, because they will never pass machine authentication.  Users who do not pass machine authentication will get the 802.1x enforce machine authentication user role.  If there is a VLAN defined in the Virtual AP, they will get that VLAN.

     



  • 6.  RE: How to disable machine authentication on a BYOD SSID

    Posted Feb 16, 2015 02:23 AM
    Hi,

    Thanks for your response.

    Machine authentication enforcement is not enabled. I have double checked
    it. Also the rules are working properly because I can see in logs users are
    put in role according to the rule specified however this is not the case
    for vlan assignment. Correct vlan assignment works but not for all users.
    Actually it may be working correctly but it creates two user entries on the
    controller. For an example. User is authenticated and then on the
    controller I see that same user has an IP from vlan10 subnet and from
    vlan20 subnet.

    Any further ideas please?

    Farzan Qureshi
    ------------------
    Network Administrator & Helpdesk support
    Rosmini College

    --
    This email and any files transmitted with it are confidential and intended
    solely for the use of the individual or entity to whom they are addressed.
    If you have received this email in error please notify the system manager (
    admin@rosmini.school.nz). Please note that any views or opinions presented
    in this email are solely those of the author and do not necessarily
    represent those of the company. Finally, the recipient should check this
    email and any attachments for the presence of viruses. Rosmini College
    accepts no liability for any damage caused by any virus transmitted by this
    email.


  • 7.  RE: How to disable machine authentication on a BYOD SSID

    Posted Feb 16, 2015 04:26 AM

    Looking at your server derivation rules again, I see that you are trying to assign a VLAN and a Role at the same time.  Only the first server derivation rule is evaluated and enforced, so only your Role server derivation rule is being evaluated.  As a test, if you swap the order of the rules, you will see that only the VLAN would be enforced.  If you want to have both the VLAN and the Role changed, the best thing to do is to return an Aruba VSA from the Radius Server.  With a VSA on the radius server you can send multiple attributes like a role and a VLAN at the same time.  With server derivation rules, it only evaluates the first rule.   A VSA would completely replace server derivation rules on the controller.

     

    Which radius server do you have?

     



  • 8.  RE: How to disable machine authentication on a BYOD SSID

    Posted Feb 16, 2015 04:48 AM
    That must be the case!

    We are running NPS server on Windows Server 2008 R2. How I can add VSA to
    NPS server?

    --
    *Farzan Qureshi* | Network Administrator & Help-desk Support | Rosmini
    College | (09) 487 0 530

    --
    This email and any files transmitted with it are confidential and intended
    solely for the use of the individual or entity to whom they are addressed.
    If you have received this email in error please notify the system manager (
    admin@rosmini.school.nz). Please note that any views or opinions presented
    in this email are solely those of the author and do not necessarily
    represent those of the company. Finally, the recipient should check this
    email and any attachments for the presence of viruses. Rosmini College
    accepts no liability for any damage caused by any virus transmitted by this
    email.


  • 9.  RE: How to disable machine authentication on a BYOD SSID
    Best Answer

    Posted Feb 16, 2015 05:03 AM


  • 10.  RE: How to disable machine authentication on a BYOD SSID

    Posted Feb 16, 2015 03:30 PM
    Hi,

    If you check the server rules, there are two rules which puts the client in
    Authenticated role in vlan 117. This rule is working without any issues.
    There are two rules. One rule puts the client in Authenticated role and the
    other puts the authenticated user to 117 vlan. This makes me think that
    rules are working alright. It is not like that it matches only first rule
    (I am having a feeling of it) that it matches all available rules.
    Otherwise the user will get the authenticated role and the vlan would be 2.
    Because vlan 2 is the default vlan assigned in vap profile.

    Any further ideas?

    --
    *Farzan Qureshi* | Network Administrator & Help-desk Support | Rosmini
    College | (09) 487 0 530

    --
    This email and any files transmitted with it are confidential and intended
    solely for the use of the individual or entity to whom they are addressed.
    If you have received this email in error please notify the system manager (
    admin@rosmini.school.nz). Please note that any views or opinions presented
    in this email are solely those of the author and do not necessarily
    represent those of the company. Finally, the recipient should check this
    email and any attachments for the presence of viruses. Rosmini College
    accepts no liability for any damage caused by any virus transmitted by this
    email.


  • 11.  RE: How to disable machine authentication on a BYOD SSID

    Posted Feb 16, 2015 06:50 PM

    Thanks for sharing the link. I have sorted the issue by getting an idea from the link. It appears that it is working now and override server rules if attributes are provided from RADIUS server.

     

    Thanks for your help.



  • 12.  RE: How to disable machine authentication on a BYOD SSID

    Posted Feb 16, 2015 06:54 PM
    Only the first rule is processed. It is possible that in the AAA profile the default 802.1x role is authenticated, so unless a VSA or server rule changes it, that is what it will always be.


  • 13.  RE: How to disable machine authentication on a BYOD SSID

    Posted Feb 16, 2015 06:57 PM
    If the 802.1x default role is authenticated, that is what it will always be unless a VSA or server derivation rule changes it. Only a single server derivation rule is applied (first match).


  • 14.  RE: How to disable machine authentication on a BYOD SSID

    Posted Feb 16, 2015 08:04 PM

    It didn't solve the problem. I can still see two IPs from different vlan on the controller. I suspect that there is a bug in code version?



  • 15.  RE: How to disable machine authentication on a BYOD SSID

    Posted Feb 16, 2015 08:06 PM
    Did you turn on user debugging to see why that is happening?


  • 16.  RE: How to disable machine authentication on a BYOD SSID

    Posted Feb 16, 2015 08:08 PM
    Sorry no. Would you please guide me how to enable user debugging?

    --
    *Farzan Qureshi* | Network Administrator & Help-desk Support | Rosmini
    College | (09) 487 0 530

    --
    This email and any files transmitted with it are confidential and intended
    solely for the use of the individual or entity to whom they are addressed.
    If you have received this email in error please notify the system manager (
    admin@rosmini.school.nz). Please note that any views or opinions presented
    in this email are solely those of the author and do not necessarily
    represent those of the company. Finally, the recipient should check this
    email and any attachments for the presence of viruses. Rosmini College
    accepts no liability for any damage caused by any virus transmitted by this
    email.


  • 17.  RE: How to disable machine authentication on a BYOD SSID

    Posted Feb 16, 2015 09:09 PM

    You would do this:

     

    config t
    logging level debugging user-debug <mac address of device>

     You would then connect and when you are done, type:

    show log user-debug all

     To reset a device's session so that you start from scratch, disconnect the device, then type:

    aaa user delete mac <mac address>

     



  • 18.  RE: How to disable machine authentication on a BYOD SSID

    Posted Feb 17, 2015 07:01 PM
    Thanks for the information. I will try this and will get back to you.

    --
    *Farzan Qureshi* | Network Administrator & Help-desk Support | Rosmini
    College | (09) 487 0 530

    --
    This email and any files transmitted with it are confidential and intended
    solely for the use of the individual or entity to whom they are addressed.
    If you have received this email in error please notify the system manager (
    admin@rosmini.school.nz). Please note that any views or opinions presented
    in this email are solely those of the author and do not necessarily
    represent those of the company. Finally, the recipient should check this
    email and any attachments for the presence of viruses. Rosmini College
    accepts no liability for any damage caused by any virus transmitted by this
    email.