ArubaOS and Controllers

Occasional Contributor II

Re: PEAP clients occasionally unable to logon...

We're experimenting with disabling certificate validation on problem clients but it is also too early to tell.

When I created our CA I used standard edition Windows and did have problems generating proper server certs. The CA is now running Enterprise edition and I have more options available to me. I wonder if I should generate the certs for our radius servers again?
Occasional Contributor II

Re: PEAP clients occasionally unable to logon...

I want to also re-generate the certificate but can't risk it in a live environment. Disabling the validation seems to have worked for us but it is a security hole as described above.
Occasional Contributor II

Re: PEAP clients occasionally unable to logon...

I think you can safely generate a new certificate for your radius servers. It won't automatically use this cert until you modify the PEAP policy settings in IAS. Then you've got the option of reverting back to the previous certificate if it proves faulty.

I hope to try this myself on our backup radius server and will let you know.
New Contributor

Re: PEAP clients occasionally unable to logon...

We are seeing this problem as well in an 802.1x environment. It looks like, and we are testing this now, Service Pack three for Windows XP has a roll-up fix for group policy being dropped. These are the errors in the logs. Microsoft say the problem is caused by a transient network error.
http://support.microsoft.com/kb/929624/
Aruba Employee

Re: PEAP clients occasionally unable to logon...

Since this is seeming more RADIUS server certificate related than anything else (GPO, client machine cert, etc.), another possible fix for this is to enable EAP Termination on the Aruba controller. The cert would then live on the Aruba controller and all the EAP would happen there too. Only plain RADIUS (or LDAP) requests would go to the auth server.

I'm going to test this theory with one of my problem customers and report back to this thread.
Occasional Contributor II

Re: PEAP clients occasionally unable to logon...

I'd be very interested in knowing the results of EAP termination and how you go about transitioning the configs to it. Since suspecting our RADIUS servers weren't provisioned properly, EAP termination looked like a good alternative.

Jason
Occasional Contributor I

Re: PEAP clients occasionally unable to logon...

I am having this same problem as well to some degree. I have tickets opened with Aruba and with Microsoft on this. I think it's hard to track it down because it seems like it could be 2 different things causing this. One of them is that the maximum machine account age is set to 30 days by default, although it seems like this happens sooner than that. When this happens, only plugging into the LAN will refresh group policy and get it connected again. The other I'm not sure, but rebooting a laptop usually takes care of it and this is what I want to figure out.

I work in a K-8 school with laptop carts and this 30 day thing is very possible because of the long breaks we have. The users that experience it the most seem to be the ones who don't use the carts as much as others as well.

As for XP SP3, I ran that on all my machines last summer thinking that would take care of this problem and it's still happening. There are some registry keys that need to be set to force Windows to connect before bringing up the logon prompt as well. What about that force machine authentication setting in the AAA profile on the Aruba controller? I'm very interested to see what you guys come up with.
Occasional Contributor II

Re: PEAP clients occasionally unable to logon...

Interested to see how the termination on the Aruba works also. I'd gladly try switching to this.

In the meantime, question for y'all. Does anyone else have clients auto-enrolling for certificates on their domain? Not sure if this is related at all but we have clients auto-enrolling their machine certificate with the CA on every logon. Easy way to check is to look in your CA at issued certificates. If there is one listed for every machine, it's on. Curious to see if I'm the only one.
Occasional Contributor II

Re: PEAP clients occasionally unable to logon...

No autoenrollment here. Presumably that's only needed for EAP-TLS authentication so the client can prove its authenticity?

The only deployment we had was the certificate for our CA pushed to all clients as part of group policies.
Aruba Employee

Re: PEAP clients occasionally unable to logon...

So any update to your disabling "validate server cert" checkbox?