ArubaOS and Controllers

Occasional Contributor II

Re: PEAP clients occasionally unable to logon...




Problem still there.

Let me know the results of this:

On the IAS server, load up MMC and the Certificates snap-in. Look in Trusted Root and see if there are certificates for the domain controllers and / or the IAS server itself. If so, how many?

Aruba Employee

Re: PEAP clients occasionally unable to logon...

Ok...I think I found the smoking gun here.

I was troubleshooting with one of my problem customers. After finding a machine that didn't work, and messing around with certificates (none of which were expired or otherwise faulty), I looked at the "show auth-tracebuf" command which showed that the machine was just stopping mid-auth and starting over, over and over. No logs at all in the Event Viewer System logs...which is where you'd normally find IAS logs.

However, finally on a whim I checked the "Security" logs in the same Event Viewer (the event viewer on the IAS server), and voilà... I found a failed machine account auth attempt to the domain. This is why the machine is failing Machine Authentication. Please see the attached screenshot.

So...to you others having this issue, please check the security logs when you have a machine that you're actively troubleshooting. In my experience, the security logs roll quickly (at least daily) so this may mean you being there in real-time or close to it. I'd like to correlate this with the other problems here.

And to sum all of this up, take a look at this Microsoft KB on the matter. Basically, it says to use User Auth which will succeed and then update the computer password (this assumes that there are cached credentials, which in my case the client isn't using cached creds) or convert them to EAP-TLS..... looks like PEAP is the issue with ongoing Machine Auth. Interesting.

http://support.microsoft.com/kb/904943

I'd be curious to others' comments regarding that Microsoft KB.
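The post above recommends checking the IAS server's Security log for failed machine-account logons, since those (rather than the System log) reveal why Machine Authentication keeps restarting. The script below is an added example, not code from this thread or from Aruba; it scans a CSV export of the Security log for failed logons by computer accounts (names ending in `$`) and lists the machines that never logged on successfully in the export, which is the pattern a computer with an out-of-sync machine account password produces. The sample log lines, the column names and the set of failed-logon event IDs are constructed assumptions; check them against your own Windows version before relying on them.

```python
"""Find computer accounts with failed logons in an exported Security log.

Added example (not from the forum thread). Assumes a CSV export with the
columns Time, EventID, Account, Status; real exports differ by Windows version.
"""
import csv
import io
from collections import Counter

# Constructed sample export. Machine accounts end with '$'; 0xC000006A is the
# NTSTATUS "wrong password" code, which is what a stale machine password yields.
SAMPLE_LOG = """\
Time,EventID,Account,Status
2009-03-02 08:01:12,4625,LAB-PC07$,0xC000006A
2009-03-02 08:01:15,4625,LAB-PC07$,0xC000006A
2009-03-02 08:02:03,4624,jsmith,0x0
2009-03-02 08:03:44,4625,LAB-PC12$,0xC000006A
2009-03-02 08:04:10,4624,LAB-PC03$,0x0
2009-03-02 08:05:30,4625,jsmith,0xC000006A
"""

# Assumption: failed-logon IDs seen on Vista+/2008 (4625) and Windows 2003 (529, 680);
# successful logon is 4624 on newer systems and 528/540 on Windows 2003.
FAILED_LOGON_IDS = {"4625", "529", "680"}
SUCCESS_LOGON_IDS = {"4624", "528", "540"}


def is_machine_account(name):
    """Computer accounts carry a trailing '$' in Windows logs."""
    return name.endswith("$")


def parse_events(text):
    """Yield (event_id, account, status) tuples from the CSV export."""
    for row in csv.DictReader(io.StringIO(text)):
        yield row["EventID"].strip(), row["Account"].strip(), row["Status"].strip()


def failed_machine_logons(text):
    """Count failed logons per computer account (user accounts are ignored)."""
    counts = Counter()
    for event_id, account, _status in parse_events(text):
        if event_id in FAILED_LOGON_IDS and is_machine_account(account):
            counts[account] += 1
    return counts


def suspects(text):
    """Computer accounts that failed at least once and never succeeded.

    A machine that fails only is the one to look at first: its account
    password is most likely out of sync with the domain.
    """
    failed = failed_machine_logons(text)
    succeeded = {
        account
        for event_id, account, _status in parse_events(text)
        if event_id in SUCCESS_LOGON_IDS and is_machine_account(account)
    }
    return sorted(account for account in failed if account not in succeeded)


if __name__ == "__main__":
    for account, count in failed_machine_logons(SAMPLE_LOG).items():
        print(f"{account}: {count} failed machine logon(s)")
    print("never succeeded:", ", ".join(suspects(SAMPLE_LOG)))
```

Run it against a real export by reading the CSV into `SAMPLE_LOG`'s place; because the Security log rolls quickly on a busy IAS server, as the post notes, export it as soon as a client shows the problem.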
Occasional Contributor II

Re: PEAP clients occasionally unable to logon...





I think you nailed it for sure. I suspected machine accounts but didn't see any evidence. I also do not cache credentials. I wonder if everyone experiencing the problem has caching off. May try to change over to EAP-TLS or turn on caching. My problem with turning on caching is if a laptop is off the wireless, and the user does login, no group policy is applied!
Occasional Contributor II

Re: PEAP clients occasionally unable to logon...




And as a follow up to this. I just realized I have about 7 machines where caching is ON and they've NEVER had this problem. This is certainly it. Good job, bjwhite!

Occasional Contributor II

Re: PEAP clients occasionally unable to logon...

Great work!!

This does seem to fit as when we disabled 'enforce machine auth' users could get connectivity. However their roaming profile would still fail because until they got to the desktop (or part way through logging on) the laptop would be passing its own credentials.

Because I want to control which devices get access then going with user only auth is out of the question. I'm going to start looking at EAP-TLS.

I'll check those security logs and confirm if I see the same error the next time a device has issues.

Jason
Occasional Contributor II

Re: PEAP clients occasionally unable to logon...

Can anyone offer some insight on changing to EAP-TLS using IAS? I'm not terminating on the Aruba controller. All of the clients already have their own certificates because of auto-enrollment.
Occasional Contributor I

Re: PEAP clients occasionally unable to logon...

I've been going back and forth with Microsoft about this over the past few weeks. At first they were trying to pin this on the 30 day machine account timeout policy but that is not the problem. Saying that these machines were being left untouched for 30+ days is nearly impossible in a classroom environment. The reason why it works with cached credentials is because if you are not enforcing machine auth on your Aruba controller, once the user authenticates with their username/password, this will be used to authenticate the user on the WLAN. With machine auth enforcement disabled, the controller will accept either machine auth or user auth credentials for wifi access. If that user logged out, and then another user that hasn't logged into that notebook before tries to log in, he will get a domain not available message. I verified this on one of my notebooks.

My problem is, I have multiple users using the same notebook so cached credentials are not the fix; the fix has to be correcting the machine auth problem. I looked into EAP-TLS but it doesn't seem to be natively supported by XP? The only thing I can come up with is that I've only seen this problem on older Intel wifi chipsets. I've never seen this problem with my clients that were using the Intel 4965AGN chipset. I recently swapped all those clients from the Intel 4965AGN to the Broadcom BCM94321MC chipset for other reasons and I haven't seen that problem with those either. These machines machine-authenticate as they should every time. All my other notebooks are running the Intel 3945 or the Intel 2915 chipset. The only question I have for everyone else experiencing this problem is, is this happening on Intel chipsets or other brands as well?
Aruba Employee

Re: PEAP clients occasionally unable to logon...

Another way to solve this problem is using the Juniper Odyssey supplicant. It has a GINA module that allows the user to logon to the network prior to windows domain logon. That serves the same function as the machine logon which is to connect the laptop to the network so the user can be validated against AD. Odyssey also offers a machine logon option with either MS machine credentials, certificate, or account name/pwd.

I know that paying extra for a supplicant isn't popular but I mention it just in case. We use the Odyssey client extensively in US government facilities because it has passed the "FIPS" security standard required by all military and most civilian agencies. Many government laptops run without cached user profiles.
Occasional Contributor II

Re: PEAP clients occasionally unable to logon...




I think it is. When you check "Use smartcard or other certificate" it is using EAP at that point. I'm going to test EAP-TLS this afternoon and I'll post any GOOD things I find.

We're using Intel(R) Wireless WiFi Link 5100.

Aruba Employee

Re: PEAP clients occasionally unable to logon...

Correct. "Use SmartCard or other Certificate" is EAP-TLS in Windows XP-speak.
Windows XP natively supports EAP-TLS or PEAP.

I highly doubt that NIC type has anything to do with this problem, j0emv. Cached credentials are NOT the solution if you're using multi-user machines with no cached creds, because if a user without cached creds tries to log in, you may hit this issue.

The only solution in my mind is to convert to EAP-TLS. There is an outside chance that messing with the machine account password settings could give you some relief too...like extending it from 30 days to 60 days (or greater if possible) or actually disabling machine account password resets altogether....but that may be considered a security issue.