
All-Decade MVP 2020

802.1X Problems With Enforce Machine Auth.

I was having the same problem until recently, when I opened a case with Support. After escalation, I worked with a very knowledgeable engineer to solve my problem.

1. Check profile authentication dot1x:
show aaa authentication dot1x
802.1X Authentication Profile "DOT1X-STRICT-PF"
-----------------------------------------------
Parameter Value
--------- -----
Enforce Machine Authentication Enabled
Machine Authentication: Default Machine Role COMPUTER-ROLE
Machine Authentication Cache Timeout 12 hrs
I am enforcing machine authentication, and when a machine passes the authentication, "COMPUTER-ROLE" is assigned.

2. Check the role:
show rights COMPUTER-ROLE
Derived Role = 'COMPUTER-ROLE'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Periodic reauthentication: Disabled
ACL Number = 54/0
Max Sessions = 65535

access-list List
----------------
Position Name Location
-------- ---- --------
1 allowall
For the purpose of troubleshooting, make sure this COMPUTER-ROLE is allowall. After everything works you can limit this role.
To assign allowall to COMPUTER-ROLE:

user-role COMPUTER-ROLE
session-acl allowall position 1
3. Testing: Turn on the laptop, wait a few minutes, do not log on. You should see the laptop get "8021x-Machine" auth with role "COMPUTER-ROLE".

(Master) # show user | include
172.18.50.195 00:1c:bf:14:d6:07 host/mylaptop.mydomain.com COMPUTER-ROLE 00:00:01 8021x-Machine MY.AP.NAME Associated ssid_wpa/00:1a:1e:af:ec:61/g MY-AAA-PF

Log on to the domain; the role should change to 802.1x EMPLOYEE-ROLE. This user DOES NOT need CACHED CREDENTIALS to log on.

(Master) # show user | include
172.18.50.195 00:1c:bf:14:d6:07 DOMAIN\username EMPLOYEE-ROLE 00:00:06 802.1x My.AP.NAME Associated ssid_wpa/00:1a:1e:af:ec:61/g MY-AAA-PF

Good luck!
~Trinh Nguyen~
Boys Town
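To check step 3 across many clients at once, here is an added example (not code from the post above) that parses `show user` output in the column layout shown there and flags each client as machine-authenticated, user-authenticated after machine auth, or user-authenticated while sitting in the initial role. The role names and the assumption that the initial role is called "logon" are taken from this thread; the sample rows are constructed.

```python
"""Added example: parse ArubaOS 'show user' output and check each client's
802.1X auth method against its role (not code from the original post)."""
import re

# Role names as in the thread's profile; "logon" is assumed to be the initial
# role a client lands in when machine auth is missing or its cache has expired.
MACHINE_ROLE, USER_ROLE, DEFAULT_ROLE = "COMPUTER-ROLE", "EMPLOYEE-ROLE", "logon"
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)

# Constructed sample in the thread's column order:
# IP MAC Name Role Age Auth AP Status Essid/Bssid/Phy Profile
SAMPLE = """\
IP         MAC                Name                   Role           Age      Auth           AP    Status     Essid/Bssid/Phy                 Profile
---------- ------------------ ---------------------- -------------- -------- -------------- ----- ---------- ------------------------------- ---------
10.0.0.11  00:11:22:33:44:01  host/lab-01.corp.test  COMPUTER-ROLE  00:00:01 8021x-Machine  AP-1  Associated ssid_wpa/00:aa:bb:cc:dd:01/g MY-AAA-PF
10.0.0.12  00:11:22:33:44:02  CORP\\alice            EMPLOYEE-ROLE  00:00:06 802.1x         AP-1  Associated ssid_wpa/00:aa:bb:cc:dd:01/g MY-AAA-PF
10.0.0.13  00:11:22:33:44:03  CORP\\bob              logon          00:00:02 802.1x         AP-2  Associated ssid_wpa/00:aa:bb:cc:dd:02/g MY-AAA-PF
"""

def parse_show_user(text):
    """Return one dict per client row; header, separator and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 10 or not MAC_RE.match(f[1]):
            continue
        rows.append({"ip": f[0], "mac": f[1], "name": f[2], "role": f[3],
                     "auth": f[5], "ap": f[6]})
    return rows

def classify(row):
    """Map (auth method, role) to the states the post walks through."""
    if row["auth"] == "8021x-Machine" and row["role"] == MACHINE_ROLE:
        return "machine-auth ok"            # step 3: booted, nobody logged on yet
    if row["auth"] == "802.1x" and row["role"] == USER_ROLE:
        return "user-auth ok"               # user logged on after machine auth
    if row["auth"] == "802.1x" and row["role"] == DEFAULT_ROLE:
        return "user-auth without machine-auth"   # machine auth missing/expired
    return "unexpected"

def audit(text):
    """mac -> state, so clients that need attention can be listed quickly."""
    return {r["mac"]: classify(r) for r in parse_show_user(text)}

if __name__ == "__main__":
    for mac, state in audit(SAMPLE).items():
        print(mac, state)
```

Feed it the real `show user` output (for example saved from the controller CLI) and look for the "user-auth without machine-auth" entries; those are the clients whose machine authentication never happened or aged out of the cache.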
Occasional Contributor II

Re: PEAP clients occasionally unable to logon...

Sorry for the additional questions. I'm testing EAP-TLS which works for machines once they have their machine cert. But once the user logs on the connection fails because the user does not have a certificate already on the machine.

Our users swap and move between laptops all the time so getting individual certs on all the machines is not really going to happen. (We can do autoenrollment for the machine certs).

So presumably you guys who've moved to EAP-TLS are only authenticating the machine on the wireless network? If so could you share the Aruba side configuration? With PEAP we're currently authenticating the machine into the computer role and the user into employee role.

Edit:

Ok so in my test domain I've found where to set authentication to 'Computer Only', however we're not currently using GPO to configure wireless settings. Is there an alternative way to configure this manually on clients?
Guru Elite

Request Certificates

Jason,

You would have to go to the Microsoft Certificate server using the URL https:///CertSrv and request a certificate manually...

Go to the page here: http://technet.microsoft.com/en-us/library/bb727098.aspx and look for "Accessing Certificate Services in a Browser", and it will tell you how to do this.

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
Occasional Contributor II

Re: PEAP clients occasionally unable to logon...

Thanks, I know how to get certificates (both machine and user). If we moved to EAP-TLS I wouldn't want to enrol users however - only utilise machine certificates, which I think is what's been discussed earlier. My confusion was about how EAP-TLS would work without user certificates, but it appears through GPO you can tell the EAP process on clients to only authenticate the computer and never the user.
Occasional Contributor II

Re: PEAP clients occasionally unable to logon...

I've been migrating laptops to EAP-TLS using autoenrollment and found that group policies for computer settings (not user settings) do not apply properly on wireless connections because the machine tries to update the GP before the network is fully initialised. There is a Microsoft KB about this here: http://support.microsoft.com/kb/840669/en-us.

I tried the registry fix and it worked for my test laptop. Interestingly, I am now wondering if this same issue was the cause of our occasional logon problems with laptops configured for PEAP!? It would seem to fit the pattern, and Microsoft lists some "domain not available" errors that fit.

I'm going to look into changing the GP timeout across our network and will see what happens.
Occasional Contributor I

Problems with "Domain unavailable"

We have been working on this issue for quite a while now. We have determined multiple issues that impact our users. One of the major issues for us is that we are still using some older XP laptops with between 512 MB and 1 GB of memory. When the machine boots up, the machine auths just fine. The problem comes when the AntiVirus client kicks off; in our case it consumes 100% of the CPU, and on top of that Windows updates kick off. When these two things happen, the user always ends up getting "domain unavailable". The user is unable to auth.

On our new machines, which have 1 GB to 2 GB of memory and faster CPUs, we rarely see this problem.

We actually had a couple of guys from Microsoft come out and look into the problem for us. They had some nice tools that logged everything going on and then were able to present everything in a nice graphical timeline that showed when a process started and stopped and how much resources it was consuming.

We are using PEAP to auth.
Aruba Employee

Problems with "Domain unavailable"

Would you be able to name the tools that you have alluded to below?

" We actually had a couple of guys from Microsoft come out and look into
the problem for us. They had some nice tools that logged everything
going on and then was able to present everything in a nice graphical
time line that showed when a process started then stopped and how much
resources it was consuming."

-michael
Aruba Employee

Re: PEAP clients occasionally unable to logon...


"We have been working on this issue for quite a while now.
We actually had a couple of guys from Microsoft come out and look into the problem for us. They had some nice tools that logged everything going on and then was able to present everything in a nice graphical time line that showed when a process started then stopped and how much resources it was consuming.

We are using PEAP to auth."

Jason, good to see you on the forums.

In the case I was dealing with, it was without a doubt that the machine was failing the machine account password. The logs proved this. Thus, we converted them from PEAP to EAP-TLS and the issue seems to have been fixed, per the Microsoft KB article posted earlier in this thread.

This was because the school district I was working with was not caching profiles on the machines... each machine was a "just grab it from the pile" and the user would be required to auth to the domain for access... no local accounts. If the user accounts had been cached on the laptop, then user auth would have worked and the machine account password could have been updated at that time.

I'm really curious what was different between say, your PEAP installation and their PEAP installation where the machine account password would get out of sync.
Occasional Contributor II

Re: PEAP clients occasionally unable to logon...

It might be that we have the same machine auth timeout with our PEAP clients. Today I noticed 5 users all in the default 802.1x role which is logon. Looking over the radius logs on the IAS server I see a passed authentication for the user but not the machine. I never see failures in the security logs on IAS as you described.

I've been migrating some machines to EAP-TLS with autoenrolled machine certs but haven't done user certs and therefore we're only authenticating the device on the network. This is ok to a degree but I'd prefer to auth the users. (I'm reluctant to enable user certs because our campus has over 10,000 staff and I have no idea what the impact would be). As part of rolling out EAP-TLS I was finding wireless laptops weren't getting the group policy and this led me to the findings detailed in my previous post.

We seem stuck between a rock and a hard place, wanting to be able to report on users logged on the wireless system but needing to authenticate the machine as well. (Previously we had people logging on with their iPhones because we were only doing user auth).

Edit:

I've started testing EAP-TLS with user certificates and it seems ok. I am slightly concerned about any overheads on AD because we'll not restrict the enrollment to only wireless users.
Occasional Contributor I

Re: PEAP clients occasionally unable to logon...


"Jason, good to see you on the forums.

I'm really curious what was different between say, your PEAP installation and their PEAP installation where the machine account password would get out of sync."

Hi Brian,
If you want my configs or any information from my side to compare with, just let me know and I will send it over your way.