New Contributor

Re: 802.1x with NPS and windows 7 single sign on

Dear Experts,

 

We too face a similar issue with regard to machine authentication.

We deployed a 3200 controller and 105 APs (12 nos.) and 65 APs (2 nos., for detection purposes) in our environment, and are using DESKTOPS and LAPTOPS for complete wireless.

We do not have any cable redundancy, as we thought ARUBA is very much capable of taking care of all our issues and it is the perfect product which works like LAN.

Problem is:

computers are not getting into the network if the user is not logged on (AD Auth), hence there is no connection to the Antivirus Server/AD/DHCP/GP.

No one from the ARUBA tech team has figured it out in the past 2 years.

If anyone can help me in this regard, please?

 

Thanks,

IS Team,

 

 

Guru Elite

Re: 802.1x with NPS and windows 7 single sign on

If Aruba TAC cannot help you, it might help to open a case with Microsoft.

 


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.5 User Guide
InstantOS 8.5 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
ArubaOS Consolidated Release Notes
Aruba VIA ASE Solution - Configure VIA VPN
Frequent Contributor I

Re: 802.1x with NPS and windows 7 single sign on

We have gotten everything working if we use "user or machine" authentication. We set up a role for machine auth that gives "SOME" access to the network, nothing critical, but the ability to get AV updates, Windows updates, and see the AD server, dhcpd, DNS.

We have SSO turned on, and when a user logs in, it will switch the role to the correct user role, and give them the correct access.

What we have found in testing is that sometimes it takes longer for the computer to switch back to the correct role (this is not instant). So we have seen a situation where a student logs off, and another student sits down (while the machine is logging off) and then immediately logs in; if the student has not logged into this machine before, this may fail. It appears that when the Aruba controller is actively changing the role, all access is removed momentarily, and when that happens at the right time we get the login errors...

If you wait at least 15 seconds between logins this seems to be a non-issue. I know it does not sound like a problem, but every once in a while a log off may take a couple of extra seconds (open apps, etc...).

If we have the computers set to ONLY "user authentication" things do not work this nicely, as Windows will always attempt to complete a PEAP request even if you are USER only and SSO enabled, and will simply send the host as the user to the NPS server. So if you do not have machine authentication on your NPS, authentication fails and Windows enables the default block timer of 20 minutes, and will ignore any PEAP authentication requests from the controller....

Guru Elite

Re: 802.1x with NPS and windows 7 single sign on



The advice is to give your computer role "allowall" access, because it usually represents a device that is at the ctrl-alt-delete screen.

 

We don't want any background processes like authentication/authorization to fail, which would prevent a user not previously logged on to get on.  I am not sure what that SSO button does, anyway....

 


Frequent Contributor I

Re: 802.1x with NPS and windows 7 single sign on



I would agree with this except that a local user logging into the computer will (in my testing) end up getting the allow all rule... as opposed to the more restrictive role. We have also seen that if a user creates a new wifi connection to the system and specifies computer only, they then have full access to the network. And we cannot keep users from being able to create wifi connections, otherwise they would not be able to connect to any non-specified networks. We would like things to be as restrictive as possible unless we know who is actually on the machine.

That being said, as I have stated, doing machine/user auth solves the issue with the Windows SSO mechanism.

 

Computer access with allow all is like giving everyone a master key to your building, and then "collecting" the key once they enter the building and giving them an individual room key...
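As an added illustration (not configuration from any post in this thread or from Aruba's documentation), here is an ArubaOS-style fragment that places the "allowall" machine role cjoseph describes beside a restricted machine-auth role of the kind danstl describes: DHCP, DNS, AD and update servers only, until SSO swaps the device into the user role. The addresses, the netdestination and role names, and the assumption that the predefined `svc-*` service aliases exist as named are all placeholders to check against `show netservice` on your own controller.

```text
! Constructed placeholder addresses: replace with your own servers
netdestination corp-infra
  host 10.0.0.10
  host 10.0.0.11
!
! Weak setting: a logged-off, machine-authenticated device gets everything,
! and so does a local (non-domain) user that never completes user auth
aaa authentication dot1x "corp-dot1x-weak"
  machine-authentication enable
  machine-authentication machine-default-role allowall
!
! Restricted alternative: only what a logged-off domain member needs
! (assumed aliases: svc-dhcp, svc-dns, svc-kerberos, svc-smb-tcp,
!  svc-microsoft-ds, svc-msrpc-tcp, svc-http, svc-https; LDAP defined here)
netservice ldap-tcp tcp 389
!
ip access-list session machine-auth-acl
  any any svc-dhcp permit
  user alias corp-infra svc-dns permit
  user alias corp-infra svc-kerberos permit
  user alias corp-infra ldap-tcp permit
  user alias corp-infra svc-smb-tcp permit
  user alias corp-infra svc-microsoft-ds permit
  user alias corp-infra svc-msrpc-tcp permit
  user alias corp-infra svc-http permit
  user alias corp-infra svc-https permit
  any any any deny
!
user-role machine-auth-role
  access-list session machine-auth-acl
!
aaa authentication dot1x "corp-dot1x"
  machine-authentication enable
  machine-authentication machine-default-role machine-auth-role
  machine-authentication user-default-role guest
```

The restricted role is what a device at the Ctrl-Alt-Del screen holds; a successful user authentication still moves the session to the role derived for that user, so the "master key" danstl describes is never handed out.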

Guru Elite

Re: 802.1x with NPS and windows 7 single sign on

Danstl,

 

Thank you for the information.  That is an interesting alternate look at how others are handling security in their environment.

 

I hope others can use your information and learn from it.

 


Contributor II

Re: 802.1x with NPS and windows 7 single sign on

We are working on this for a few of our laptop lab environments as well. We do have the requirement to allow users to log in against AD for the first time. Machine auth is currently out as we've offloaded EAP from NPS to the controllers, and my understanding is that this will not allow for machine-based auth.

I've got it working most of the time, with the exception of the occasional login attempt failure due to no available DCs (normally right after boot), but a subsequent login attempt works just fine. I'm just bothered that it claims not to connect to the SSID but does seconds later. Is anyone else seeing this behavior?

I have also tried enabling the local security/GP setting "Always wait for the network at computer startup and logon", which seems to not make much sense.

Admittedly, I've found there are some known issues with this approach on Win 7. I am curious if there are other things we've missed and/or solutions others have found to the issues below:

-Immediately after Ctrl-Alt-Del, you'll get prompted to select "Other user", which is a seemingly unnecessary step.

-There will be implications for Computer Level GPOs being applied. If the machine isn't connected to the network on boot, it may take some time and reboots to receive the GPO and subsequently apply computer level settings.

-Occasional reported 'miss'/no DC error connecting to wireless on first attempt.

 

On the other hand:

-As pointed out, the only people getting onto the network and assigned a role are authenticated users.

-You don't have clients that have been powered on but not in use connected to your network and/or using spectrum.

 

This is one of the better written articles I've found:

http://technet.microsoft.com/en-us/magazine/2007.11.cableguy.aspx

 

 

I am curious to hear about the experiences of others taking the 802.1x with NPS and windows 7 single sign on approach.

 

 

 

Kevin Schoenfeld

Guru Elite

Re: 802.1x with NPS and windows 7 single sign on



kjspgd,

 

Is there a specific reason why you have EAP offloaded from NPS?


Contributor II

Re: 802.1x with NPS and windows 7 single sign on

Not particularly, other than to leverage the Aruba hardware capability, rather than make our NPS servers work harder than necessary.

At the initial onset of our Aruba deployment, machine auth was not a requirement, nor present in our previous wireless implementation.

I have looked into what it would take to remove the offloading... which isn't much aside from some certificate movement. I'd like to see the SSO option teased out before moving to machine-based auth... unless there are highly compelling things with machine auth that I am missing.

 

Is EAP offloading a generally discouraged thing?

 

Kevin Schoenfeld

Guru Elite

Re: 802.1x with NPS and windows 7 single sign on



EAP offloading is not discouraged, but the limitations when pointing it at an NPS or IAS server are as you mentioned above. All other RADIUS servers do not seem to have those limitations. If you are using NPS or IAS, I would suggest that you just generate a server certificate and turn it off so that you can leverage those features. Seamless authentication works just fine in quite a few environments that way.

 

