Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

802.1x with NPS and windows 7 single sign on

  • 1.  802.1x with NPS and windows 7 single sign on

    Posted Dec 13, 2012 11:21 AM

    This is driving me a bit nutty :)

     

    So we have SSO enabled for our 802.1x network and it works perfectly about 10% of the time :)

    We have a computer role set up with limited network access, and a user role that has more.  But a majority of the time the user logs in to the machine it says "unable to connect to <SSID>", but when I look at the Aruba debug for that client it clearly connects, and changes the role appropriately.

     

    So in the end there is no issue with the user's ability to log in, but it just drives me crazy to see that message..

     

    Some background:

    We have a digicert SSL cert for our NPS server

    We turned off Cert Verification for testing purposes

    Enabled SSO from GPO with the correct SSID


     



  • 2.  RE: 802.1x with NPS and windows 7 single sign on

    EMPLOYEE
    Posted Dec 13, 2012 11:30 AM

    If they are all Windows 7 machines, you don't even need to do machine authentication. Just select "Perform immediately before User Logon" and it will use the user's credentials to associate, then make the AD authentication request.



  • 3.  RE: 802.1x with NPS and windows 7 single sign on

    Posted Dec 13, 2012 11:40 AM

    That works fine - unless the user has not already logged into the machine (in my experience). (These are actually desktops in question, and we would like them to get GPO updates/Windows updates when nobody is logged in.)

     

    So we added machine auth that gives some granular access so a new user can still login.

     

    I did notice the clock on the aruba controller is a couple minutes off the rest of my network, but authentication seems to be working fine.  

     

    If I restart the machine the first login always connects to the SSID correctly.  It's only the next user that has an issue.

     

     



  • 4.  RE: 802.1x with NPS and windows 7 single sign on

    EMPLOYEE
    Posted Dec 13, 2012 12:16 PM

    A new user will work with this configuration. We use this on all campus computers for both wired and wireless 1x without machine authentication.



  • 5.  RE: 802.1x with NPS and windows 7 single sign on

    Posted Dec 13, 2012 12:33 PM

    How are you getting this to work properly?  When we look at the RADIUS logs we see the computer attempt an authentication as soon as it boots up; it does not matter if it's set to "user only" or "user or computer".

     

    From reading Microsoft's documentation it works like this:

     

    If you are set to ONLY user authentication and there is no user logged into the machine, the machine still sends a RADIUS authentication for the machine: host/somecomputer

    This then gets rejected by NPS, and then Windows (client) enables a block timer of 20 minutes (the client will not respond to any other RADIUS requests, but can send a new one)

     

    Therefore what happens with user-only authentication is: when you first turn a machine on and log in as a NEW user it will work, most of the time. BUT if you turn the machine on and just let it sit, and then try to log in, it will fail, because the machine has already attempted to log in with the machine credentials and failed, then set the block timer.

     

    For your mobile users they will never see an issue again because the system will use their cached credentials anyway.  We have hundreds of laptops setup with just the SSO / user authentication and it does work - but what we are noticing is the above issues...

     



  • 6.  RE: 802.1x with NPS and windows 7 single sign on

    EMPLOYEE
    Posted Dec 13, 2012 12:45 PM

    Here is our 1x configuration that we push out through group policy. All drives map correctly and GPOs apply without issue.

     

     




  • 7.  RE: 802.1x with NPS and windows 7 single sign on

    Posted Dec 13, 2012 12:21 PM

    You mention you have 2 different roles for computers and users; do these correspond to two different VLANs (or VLAN pools) or are they the same VLAN just with different roles/restrictions?  If these use the same VLAN (or VLAN pool) then there is no need to enable SSO at all.  By using "User or Computer" authentication, your computers should authenticate to the network when no one is logged in.  This should allow users (even new users) to log onto the computer and authenticate to AD and get GPOs/Scripts/etc; as the computer is already on the wireless network.  Once the user authenticates, Windows will flip from computer to user logon to the wireless and Aruba will change the role for the user.

     



  • 8.  RE: 802.1x with NPS and windows 7 single sign on

    Posted Dec 13, 2012 12:36 PM

    clembo,

    That does not work well - because mapped drives will not mount quickly enough and cause "unable to connect all network drives".

     

    We use a single VLAN with different roles (initial role is VERY restrictive, the user role is less restrictive).  So if we do not use SSO then the machine does not switch roles before the login process completes...  The computer role can really only get a DHCP address and see the domain controllers, but no other servers including mapped drives, etc...  So yes, GPOs will work in this config, but drive mapping is clunky...



  • 9.  RE: 802.1x with NPS and windows 7 single sign on

    Posted Dec 13, 2012 12:59 PM

    I understand now, if the computer role restricts access to the fileserver where the mapped drives are (and if it cannot be changed), then yes, my suggestion will not work for you.   However, to respond to your previous post where you mention:


    danstl wrote:

     

    If you are set to ONLY user authentication and there is no user logged into the machine, the machine still sends a RADIUS authentication for the machine: host/somecomputer

    This then gets rejected by NPS, and then Windows (client) enables a block timer of 20 minutes (the client will not respond to any other RADIUS requests, but can send a new one)


    If you have configured the client (or through GPO) to use "User Authentication" then the computer should never try to authenticate.  Even if it did, if you setup NPS policies to allow the computer to authenticate, it should never get rejected.   The block timer you mention of 20 mins; where is that coming from; Aruba?

     

    In any event, SSO should work for your scenario for what you are trying to do.

     

     



  • 10.  RE: 802.1x with NPS and windows 7 single sign on

    Posted Dec 13, 2012 03:17 PM

    @clembo wrote:

    I understand now, if the computer role restricts access to the fileserver where the mapped drives are (and if it cannot be changed), then yes, my suggestion will not work for you.   However, to respond to your previous post where you mention:


    @danstl wrote:

     

    If you are set to ONLY user authentication and there is no user logged into the machine, the machine still sends a RADIUS authentication for the machine: host/somecomputer

    This then gets rejected by NPS, and then Windows (client) enables a block timer of 20 minutes (the client will not respond to any other RADIUS requests, but can send a new one)


    If you have configured the client (or through GPO) to use "User Authentication" then the computer should never try to authenticate.  Even if it did, if you setup NPS policies to allow the computer to authenticate, it should never get rejected.   The block timer you mention of 20 mins; where is that coming from; Aruba?

     

    In any event, SSO should work for your scenario for what you are trying to do.

     

     


    The block timer is built into Windows.  Because you have an AP deployed via GPO, even if it's set to USER-only authentication the system will authenticate, because it will attempt to connect to the AP in question and it will send the user credentials as the computer host.

     

    The SSO works fine - it is just that we see an intermittent issue where someone attempts to log in and Windows says "unable to connect to <SSID>"; looking at the debug logs in the Aruba controller and the RADIUS server we see everything is working as intended...

     

    We have been able to readily reproduce this in a "user"-only authentication scenario:

    Turn on machine

    Log in as a new user

    Everything works.

     

    Turn on machine

    Come back in 15 minutes

    Log in as a new user

    "Unable to connect" message

     

    Check the logs on the computer and you will see a message about a failed connection attempt for user "host/computername" and a 20 min block timer is in effect.

     

     



  • 11.  RE: 802.1x with NPS and windows 7 single sign on

    Posted Dec 18, 2012 11:37 AM

    Dear Experts,

     

    We too face a similar issue with regards to machine authentication.

    We deployed a 3200 controller and 105 APs (12 nos.) and 65 APs (2 nos. - detection purposes) in our environment, and are using DESKTOPS and LAPTOPS for complete wireless.

     

    We do not have any cable redundancy, as we thought ARUBA is very much capable of taking care of all our issues and it is the perfect product which works like a LAN.

     

    Problem is:

    Computers are not getting into the network if a user is not logged on (AD Auth), hence there is no connection from the Antivirus Server/AD/DHCP/GP.

     

    No one from the ARUBA tech team has figured it out in the past 2 years.

     

    If anyone can help me in this regard, please?

     

    Thanks,

    IS Team,

     

     



  • 12.  RE: 802.1x with NPS and windows 7 single sign on

    EMPLOYEE
    Posted Dec 19, 2012 01:24 PM

    If Aruba TAC cannot help you, it might help to open a case with Microsoft.

     



  • 13.  RE: 802.1x with NPS and windows 7 single sign on

    Posted Dec 21, 2012 11:37 AM

    We have gotten everything working if we use "user or machine" authentication.  We set up a role for machine auth that gives "SOME" access to the network, nothing critical, but the ability to get AV updates, Windows updates, and see the AD server, DHCP, DNS.

     

    We have SSO turned on, and when a user logs in, it will switch the role to the correct user role, and give them the correct access.

     

    What we have found in testing is that sometimes it takes longer for the computer to switch back to the correct role (this is not instant).  So we have seen a situation where a student logs off, and another student sits down (while the machine is logging off) and then immediately logs in; if the student has not logged into this machine before, this may fail.  It appears that when the Aruba controller is actively changing the role all access is removed momentarily, and when that happens at the right time we get the login errors...

     

    If you wait at least 15 seconds between logins this seems to be a non issue. I know it does not sound like a problem, but every once in a while a log off may take a couple of extra seconds (open apps, etc...).

     

    If we have the computers set to ONLY "user authentication" things do not work this nicely... As Windows will always attempt to complete a PEAP request even if you are USER only and SSO enabled.  And will simply send the host as the user to the NPS server.  So if you do not have machine authentication on your NPS, authentication fails and Windows enables the default block timer of 20 minutes, and will ignore any PEAP authentication requests from the controller....



  • 14.  RE: 802.1x with NPS and windows 7 single sign on

    EMPLOYEE
    Posted Dec 21, 2012 11:41 AM

    @danstl wrote:

    We have gotten everything working if we use "user or machine" authentication.  We set up a role for machine auth that gives "SOME" access to the network, nothing critical, but the ability to get AV updates, Windows updates, and see the AD server, DHCP, DNS.

     

    We have SSO turned on, and when a user logs in, it will switch the role to the correct user role, and give them the correct access.

     

    What we have found in testing is that sometimes it takes longer for the computer to switch back to the correct role (this is not instant).  So we have seen a situation where a student logs off, and another student sits down (while the machine is logging off) and then immediately logs in; if the student has not logged into this machine before, this may fail.  It appears that when the Aruba controller is actively changing the role all access is removed momentarily, and when that happens at the right time we get the login errors...

     

    If you wait at least 15 seconds between logins this seems to be a non issue. I know it does not sound like a problem, but every once in a while a log off may take a couple of extra seconds (open apps, etc...).

     

    If we have the computers set to ONLY "user authentication" things do not work this nicely... As Windows will always attempt to complete a PEAP request even if you are USER only and SSO enabled.  And will simply send the host as the user to the NPS server.  So if you do not have machine authentication on your NPS, authentication fails and Windows enables the default block timer of 20 minutes, and will ignore any PEAP authentication requests from the controller....


    The advice is to give your computer role "allowall" access, because it usually represents a device that is at the ctrl-alt-delete screen.

     

    We don't want any background processes like authentication/authorization to fail, which would prevent a user not previously logged on to get on.  I am not sure what that SSO button does, anyway....

     



  • 15.  RE: 802.1x with NPS and windows 7 single sign on

    Posted Dec 27, 2012 12:14 PM

    @cjoseph wrote:

    @danstl wrote:

    We have gotten everything working if we use "user or machine" authentication.  We set up a role for machine auth that gives "SOME" access to the network, nothing critical, but the ability to get AV updates, Windows updates, and see the AD server, DHCP, DNS.

     

    We have SSO turned on, and when a user logs in, it will switch the role to the correct user role, and give them the correct access.

     

    What we have found in testing is that sometimes it takes longer for the computer to switch back to the correct role (this is not instant).  So we have seen a situation where a student logs off, and another student sits down (while the machine is logging off) and then immediately logs in; if the student has not logged into this machine before, this may fail.  It appears that when the Aruba controller is actively changing the role all access is removed momentarily, and when that happens at the right time we get the login errors...

     

    If you wait at least 15 seconds between logins this seems to be a non issue. I know it does not sound like a problem, but every once in a while a log off may take a couple of extra seconds (open apps, etc...).

     

    If we have the computers set to ONLY "user authentication" things do not work this nicely... As Windows will always attempt to complete a PEAP request even if you are USER only and SSO enabled.  And will simply send the host as the user to the NPS server.  So if you do not have machine authentication on your NPS, authentication fails and Windows enables the default block timer of 20 minutes, and will ignore any PEAP authentication requests from the controller....


    The advice is to give your computer role "allowall" access, because it usually represents a device that is at the ctrl-alt-delete screen.

     

    We don't want any background processes like authentication/authorization to fail, which would prevent a user not previously logged on to get on.  I am not sure what that SSO button does, anyway....

     


    I would agree with this except that a local user logging into the computer will (in my testing) end up getting the allow-all rule... as opposed to the more restrictive role.  We have also seen that if a user creates a new Wi-Fi connection to the system and specifies computer only, they then have full access to the network.  And we cannot keep users from being able to create Wi-Fi connections, otherwise they would not be able to connect to any non-specified networks.  We would like things to be as restrictive as possible unless we know who is actually on the machine.

     

    That being said - as I have stated, doing machine/user auth solves the issue with the Windows SSO mechanism.

     

    Computer access with allow all is like giving everyone a master key to your building, and then "collecting" the key once they enter the building and giving them an individual room key...



  • 16.  RE: 802.1x with NPS and windows 7 single sign on

    EMPLOYEE
    Posted Dec 27, 2012 12:18 PM

    Danstl,

     

    Thank you for the information.  That is an interesting alternate look at how others are handling security in their environment.

     

    I hope others can use your information and learn from it.

     



  • 17.  RE: 802.1x with NPS and windows 7 single sign on

    Posted Jan 04, 2013 01:26 PM

    We are working on this for a few of our laptop lab environments as well. We do have the requirement to allow users to log in against AD for the first time.  Machine auth is currently out as we've offloaded EAP from NPS to the controllers and my understanding is that this will not allow for machine based auth. 

     

    I've got it working most of the time, with the exception of the occasional login attempt failure due to no available DCs (normally right after boot), but a subsequent login attempt works just fine.  I'm just bothered that it claims not to connect to the SSID but does seconds later.  Is anyone else seeing this behavior?

     

    I have also tried enabling the local security/gp: "Always wait for the network at computer startup and logon" which seems to not make much sense.

     

    Admittedly, I've found there are some known issues with this approach on Win 7 - I am curious if there are other things we've missed and/or solutions others have found to the issues below:

    -Immediately after Ctrl-Alt-Del, you'll get prompted to select "Other user", which is a seemingly unnecessary step.

    -There will be implications for Computer Level GPOs being applied.  If the machine isn't connected to the network on boot, it may take some time and reboots to receive the GPO and subsequently apply computer level settings.

    -Occasional reported 'miss'/no DC error connecting to wireless on first attempt

     

    On the other hand:

    -As pointed out, the only people getting onto the network and assigned a role are authenticated users.

    -You don't have clients that have been powered on but not in use connected to your network and/or using spectrum.

     

    This is one of the better written articles I've found:

    http://technet.microsoft.com/en-us/magazine/2007.11.cableguy.aspx

     

     

    I am curious to hear about the experiences of others taking the 802.1x with NPS and windows 7 single sign on approach.

     

     

     



  • 18.  RE: 802.1x with NPS and windows 7 single sign on

    EMPLOYEE
    Posted Jan 04, 2013 01:50 PM

    @kjspgd wrote:

    We are working on this for a few of our laptop lab environments as well. We do have the requirement to allow users to log in against AD for the first time.  Machine auth is currently out as we've offloaded EAP from NPS to the controllers and my understanding is that this will not allow for machine based auth. 

     

    I've got it working most of the time, with the exception of the occasional login attempt failure due to no available DCs (normally right after boot), but a subsequent login attempt works just fine.  I'm just bothered that it claims not to connect to the SSID but does seconds later.  Is anyone else seeing this behavior?

     

    I have also tried enabling the local security/gp: "Always wait for the network at computer startup and logon" which seems to not make much sense.

     

    Admittedly, I've found there are some known issues with this approach on Win 7 - I am curious if there are other things we've missed and/or solutions others have found to the issues below:

    -Immediately after Ctrl-Alt-Del, you'll get prompted to select "Other user", which is a seemingly unnecessary step.

    -There will be implications for Computer Level GPOs being applied.  If the machine isn't connected to the network on boot, it may take some time and reboots to receive the GPO and subsequently apply computer level settings.

    -Occasional reported 'miss'/no DC error connecting to wireless on first attempt

     

    On the other hand:

    -As pointed out, the only people getting onto the network and assigned a role are authenticated users.

    -You don't have clients that have been powered on but not in use connected to your network and/or using spectrum.

     

    This is one of the better written articles I've found:

    http://technet.microsoft.com/en-us/magazine/2007.11.cableguy.aspx

     

     

    I am curious to hear about the experiences of others taking the 802.1x with NPS and windows 7 single sign on approach.

     

     

     


    kjspgd,

     

    Is there a specific reason why you have EAP offloaded from NPS?



  • 19.  RE: 802.1x with NPS and windows 7 single sign on

    Posted Jan 04, 2013 01:56 PM

    Not particularly, other than to leverage the Aruba hardware capability, rather than make our NPS servers work harder than necessary.

     

    At the initial onset of our Aruba deployment, machine auth was not a requirement, nor present in our previous wireless implementation. 

     

    I have looked into what it would take to remove the offloading... which isn't much aside from some certificate movement.  I'd like to see the SSO option teased out before moving to machine based auth... unless there are highly compelling things with machine auth that I am missing.

     

    Is EAP offloading a generally discouraged thing?

     



  • 20.  RE: 802.1x with NPS and windows 7 single sign on

    EMPLOYEE
    Posted Jan 04, 2013 02:02 PM

    @kjspgd wrote:

    Not particularly, other than to leverage the Aruba hardware capability, rather than make our NPS servers work harder than necessary.

     

    At the initial onset of our Aruba deployment, machine auth was not a requirement, nor present in our previous wireless implementation. 

     

    I have looked into what it would take to remove the offloading... which isn't much aside from some certificate movement.  I'd like to see the SSO option teased out before moving to machine based auth... unless there are highly compelling things with machine auth that I am missing.

     

    Is EAP offloading a generally discouraged thing?

     


    EAP offloading is not discouraged, but the limitations when pointing it at an NPS or IAS server are as you mentioned above.  All other RADIUS servers do not seem to have those limitations.  If you are using NPS or IAS, I would suggest that you just generate a server certificate and turn it off so that you can leverage those features.  Seamless authentication works just fine in quite a few environments that way.