Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Enforce machine authentication not working properly

  • 1.  Enforce machine authentication not working properly

    Posted Sep 03, 2012 11:02 AM

    Okay here is the scenario

    Let's say we want a specific machine to not log in again to the wireless network...

     

    1-I got my machine in the radius_machine_auth group on AD and I delete it from that group

    2-I go to the wireless controller, to the user database, and I delete that MAC address entry

     

    I test

    1-I disconnect from the wireless network; I can still connect if I reconnect

    2-I turn off the wireless card, turn it on, and I still can reconnect

    3-I reboot the machine and I still can reconnect..

    4-I delete the entry from valid users

     

    The only way I can find to totally kick this machine is by rebooting the wireless controller

    Is this the way it should work?

     

    Besides the enforce machine, I'm using EAP-TLS and derived roles

     



  • 2.  RE: Enforce machine authentication not working properly

    EMPLOYEE
    Posted Sep 03, 2012 02:01 PM

    You should use "aaa user delete" to remove that user from the user table, after you remove his MAC address from the local database.

     



  • 3.  RE: Enforce machine authentication not working properly

    Posted Sep 03, 2012 02:33 PM

    Hello Colin

    Thanks for answering my thread!

     

    I tried this:

    (WC_Lab) #aaa user delete mac ac:81:12:a3:c0:e7
    0 users deleted
    Then:

    (WC_Lab) #aaa user delete ap-name Server_Room_2 all
    0 users deleted from AP Server_Room_2

     

    I tried this after disconnecting my computer from the wireless network.. I'm connecting to another wireless network we have here which has access to the controller....

     

    After deleting my PC from the AD group which has the permission to get on the wireless network

    After deleting the MAC address in the user database

    After issuing the command you said

    After rebooting my pc

     

    I still can connect.... :(

    Right now I'm writing this message through the wireless network I supposedly should not have access to, because my computer is not in the AD group which is allowed to get in...

     

     



  • 4.  RE: Enforce machine authentication not working properly

    EMPLOYEE
    Posted Sep 03, 2012 02:40 PM

    Hold on.

     

    Machine authentication is what a Windows machine does at the ctrl-alt-delete prompt.  It is useful, because it gives it an IP address so that it can get on the network and be managed BEFORE a user is logged in.  When the user logs in, the context changes from machine to user, and the machine's credentials are NEVER used again, unless the computer ends up at the ctrl-alt-delete screen.

     

    Only a single authentication happens at a time, either machine OR user.  The only time machine authentication takes place is at the ctrl-alt-delete screen, so if the machine is not in the group that is allowed, it simply won't get an IP address at that screen.  If a user logs in after, the user will still be able to get an IP address, because the context has been shifted to user authentication.

     



  • 5.  RE: Enforce machine authentication not working properly

    Posted Sep 03, 2012 02:47 PM

    Yeah, I read about that in previous threads in which you explain that.   I tried searching in the forum before posting...

    I'm logging off

    Logging on

    Rebooting the PC

    And I still can get in....

    I should not get an IP, from what I understand, if I log off or reboot my computer... Correct me if I'm wrong please



  • 6.  RE: Enforce machine authentication not working properly

    EMPLOYEE
    Posted Sep 03, 2012 04:13 PM

    - a machine can only do machine authentication at the ctrl-alt-delete screen

    - if a USER logs in, the device is treated as a user authentication and NOT a machine authentication, and is allowed to log on.



  • 7.  RE: Enforce machine authentication not working properly

    Posted Sep 03, 2012 07:13 PM

    Sorry for being so slow Colin but I don't get it...

    Your explanation would fit if I didn't restart or log off the computer, but I'm restarting the computer, so my computer is machine authenticating... as every time I restart the PC I'm on the ctrl-alt-del screen... so if I reboot my computer I should machine authenticate... and it should not let me in, but it's letting me in...

    The only workaround that I found is rebooting the controller... when I reboot the controller it won't let my PC get in, as it does a machine authentication and it sees that my machine is not in the AD group.

     

     



  • 8.  RE: Enforce machine authentication not working properly

    Posted Sep 03, 2012 07:46 PM

    Well Colin, I don't want to bother you too much with this; I'll open a support case for this...

    I'll first try moving all the configuration to an Aruba controller and test.... I have it on an Alcatel wireless controller we have for lab also... we have like 4 WCs for labbing hehe....

     

    I have the same issue with the Handoff Assist and the local probe threshold... no matter what value I put, it just doesn't work... for the handoff assist it won't disconnect me, and for the local probe it will let me connect; I can put any value in the RSSI heh and I still connect...

    And now that I think of it, it may be a bug of the Alcatel controller firmware....nothing related to Aruba controller firmware...

     

    If that doesn't work I'll open a support case with Aruba

     

    Anyway, thanks for your valuable time!



  • 9.  RE: Enforce machine authentication not working properly

    EMPLOYEE
    Posted Sep 03, 2012 09:03 PM

    Let me explain:

     

    Machine authentication occurs when a device on a Windows domain is at the ctrl-alt-delete screen.   The device sends its hostname as a username and its security identifier as a password.  A device does NOT require machine authentication to get onto the wireless network.  If a user can log into the machine, they can authenticate as a user and bypass this entirely.  A device can fail machine authentication and still be able to get on the network using user authentication.  The RADIUS server has no recollection of whether a device has failed machine authentication previously.

     

    If you want to stop machines from getting on the network, that is what Aruba's Enforce Machine Authentication is for.

     

    Enforce Machine Authentication is an Aruba feature that will place a user into a particular role depending on whether:

     

    - Only user authentication has occurred

    - Only machine authentication has occurred

    - Both user and machine authentication have occurred.

     

    An explanation of how Enforce Machine Authentication works in the Aruba controller is here:

    How does machine authentication work on the Aruba controller? https://kb.arubanetworks.com/app/answers/detail/a_id/801
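The three outcomes listed above can be modelled as a small policy. The following Python is an added illustration written for this thread, not Aruba's code and not the exact behaviour documented in the KB article: the role names, the hostname-based group check standing in for the real hostname/SID exchange, and the in-memory record of which MACs have passed machine authentication are all assumptions of the example. The `scenario()` function walks through the situation described in the thread (machine removed from the AD group, user still logging in) and shows why a restricted "user-only" role, rather than a denial, is the expected result once the remembered machine authentication is gone.

```python
"""Model of Enforce-Machine-Authentication role derivation (added example, not Aruba code)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class EnforceMachineAuth:
    """Picks a role from which authentications have succeeded for a client.

    Role names are assumed for the example; a real deployment configures its own.
    """
    machine_only_role: str = "machine-only"   # machine passed, no user logged in yet
    user_only_role: str = "user-only"         # user logged in, machine never passed
    full_role: str = "authenticated"          # both succeeded
    # Assumed: the enforcement point remembers MACs that passed machine auth.
    # This record lives in memory and is lost when the object is recreated,
    # which is the analogue of the controller reboot observed in the thread.
    machine_authed: set = field(default_factory=set)

    def machine_auth(self, hostname: str, mac: str, allowed_hosts: set) -> bool:
        """Machine authentication at the ctrl-alt-delete screen.

        Real machine auth sends hostname + SID to RADIUS; here the constructed
        ``allowed_hosts`` set stands in for the AD group membership check.
        """
        if hostname in allowed_hosts:
            self.machine_authed.add(mac.lower())
            return True
        return False

    def derive_role(self, mac: str, user_ok: bool) -> Optional[str]:
        """Return the role for a client, or None if nothing succeeded."""
        machine_ok = mac.lower() in self.machine_authed
        if machine_ok and user_ok:
            return self.full_role
        if machine_ok:
            return self.machine_only_role
        if user_ok:
            return self.user_only_role
        return None  # neither authentication succeeded: client not admitted

    def forget(self, mac: str) -> None:
        """Drop the remembered machine auth for one client (cf. 'aaa user delete mac')."""
        self.machine_authed.discard(mac.lower())


def scenario() -> list:
    """Replay the thread: constructed hostname, MAC taken from the thread's own command."""
    mac = "ac:81:12:a3:c0:e7"
    host = "LAB-PC"                      # constructed hostname
    ad_group = {host}                    # constructed AD group 'radius_machine_auth'
    policy = EnforceMachineAuth()
    roles = []

    # 1. Machine boots, passes machine auth, then the user logs in: full role.
    policy.machine_auth(host, mac, ad_group)
    roles.append(policy.derive_role(mac, user_ok=True))

    # 2. Machine removed from the AD group, but the enforcement point still
    #    remembers the earlier success, so a user login keeps the full role.
    ad_group.discard(host)
    roles.append(policy.derive_role(mac, user_ok=True))

    # 3. Remembered machine auth gone (forget, or a rebuilt policy after a
    #    reboot): machine auth now fails and the user lands in the restricted role.
    policy.forget(mac)
    policy.machine_auth(host, mac, ad_group)
    roles.append(policy.derive_role(mac, user_ok=True))
    return roles


if __name__ == "__main__":
    print(scenario())
```

Two points the model makes concrete: user authentication on its own never yields a denial under this scheme, only a different role, so "the user can still connect" is expected and the restriction has to be expressed in what the user-only role is permitted to do; and the outcome depends on what the enforcement point remembers about earlier machine authentications, which is why clearing that state (or rebooting the controller) changed the observed behaviour in the thread.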

     



  • 10.  RE: Enforce machine authentication not working properly

    Posted Sep 04, 2012 02:39 PM

    Hello Colin

    Thank you very much for your explanation; I'm heading to the link you gave to read  :)