Security

Hello,

 

Please could I have assistance with an authentication issue we are experiencing.

 

Since replacing our staff laptops we are frequenctly having 802.1X problems. I'm not sure where the problem lies at the moment but the laptops in question use the Intel Centrino Advanced-N 6235 wireless chipset, and 15.6.1 driver.

 

The main issue appears to when laptops resume from sleep/hibernating don't always machine authenticate. So they are connected to our wireless, but are put our deny_all role. I can see they have user authenticated, but the lack of machine authentication seems to be the problem.

 

Our wireless settings are set by Group Policy, and the laptops are all Windows 7 x64.

 

 

I'm following this up with Samsung and our wireless installer but  was hoping by making this post it might highlight some areas to invesitgate we hadn't thought of. I'm not very familar with the advanced 802.1x settings for example in the GPO.

 

 

Thanks in advance

When systems resume from sleep; they do not attempt machine authentication; only user authentication.  This is by design on Windows.    In your dot1X profile, what is the machine cache timeout set at?   This can be found on the Advanced tab of the 802.1X Authentication Profile; "Machine Authentication Cache Timeout".    This dictates how long the MAC address is cached in the internal dtabase upon successful machine authentication.  If set too low, you'll likely see improper role assignment due to the machine not authenticating.   

 

Because these are new laptops, I would also make sure that they are doing both user and machine authentication as well (whether by GPO or manual settings). 

 

 

As a test, on these same systems, if you restart them, do they get placed in the proper roles?    If they do, then your cache timeout is likely the issue.  If they do not, the system is likely not set to use both machine and user authentication.

Hi Clembo, thanks for the quick reply.

 

The cache timeout is currently 48hrs, so I'll look at increasing that value further. It's certainly a problem that happens more after the weekend.

 

The GPO is configured for both user and machine authentication (screenshot attached). We've never had any problems after restarting one of these laptops.

The your issue is likely the cache timeout set t 48 hours; especially if they are put to sleep/hibernate over a weekend.   Increase this to a value that is more suitable to your user's reboot/logoff habits.

Hi,

 

Increasing the cache timeout has definately helped the issue, but not completely.

 

Does this cache get refreshed or will this timeout require machine authentication again after this duration has passed? Reason I ask is I have a laptop I use prodominately in one location and don't regularly reboot or log off. I still experience the problem of being put in the 'deny_all' group occationally and seemly only a reboot of the laptop will get me back on the wireless.

 

Any tips?

 

Thanks

It will only get refreshed after another machine authentication (resets the expiration timer).  You can statically add the MAC to the internal database as an alternative; making it appear to have passed machine authentication.  Useful for non-domain machines or a situation like you have where the system doesn't reboot often.   You could also just schedule a Windows task to restart the system periodically.

I'm not sure users would appreicate a scheduled restart :)

 

Thanks for clarifying, looks like I either need a -very- long cache timeout, or to add the MAC addresses.

 

EDIT

Under which section so I add the MAC addresses?

Just add it to the Internal DB of the controller:   Configuration --> Authentication --> Servers --> Internal 

 

You'll see all the other MACs in there; just make a new entry for the static one.

Reading around it looks like any kind of bulk importing of MAC addresses is out of the question?

 

I went to add one MAC address, looking at the existing entries it look I put the MAC address in the username field, but what would the password be, or is it not used?

Password would be the MAC as well.

Hi,

If you only run OnGuard in client mode (when the user is logged on) once they logout and the cache expires, their posture assessment will be "Unknown". 

Unless the OnGuard agent runs as a service when the user's not logged on, and as a client when the user is logged on (because it gathers data about the logged in user), you are at the mercy of DHCP.

Most defaults for DHCP on Active Directory, for example, have leases of like 8 days. So if your PC's cache expires, the "Unknown" posture device will change to a different VLAN (if that's how you deal with unknown devices). The problem is it still has the DHCP lease from the previous posture assessment and will stay there until the lease expires.

Running OnGuard as a service should allow the service to perform Agent Port Bounce which is like unplugging and re-plugging the device, so a new lease is obtained from the current (new) VLAN.

Does this look like your issue? (or is it just my issue! :D )

Regards,

-Ambi

P.S. Keep in mind, leaving a device with a 48 hour cache may not be a good idea. That means a device that somehow gets malware activated over the weekend could run wild on your network. We use 2 hours, but even that is more than most customers use.

------------------------------
Ambidexter
------------------------------

Original Message:
Sent: Jun 17, 2013 08:19 AM
From: James Witherow
Subject: Machine Authentication after resuming from Sleep/Hibernation

Hi,

 

Increasing the cache timeout has definately helped the issue, but not completely.

 

Does this cache get refreshed or will this timeout require machine authentication again after this duration has passed? Reason I ask is I have a laptop I use prodominately in one location and don't regularly reboot or log off. I still experience the problem of being put in the 'deny_all' group occationally and seemly only a reboot of the laptop will get me back on the wireless.

 

Any tips?

 

Thanks

You may consider doing EAP-TEAP. As per the explanation, even after you login , the machine can still do machine authentication.
Original Message:
Sent: May 20, 2013 06:18 AM
From: James Witherow
Subject: Machine Authentication after resuming from Sleep/Hibernation

Hello,

 

Please could I have assistance with an authentication issue we are experiencing.

 

Since replacing our staff laptops we are frequenctly having 802.1X problems. I'm not sure where the problem lies at the moment but the laptops in question use the Intel Centrino Advanced-N 6235 wireless chipset, and 15.6.1 driver.

 

The main issue appears to when laptops resume from sleep/hibernating don't always machine authenticate. So they are connected to our wireless, but are put our deny_all role. I can see they have user authenticated, but the lack of machine authentication seems to be the problem.

 

Our wireless settings are set by Group Policy, and the laptops are all Windows 7 x64.

 

 

I'm following this up with Samsung and our wireless installer but  was hoping by making this post it might highlight some areas to invesitgate we hadn't thought of. I'm not very familar with the advanced 802.1x settings for example in the GPO.

 

 

Thanks in advance