Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Machine Authentication

  • 1.  Machine Authentication

    Posted Oct 08, 2014 10:27 AM

    Hi Everyone..

     

    I am trying to be able to have a domain based laptop authenticate a user that has never logged into the laptop before.  The Windows laptop is in the domain, I have checked the box to enforce machine authentication, but in the logs on the controller I am seeing the MAC address of the machine trying to log into the controller locally.

     

    If I test with an account that has logged into the laptop prior, I am able to associate to the SSID without issue using RADIUS.  I am not having a problem with that.

     

    I need to be able to get the machine (the laptop) to associate to the SSID prior to any user logon so as I can then get the user that has never logged in prior to authenticate properly!  I have played with the profiles, but either I am missing something or need to change the profile because I can't seem to find the way to "tell" the incoming machine association to use RADIUS.

     

    What have I missed?



  • 2.  RE: Machine Authentication

    EMPLOYEE
    Posted Oct 08, 2014 10:32 AM

    Do you have a policy on your RADIUS server allowing Domain Computers to authenticate?



  • 3.  RE: Machine Authentication

    Posted Oct 08, 2014 10:40 AM

    I have the default RADIUS piece, but have read what you are talking about.  So, in other words, if I am reading into what you are saying: If I don't have the policy setup on the NPS server it will default to local on the controller?  I guess where I am going with this, is shouldn't I see the machine failing against radius first on NPS and on the controller?

     

    The only error I am seeing is on the controller where it is basically saying <ERRS> |localdb|  User a0:88:xx:xx:xx:48 Failed Authentication..

     

    I will go to NPS now and add the policy..



  • 4.  RE: Machine Authentication

    EMPLOYEE
    Posted Oct 08, 2014 10:41 AM

    Sounds like you have the Internaldb set as your server-group.



  • 5.  RE: Machine Authentication

    Posted Oct 08, 2014 10:47 AM

    Well, maybe looking at the wrong spot on the GUI, but the profile (which includes the user authentication) has the policy to go to radius.  In the profiles to use a machine, where and which attribute needs changed?

     

    Basically, I have a profile built that is using radius for the user, I have checked the box to enforce machine authentication, is this not all of it?



  • 6.  RE: Machine Authentication

    EMPLOYEE
    Posted Oct 08, 2014 10:50 AM

    Can you post your AAA profile?

     

    Also, here's an explanation of how the local-userdb is involved in machine authentication.

     

    http://community.arubanetworks.com/t5/Controller-Based-WLANs/How-does-machine-authentication-work-on-the-Aruba-controller/ta-p/183440

     



  • 7.  RE: Machine Authentication

    Posted Oct 08, 2014 10:55 AM

    Here is the profile I have (again the user side is working great) - but that user has had to have logged in wired first...

     

    aaa profile "hir-adauth-profile"
       mac-default-role "authenticated"
       mac-server-group "hir-adauth-802.1x-server-group"
       authentication-dot1x "hir-adauth-802.1x-profile"
       dot1x-default-role "authenticated"
       dot1x-server-group "hir-adauth-802.1x-server-group"



  • 8.  RE: Machine Authentication

    EMPLOYEE
    Posted Oct 08, 2014 10:57 AM

    OK. Once you allow "Domain Computers" on your RADIUS server, this should start working correctly.



  • 9.  RE: Machine Authentication

    Posted Oct 08, 2014 11:14 AM

    Ok - so got an error at least on the radius server, now have to dig to understand why.  The PC I am using is in the domain, but the error I am seeing is:

     

    Authentication was not successful because an unknown user name or incorrect password was used.  



  • 10.  RE: Machine Authentication
    Best Answer

    Posted Oct 08, 2014 12:34 PM

    Do you have termination done at the controller or your radius server?



  • 11.  RE: Machine Authentication

    Posted Oct 08, 2014 12:44 PM

    If you are asking if the termination check box is checked, then yes and I can authenticate my user account, but the computer account is being denied by NPS.  I have found numerous google kungfoo on this and tried everything for hours. 

     

    Again, user = ok ; computer account making it to NPS server, but being denied.  I have added doma\domain computers to the policy...



  • 12.  RE: Machine Authentication
    Best Answer

    EMPLOYEE
    Posted Oct 08, 2014 12:50 PM

    You cannot use Machine Authentication with EAP termination. You need to terminate EAP sessions on your RADIUS server.



  • 13.  RE: Machine Authentication

    Posted Oct 08, 2014 12:55 PM

    Tim, So now a bit confused with the last statement.  With the termination box checked, does that forward the incoming authentication to the NPS box?  Also, if I can't do this, then how do I have USER auth and MACHINE auth in different profiles??

     

    I thought that the machine account would get forwarded from the controller, just as the user, to the NPS box.  However, the controller will "cache" the machine account for auth purposes and then cache it out..

     



  • 14.  RE: Machine Authentication

    EMPLOYEE
    Posted Oct 08, 2014 12:57 PM

    If you want to use machine authentication, you'll need to disable termination on the controller.

     

    Do you have an Aruba partner? There are some things you need to consider when switching to RADIUS server termination. 



  • 15.  RE: Machine Authentication

    Posted Oct 08, 2014 01:12 PM

    I got it - unchecked the termination box and then fixed NPS for auth method.  Thanks for your help!
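
The fix reached in this thread, written as ArubaOS CLI instead of GUI checkboxes. This is an added example, not configuration posted by anyone in the thread: the profile name is taken from post 7, the two role names are hypothetical placeholders, and the "before" state is inferred from the posts that describe both boxes as checked.

```text
! Before (as described in posts 1 and 11): machine authentication is
! enforced while EAP is terminated on the controller. Post 12 states
! that these two settings cannot be used together.
aaa authentication dot1x "hir-adauth-802.1x-profile"
   termination enable
   machine-authentication enable
!
! After (post 15): termination is turned off, so the controller relays
! EAP to the RADIUS server (NPS), which terminates the session and
! evaluates the computer account against its "Domain Computers" policy.
aaa authentication dot1x "hir-adauth-802.1x-profile"
   no termination enable
   machine-authentication enable
   ! Role names below are hypothetical placeholders.
   ! machine-default-role: assigned when only the machine has authenticated.
   machine-authentication machine-default-role "machine-only"
   ! user-default-role: assigned when only the user has authenticated.
   machine-authentication user-default-role "user-only"
```

The NPS change mentioned in post 15 ("fixed NPS for auth method") is not described in the thread and is not shown here.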

     

     



  • 16.  RE: Machine Authentication

    Posted Nov 11, 2015 07:39 AM

    Hi Cappalli,

    If we use EAP-TLS with Radius authentication returning VLAN, may we disable the "machine-authentication"?

    The Aruba partner did this configuration since the initial installation but I think we don't need this.

    Thank you.

    zemarcio



  • 17.  RE: Machine Authentication

    MVP EXPERT
    Posted Nov 11, 2015 08:23 AM

    You can configure 802.1x for both user and machine authentication. This heightens the authentication process further, since both the device and user need to be authenticated. Do you require machine authentication in your environment? Essentially a particular role can be assigned based on whether the machine passes authentication. However, if there is a server-derived role, the server-derived role takes precedence.



  • 18.  RE: Machine Authentication

    EMPLOYEE
    Posted Nov 11, 2015 10:33 AM
    Yes, you can use EAP-TLS.


    Thanks,
    Tim