Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Radius: Block Machine name Auth Requests to Radius - Not Domain Usernames

  • 1.  Radius: Block Machine name Auth Requests to Radius - Not Domain Usernames

    Posted Aug 20, 2013 01:04 PM

    Hello,

     

    What is the easiest way to block machine name auth requests to a Radius server but not blocking a domain userid on the same machine authenticating? I have noticed through captures that a lot of machines are trying to authenticate:

     

    /snip

    Aug 20 12:52:10  authmgr[1532]: <132207> <ERRS> |authmgr|  RADIUS reject for station host/MACHINE712849.intl.domainname.com 08:11:96:d7:3d:6c from server RADIUS1.
    Aug 20 12:52:22  authmgr[1532]: <132207> <ERRS> |authmgr|  RADIUS reject for station host/MACHINE715323.intl.domainname.com 60:67:20:96:f0:62 from server RADIUS1.
    Aug 20 12:53:04  authmgr[1532]: <132207> <ERRS> |authmgr|  RADIUS reject for station host/MACHINE710161.intl.domainname.com 58:94:6b:35:59:2c from server RADIUS1.

    /snip

     

    I was to understand that through GP that "use machine name" had been disabled, but clearly it has not. I am trying to root this out of a wider radius timeout issue I am seeing to two servers that domain users of the above machines would use to connect.

     

    I was looking at server rules within the 802.1x auth server group but was concerned that blocking/dropping an auth request would be associated with the MAC address and would therefore also block a domain user on the machine.

     

    In short - is it possible to have the controller drop a radius request when the machine is trying to authenticate (which will never work) as opposed to a domain username, even on the same machine?

     

    Thanks.
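    Triage of the reject lines quoted above, as an added example that is not from the original post or from Aruba: it parses the authmgr reject format, tags each entry as machine (host/...) or user, and flags MACs that appear under both kinds, which is exactly the case where dropping by MAC would also hit the domain user. The fourth sample line and the user name jdoe@intl.domainname.com are constructed.

```python
import re
from collections import Counter

# Pattern for the ArubaOS authmgr RADIUS-reject line quoted in the post:
# captures the station identity, its MAC and the rejecting RADIUS server.
REJECT_RE = re.compile(
    r"RADIUS reject for station (?P<identity>\S+) "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) from server (?P<server>\S+?)\.?$",
    re.IGNORECASE,
)

def classify_identity(identity):
    """AD machine authentication presents 'host/<fqdn>'; anything else is a user."""
    return "machine" if identity.lower().startswith("host/") else "user"

def parse_reject(line):
    """Return a dict for one reject line, or None if the line is something else."""
    m = REJECT_RE.search(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["mac"] = rec["mac"].lower()
    rec["kind"] = classify_identity(rec["identity"])
    return rec

def summarize(lines):
    """Count rejects per (kind, server); list MACs rejected under both identity kinds."""
    counts = Counter()
    kinds_by_mac = {}
    for line in lines:
        rec = parse_reject(line)
        if rec is None:
            continue
        counts[(rec["kind"], rec["server"])] += 1
        kinds_by_mac.setdefault(rec["mac"], set()).add(rec["kind"])
    # A MAC seen with both kinds also carries a domain user, so a MAC-based drop would hit that user.
    both = sorted(mac for mac, kinds in kinds_by_mac.items() if len(kinds) == 2)
    return counts, both

# Constructed sample: the three lines from the post plus one user reject (not in the
# post) from the same MAC as the first machine reject.
SAMPLE_LOG = [
    "Aug 20 12:52:10  authmgr[1532]: <132207> <ERRS> |authmgr|  RADIUS reject for station host/MACHINE712849.intl.domainname.com 08:11:96:d7:3d:6c from server RADIUS1.",
    "Aug 20 12:52:22  authmgr[1532]: <132207> <ERRS> |authmgr|  RADIUS reject for station host/MACHINE715323.intl.domainname.com 60:67:20:96:f0:62 from server RADIUS1.",
    "Aug 20 12:53:04  authmgr[1532]: <132207> <ERRS> |authmgr|  RADIUS reject for station host/MACHINE710161.intl.domainname.com 58:94:6b:35:59:2c from server RADIUS1.",
    "Aug 20 12:53:30  authmgr[1532]: <132207> <ERRS> |authmgr|  RADIUS reject for station jdoe@intl.domainname.com 08:11:96:d7:3d:6c from server RADIUS1.",
]
```

    Running summarize(SAMPLE_LOG) over a real authmgr export shows how much of the reject volume is machine auth before deciding whether it is worth chasing.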



  • 2.  RE: Radius: Block Machine name Auth Requests to Radius - Not Domain Usernames

    Posted Aug 20, 2013 01:16 PM

    Is there a reason why you don't want to allow this?   You say in your post that it "will never work".  Most of my customer deployments have this enabled to allow the user to login and retrieve their GPOs and logon scripts at logon.   My point is, it will work if Radius is setup for it.  If you want to try it, let us know what your Radius solution is.

     

    In short, you should be able to combat this through GPO with setting User Authentication as the authentication mode (rather than "user or computer" or "computer authentication").  If that is not working, there is no clean way of just dropping the host/MACHINExxxx requests at the controller.




  • 3.  RE: Radius: Block Machine name Auth Requests to Radius - Not Domain Usernames

    Posted Aug 21, 2013 08:13 AM

    Hi, thanks for the reply.

     

    In GP it is enabled and not user editable. I found this out today. Radius is set up for domain user credentials same as domain logon. The reason why I wanted to stop it was to see if it was having any bearing on another issue I am seeing with Radius server resets related to this thread:

     

    http://community.arubanetworks.com/t5/ArubaOS-and-Mobility-Controllers/Source-of-RADIUS-timeouts/td-p/48530

     

    Now that I am seeing the same issues across the APAC region, stopping these computer names from being used is perhaps a non-issue. Unfortunately the Radius deployment is managed by a third party and I do not have any access.



  • 4.  RE: Radius: Block Machine name Auth Requests to Radius - Not Domain Usernames

    EMPLOYEE
    Posted Aug 21, 2013 08:36 AM

    Unfortunately, unless you have access to the radius server, you have little visibility about what is really going on.  The main configuration for WLAN is done on the client and the radius server, and the controller sits in between, passing messages back and forth.  It is important to involve the third party who manages your radius servers in your troubleshooting to fully understand what is going on.

     

    I see you have another post about radius failures, as well.  You will need to involve the third party who manages your radius servers to even hope to get that resolved.




  • 5.  RE: Radius: Block Machine name Auth Requests to Radius - Not Domain Usernames

    Posted Aug 21, 2013 08:38 AM

    Well I am hoping the TAC can confirm the other issue is MTU related. Thanks.



  • 6.  RE: Radius: Block Machine name Auth Requests to Radius - Not Domain Usernames

    EMPLOYEE
    Posted Aug 21, 2013 08:40 AM

    It is going to be tough to impossible without the help of the radius server team.  Please get them involved, because they are a big part of the issue.