Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

802.1X Machine Authentication Problem

  • 1.  802.1X Machine Authentication Problem

    Posted Oct 01, 2012 09:09 AM

    I have a customer for whom I set up an SSID that uses 802.1X authentication, and I'm enforcing machine authentication. I've deployed several customer networks this way with no issues. With this particular customer, when the wireless device is turned on but a user hasn't logged in yet, the machine authenticates itself and I have the machines drop into a role called "DomainComputer". When a valid domain user logs into that computer, role derivation takes place and the user is assigned the appropriate role. If that same user brings in their own wireless device, that device fails machine authentication as expected, but the user logs in and gets placed in the "Guest" role. This all seems to work fine.

     

    After about a week or so, when the same users log into the domain-authenticated machines using their same user credentials, these devices are being placed in the "Guest" role, which blocks access to resources they would normally have access to. If they delete the user's local profile on the wireless device so that it gets recreated upon the next login, they are once again placed in the correct user role, but this only lasts about a week or so and then they go back to being placed in the "Guest" role. So deleting the local user profile on the wireless device corrects the issue, but not permanently. I've double-checked my Aruba configuration and all looks good to me. I'm leaning towards something that is being changed on the client side but do not know where to look.

     

    Has anyone ever encountered this before? Suggestions?

     

    Thanks,

     

    John 



  • 2.  RE: 802.1X Machine Authentication Problem

    EMPLOYEE
    Posted Oct 01, 2012 09:31 AM


    In the 802.1x  authentication profile under advanced, the Machine Authentication Cache Timeout timer controls this.  When a machine authenticates at the ctrl-alt-delete screen, a user is created in the local user database to record that activity.  This user stays in the local database for 24 hours by default.  The problem is, users who do not log out of their computers, never record machine authentication activity, and this user is deleted, so it is assumed that this computer did not machine authenticate.  You can extend the Machine Authentication Cache Timeout timer to account for users who do not log out every day.

     



  • 3.  RE: 802.1X Machine Authentication Problem

    Posted Oct 01, 2012 10:17 AM

    I did notice that the Internal DB had a lot more entries in it than what we created for guest CP and RAPs. I'm wondering why, if the user gets deleted after the 24-hour timer expires, the machine doesn't go through the dot1x authentication process again and have AD verify it is a valid machine? Actually, it seems strange that the Aruba even caches this session in its Internal DB. Why doesn't the machine just reauthenticate using dot1x?

     

    So if I extend the cache timer is there another way to get these machines back into the correct role other than having the users delete their local profiles?

     

    Thanks a bunch!

     

    John



  • 4.  RE: 802.1X Machine Authentication Problem

    EMPLOYEE
    Posted Oct 01, 2012 10:29 AM


    Machine authentication ONLY occurs at the ctrl-alt-delete screen.  This is controlled by the machine, and not the Aruba controller.  You can configure group policy that it will ONLY authenticate the machine via machine credentials on wireless, but that might not meet your needs.

     

    You can extend the cache timer to solve your issue, or you can have the user log out and then log back in whenever they have the issue.
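The two employee replies above describe a cache-driven role derivation: machine authentication happens only at the ctrl-alt-delete screen, the controller records it in its local database for the Machine Authentication Cache Timeout (24 hours by default), and a later user authentication on a device whose entry has expired lands in the user-default role ("Guest"). The following is an added simulation of that behaviour, not ArubaOS code and not from anyone in the thread: the derivation rules are modelled from the replies, and the MAC addresses, the "Employee" role name, the "no-machine-auth" placeholder and the event timeline are constructed assumptions. It shows the default 24-hour cache failing for a user who never logs out, a 168-hour cache lasting a week before the same failure, and a logout/login (a fresh machine authentication) repairing the role in both cases.

```python
from dataclasses import dataclass, field

DEFAULT_CACHE_TIMEOUT_H = 24.0  # controller default named in the thread

# Constructed sample data (assumptions, not values from the thread).
DOMAIN_PC = "00:11:22:33:44:55"   # domain-joined laptop
BYOD_PC = "aa:bb:cc:dd:ee:ff"     # personal device, never machine-authenticates

# (time in hours, event kind, client MAC, role the user auth would derive)
# The user logs in once at t=0.1 and never logs out; the later user-auth
# events model the controller re-authenticating the still-logged-in user
# (e.g. after a roam), which is when role derivation is re-evaluated.
EVENTS = [
    (0.0, "machine-auth", DOMAIN_PC, None),       # boot, ctrl-alt-delete screen
    (0.1, "user-auth", DOMAIN_PC, "Employee"),    # domain user logs in
    (1.0, "user-auth", BYOD_PC, "Employee"),      # same user on a personal device
    (48.0, "user-auth", DOMAIN_PC, "Employee"),   # day 2, still logged in
    (120.0, "user-auth", DOMAIN_PC, "Employee"),  # day 5
    (192.0, "user-auth", DOMAIN_PC, "Employee"),  # day 8
    (200.0, "machine-auth", DOMAIN_PC, None),     # user logs out and back in
    (200.1, "user-auth", DOMAIN_PC, "Employee"),
]


@dataclass
class MachineAuthCache:
    """Local-database record of successful machine authentications."""
    timeout_h: float = DEFAULT_CACHE_TIMEOUT_H
    entries: dict = field(default_factory=dict)  # mac -> hour of last machine auth

    def record(self, mac: str, now_h: float) -> None:
        self.entries[mac] = now_h

    def is_valid(self, mac: str, now_h: float) -> bool:
        """True while the entry is younger than the timeout; purge it otherwise."""
        seen = self.entries.get(mac)
        if seen is None:
            return False
        if now_h - seen >= self.timeout_h:
            del self.entries[mac]  # expired: controller forgets the machine auth
            return False
        return True


def derive_role(cache: MachineAuthCache, mac: str, now_h: float, user_role=None) -> str:
    """Role derivation as described in the thread (modelled, not ArubaOS logic).

    machine auth only           -> machine default role "DomainComputer"
    cached machine auth + user  -> the user's derived role
    no/expired machine + user   -> user default role "Guest"
    """
    machine_ok = cache.is_valid(mac, now_h)
    if user_role is None:
        # Role for a failed machine-only auth is not stated in the thread;
        # "no-machine-auth" is a placeholder for whatever the controller does.
        return "DomainComputer" if machine_ok else "no-machine-auth"
    return user_role if machine_ok else "Guest"


def simulate(timeout_h: float, events=EVENTS) -> list:
    """Replay the event timeline and return the role assigned at each event."""
    cache = MachineAuthCache(timeout_h)
    roles = []
    for now_h, kind, mac, user_role in events:
        if kind == "machine-auth":
            cache.record(mac, now_h)
        roles.append(derive_role(cache, mac, now_h, user_role))
    return roles


def first_guest_hour(timeout_h: float, events=EVENTS):
    """Hour at which the domain-joined PC first drops to Guest, or None."""
    for (now_h, _, mac, _), role in zip(events, simulate(timeout_h, events)):
        if mac == DOMAIN_PC and role == "Guest":
            return now_h
    return None


if __name__ == "__main__":
    for timeout in (DEFAULT_CACHE_TIMEOUT_H, 168.0):
        print(f"cache timeout {timeout:>5.0f} h:")
        for (now_h, kind, mac, _), role in zip(EVENTS, simulate(timeout)):
            print(f"  t={now_h:6.1f}h {kind:13s} {mac}  -> {role}")
        print(f"  first Guest on domain PC: {first_guest_hour(timeout)} h")
```

With the default timeout the domain PC is already in "Guest" at the day-2 re-authentication; with 168 hours it survives until day 8, matching the "about a week" symptom when the cache is the only thing refreshing the machine's status. The personal device lands in "Guest" regardless, since it never machine-authenticates, and the logout/login at hour 200 repairs the role because the ctrl-alt-delete screen triggers a fresh machine authentication.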

     

     



  • 5.  RE: 802.1X Machine Authentication Problem

    Posted Dec 02, 2014 02:51 AM

    I have the same problem,

    The authenticated user gets the machine auth role, or the machine auth role and no more.

     

     



  • 6.  RE: 802.1X Machine Authentication Problem

    EMPLOYEE
    Posted Dec 02, 2014 06:36 AM

    rchahbourne,

     

    Please open a TAC case so that they can go over the details of your setup.  There is probably something that you are doing specifically that is preventing this from working.