Wireless Access

Frequent Contributor II

802.1x machine cache

Hi guys


I have been doing 802.1x with both machine and user authentication for a while.

Usually we push an internal certificate to domain computers along with the SSID setup; this works quite well.

One problem I see on a regular basis is that idle computers, or computers that have been hibernated, lose their machine authentication.

This is resolved by logging the user off and back on again, or by a reboot.


Is there a way to keep the machine in the cache? I know there is a user idle timeout on each AAA profile, but I'm not sure if this can achieve what I'm looking for. When a user is idle past this timer, it will be removed anyway.


Can this problem be solved by using ClearPass as an authentication proxy towards a domain controller and adding a MAC cache to prevent the machines from being removed from the cache?



Guru Elite

Re: 802.1x machine cache

Are you using "Enforce Machine Authentication"?  If you are, there is a machine authentication cache timeout parameter that controls this:  http://www.arubanetworks.com/techdocs/ArubaOS_64_Web_Help/Web_Help_Index.htm#ArubaFrameStyles/802.1x/Configuring_802_1x_Authe.htm  By default it is 24 hours.


You can also permanently enter a device into the local database with no expiry and it will never timeout.  Look at the internal database to see the format of machine authenticated devices.


Again, this only applies if you already have Enforce Machine Authentication configured...

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.3 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
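As an added illustration (not taken from the posts above), this is what the timer the reply refers to looks like in an ArubaOS 802.1X authentication profile, shown in running-config form. The profile and role names are placeholders, the 48-hour value matches what the original poster plans to test, and lines starting with `#` are annotations, not part of the config; check the command syntax against the linked guide for your release.

```text
# 802.1X authentication profile; "dot1x-corp" is a placeholder name
aaa authentication dot1x "dot1x-corp"
   # Enforce Machine Authentication: the user auth is only fully trusted
   # when the device itself has passed machine authentication first
   machine-authentication enable
   # How long a successful machine auth is remembered, in hours.
   # The default is 24, which a laptop hibernating overnight can outlive;
   # 48 gives it a second night before the entry expires.
   machine-authentication cache-timeout 48
   # Role for a device that passed machine auth but has no user logged on
   machine-authentication machine-default-role "computer"
   # Role for a user logging on from a device whose cache entry has
   # expired (the case described in the question); keep it restricted
   machine-authentication user-default-role "restricted"
!
```

After changing the timer, re-check the profile with `show aaa authentication dot1x dot1x-corp`; a device that already fell out of the cache still needs one fresh machine authentication (log off/on or reboot) before the new timer applies to it.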
Guru Elite

Re: 802.1x machine cache

Yes, you would use ClearPass to set an attribute as a fallback for machine authentication. You can also increase the machine authentication cache time inside of ClearPass.


Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor II

Re: 802.1x machine cache



Yeah, I'm using Enforce Machine Authentication and I believe I have tried the timer, but to be sure I will log on to a computer in my lab, which is on 802.1x, and adjust the timer to 48 hours.

In theory it should still be in full 802.1x tomorrow when I return to work; keep in mind that this computer will have been idle overnight.


Adding a computer to the internal database is not an option, as there are too many to handle.

The customer does have ClearPass, but at the moment auth is not handled by CP; I will look into this with a colleague of mine.


