Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Aruba Instant "Enforce Machine Auth" Problems

  • 1.  Aruba Instant "Enforce Machine Auth" Problems

    Posted Jul 23, 2012 09:06 PM
    We just completed phase 1 on an Aruba Instant install for a school district at three different schools. We are enforcing machine authentication, but having issues with machines taking a long time to log in to Windows. We currently have two roles under the "enforce machine authentication" - a "mach_rest" and "user_rest" role. The idea being if a client machine auths, OR user auths only, they would get the appropriate role. A client that machine AND user auths gets the full unrestricted role for that SSID. The problem we are having is the clients are getting stuck in the "mach_rest". Sometimes they authenticate fully, but it takes a long time. The only solution is to open the firewall rules on the "mach_rest" role and then clients authenticate quickly with no issues. At this point we have "allow all" to the domain controllers on the "mach_rest" role, but that is not a good solution. I would like to lock it down at least to specific ports, but from the research we've done, opening the ports used for Windows authentication still doesn't work very well. I've never really experienced this on the controllers; this seems to be something with Instant. So, help I guess! :-)


  • 2.  RE: Aruba Instant "Enforce Machine Auth" Problems

    EMPLOYEE
    Posted Jul 23, 2012 10:10 PM

    Opening the Mach_rest role completely is a good practice.  The best analogy for it is a wired laptop plugged in at the ctrl-alt-delete screen.  There are plenty of things that happen in the background that you do not want to block, but the user is not allowed to interact with the network, so it is secure from that perspective.



  • 3.  RE: Aruba Instant "Enforce Machine Auth" Problems

    Posted Jul 25, 2012 08:58 PM

    I considered this, but my concern was: is it possible that malicious code could be running in the background - say if a user's machine got infected, or somehow compromised?

    It seems to me that there are still opportunities for this to be exploited. If there's a local account, or if the user interrupts the boot up and boots to the command prompt with network access.



  • 4.  RE: Aruba Instant "Enforce Machine Auth" Problems

    EMPLOYEE
    Posted Jul 25, 2012 09:03 PM

    Yes.  Same rules as if the device was physically plugged in, but with mobility, and encryption.
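
Added example, not part of the thread and not Aruba's code: a small audit that reads Instant-style `rule <dest> <mask> match <proto> <start> <end> permit` lines for a role like "mach_rest" and lists which domain-logon services toward the domain controller are still blocked. The DC address, the sample rules and the function names are constructed; the port list is Microsoft's documented Active Directory service ports, including the dynamic RPC range that a short port list often leaves out.

```python
import re

DC = "192.0.2.10"  # placeholder domain controller address (documentation range)
# AD/domain-logon ports toward a DC (Microsoft's documented list, not from the thread).
# rpc-dynamic is the default dynamic RPC range on Windows Server 2008 and later;
# both ends are probed to approximate "whole range permitted".
REQUIRED = {
    "dns": [("udp", 53), ("tcp", 53)],
    "kerberos": [("udp", 88), ("tcp", 88)],
    "ntp": [("udp", 123)],
    "rpc-endpoint-mapper": [("tcp", 135)],
    "ldap": [("tcp", 389), ("udp", 389)],
    "smb": [("tcp", 445)],
    "kerberos-kpasswd": [("tcp", 464)],
    "global-catalog": [("tcp", 3268)],
    "rpc-dynamic": [("tcp", 49152), ("tcp", 65535)],
}
RULE = re.compile(r"rule\s+(\S+)\s+(\S+)\s+match\s+(\S+)\s+(\S+)\s+(\S+)\s+(permit|deny)")

def parse_rules(text):
    # Assumption: destinations are single hosts or "any"; the mask is not evaluated.
    rules = []
    for line in text.splitlines():
        m = RULE.match(line.strip())
        if m:
            dest, _, proto, lo, hi, action = m.groups()
            lo = 0 if lo == "any" else int(lo)
            hi = 65535 if hi == "any" else int(hi)
            rules.append((dest, proto, lo, hi, action))
    return rules

def allowed(rules, dc, proto, port):
    # Top-down ACL: the first matching rule decides; no match means deny.
    for dest, rproto, lo, hi, action in rules:
        if dest in (dc, "any") and rproto in (proto, "any") and lo <= port <= hi:
            return action == "permit"
    return False

def missing_services(text, dc):
    rules = parse_rules(text)
    return [name for name, needs in REQUIRED.items()
            if not all(allowed(rules, dc, p, n) for p, n in needs)]

# Constructed rule sets: well-known ports only, and the thread's "allow all" to the DC.
PORTS_ONLY = "wlan access-rule mach_rest\n" + "\n".join(
    f" rule {DC} 255.255.255.255 match {proto} {port} {port} permit"
    for proto, port in [("udp", 53), ("tcp", 53), ("udp", 88), ("tcp", 88), ("udp", 123), ("tcp", 135),
                        ("tcp", 389), ("udp", 389), ("tcp", 445), ("tcp", 464), ("tcp", 3268)])
ALLOW_ALL_DC = f"wlan access-rule mach_rest\n rule {DC} 255.255.255.255 match any any any permit"
```

`missing_services(PORTS_ONLY, DC)` reports only the dynamic RPC range as uncovered, while the rule set that allows everything to the DC reports nothing missing.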