Wireless Access

Contributor I

Windows 7/10 AD Joined issues

Ever since migrating to 8.x code from 6.x, we have received a handful of reports of issues with our AD-managed wireless laptops.

One of the issues we are seeing is that when a user with cached credentials logs into a wireless machine, they see the message "Unable to Connect to Network, logging on". Our AD machines are configured to machine auth using the AD Computer object. I confirmed that when the machine is at the Ctrl-Alt-Delete screen, it has a valid role and IP address. I started a ping to the machine's IP from my desktop and proceeded to log in with my AD credentials. After doing so, the machine drops a few pings, displays the "unable to connect" message, continues to log in with cached credentials, and then starts pinging again.

Also, once a user is logged into the machine, they get the message that they were logged on using previously stored credentials, and their mapped drives have red Xs. However, you can just click on them and they connect.

If a user without cached credentials tries to log in, they get the "no logon servers" message, even though the machine is machine-authed with a valid IP and role.

I have compared all of the settings for this VAP and AAA profile between the old and new controller environments, and they are identical. I also opened a TAC case, but they were unable to find any issues with the config. If I bring up an AP on our old controllers, the issue goes away when connected to that AP.

We use NPS for our AD-joined machines and are running 8.4.0.1 with 7240XMs for the MDs.

Anyone else seen this issue?

Phillip Kluttz
Network Engineer University of North Carolina at Greensboro
Guru Elite

Re: Windows 7/10 AD Joined issues

Are you doing machine authentication?  Are you changing roles or VLANs depending on user or machine authentication?


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.5 User Guide
InstantOS 8.5 User Guide
Airheads Knowledgebase
Airheads Video Knowledge Base
Remote Access Point Solution Guide
ArubaOS Consolidated Release Notes
ArubaOS 8 ViA VPN Solution Guide
Contributor I

Re: Windows 7/10 AD Joined issues

cjoseph,

Yes, we are doing machine auth, and no, the roles are the same between machine auth and user auth.

Phillip Kluttz
Network Engineer University of North Carolina at Greensboro
Guru Elite

Re: Windows 7/10 AD Joined issues

What about the VLANs? Can you ping a user's device before the user logs in at the Ctrl-Alt-Delete screen?

Try "show ap client trail-info <mac address of client>" to see if the VLAN is changing.


Contributor I

Re: Windows 7/10 AD Joined issues

Yes, I can ping the device before the user logs in, and the VLAN stays the same after they log in; it just drops a few pings after they click sign in. When it drops pings it appears to disassociate and reassociate. As soon as I see it stop pinging, the "Unable to connect to Network, logging on" message appears.

If there are cached credentials it will continue.  If not, it won't let the user log in. 

Phillip Kluttz
Network Engineer University of North Carolina at Greensboro
Guru Elite

Re: Windows 7/10 AD Joined issues

What are the ACLs on the machine-authenticated role? (show rights <role>)


Contributor I

Re: Windows 7/10 AD Joined issues

Valid = 'Yes'
CleanedUp = 'No'
Derived Role = 'FacStaff-NAP'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Number of users referencing it = 512
Assigned VLAN = gcn_pool
Periodic reauthentication: Disabled
DPI Classification: Enabled
Youtube education: Disabled
Web Content Classification: Enabled
IP-Classification Enforcement: Enabled
ACL Number = 111/0
Openflow: Enabled
Max Sessions = 65535

Check CP Profile for Accounting = TRUE

Application Exception List
--------------------------
Name Type
---- ----

Application BW-Contract List
----------------------------
Name Type BW Contract Id Direction
---- ---- ----------- -- ---------

access-list List
----------------
Position Name Type Location
-------- ---- ---- --------
1 global-sacl session
2 apprf-facstaff-nap-sacl session
3 allowdhcp-denydhcpserver session
4 deny-controller session
5 allowall session

global-sacl
-----------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
apprf-facstaff-nap-sacl
-----------------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
allowdhcp-denydhcpserver
------------------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
1 user any udp 68 deny Low 4
2 any any svc-dhcp permit Low 4
deny-controller
---------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
1 any public-controller-ip any deny Low 4
allowall
--------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
1 any any any permit Low 4
2 any any any-v6 permit Low 6

Expired Policies (due to time constraints) = 0

Phillip Kluttz
Network Engineer University of North Carolina at Greensboro
Guru Elite

Re: Windows 7/10 AD Joined issues

We would then move to look at the AAA and the 802.1x profiles to see if there is anything non-default.


Guru Elite

Re: Windows 7/10 AD Joined issues

Assigned VLAN = gcn_pool

Wait. I would remove the VLAN pool from the user role. You should assign the VLAN pool to the Virtual AP.


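The `show rights FacStaff-NAP` output posted above, together with cjoseph's point about the VLAN pool bound to the role, as a worked example added to this thread (it is not Aruba's code and not the poster's). The script parses the access-list part of the dump, reports what the role pins as its Assigned VLAN, and replays the firewall's first-match decision across the five session ACLs for a few constructed flows. Everything not in the posted output is an assumption and is labelled in the docstring: that the CLI drops empty columns when it prints a rule row, that `svc-dhcp` is the built-in udp/67-68 alias, that an unmatched flow is dropped, and that the `public-controller-ip` alias is matched by name rather than resolved to addresses.

```python
"""Replay how an ArubaOS role's session ACLs decide a flow, parsed from the ACL
part of a "show rights <role>" dump: ACLs in "access-list List" position order,
rules by priority, first match wins.  Added example for this thread, not Aruba
code.  RIGHTS_DUMP is the FacStaff-NAP output posted above minus its two empty
ACL tables; the flows are constructed.  Assumed: the CLI drops empty columns, so
a row is "Priority Source Destination Service... Action Queue IPv4/6"; svc-dhcp
means udp/67-68; an unmatched flow is dropped; aliases are matched by name."""
from collections import namedtuple
from dataclasses import dataclass

RIGHTS_DUMP = """\
Assigned VLAN = gcn_pool

access-list List
----------------
Position Name Type Location
-------- ---- ---- --------
1 global-sacl session
2 apprf-facstaff-nap-sacl session
3 allowdhcp-denydhcpserver session
4 deny-controller session
5 allowall session

allowdhcp-denydhcpserver
------------------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
1 user any udp 68 deny Low 4
2 any any svc-dhcp permit Low 4
deny-controller
---------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
1 any public-controller-ip any deny Low 4
allowall
--------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
1 any any any permit Low 4
2 any any any-v6 permit Low 6
"""

@dataclass(frozen=True)
class Rule:
    acl: str
    priority: int
    source: str       # "user" (the client itself) or "any"
    destination: str  # "any" or a netdestination alias such as public-controller-ip
    service: str      # "any", "any-v6", "svc-dhcp" or "<proto> <port>"
    action: str
    ipver: int

# dst is an alias name or an address label; no alias resolution is attempted
Flow = namedtuple("Flow", "src dst proto dport ipver", defaults=(4,))

def _sections(lines):
    # a title is a line followed by a dash line of exactly the same length
    titles = [i for i in range(len(lines) - 1)
              if lines[i] and set(lines[i + 1]) == {"-"} and len(lines[i + 1]) == len(lines[i])]
    out = {}
    for n, i in enumerate(titles):
        end = titles[n + 1] if n + 1 < len(titles) else len(lines)
        body = [ln for ln in lines[i + 2:end] if ln]
        # drop the column header and its "---- ----" underline, keep the rows
        out[lines[i]] = body[2:] if len(body) > 1 and set(body[1]) <= {"-", " "} else body
    return out

def parse_rule(acl, row):
    tok = row.split()
    act = next(i for i in range(3, len(tok)) if tok[i] in ("permit", "deny"))
    return Rule(acl, int(tok[0]), tok[1], tok[2], " ".join(tok[3:act]), tok[act], int(tok[-1]))

def parse_rights(text):
    """Return (Assigned VLAN, rules in the order the firewall evaluates them)."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    vlan = next((ln.split("=", 1)[1].strip() for ln in lines if ln.startswith("Assigned VLAN")), None)
    sec = _sections(lines)
    order = [row.split()[1] for row in sec["access-list List"]]   # position order
    return vlan, [parse_rule(acl, row) for acl in order
                  for row in sorted(sec.get(acl, []), key=lambda r: int(r.split()[0]))]

def service_matches(service, flow):
    if service in ("any", "any-v6"):       # address family is checked through ipver
        return True
    if service == "svc-dhcp":              # assumption: built-in alias for udp 67-68
        return flow.proto == "udp" and flow.dport in (67, 68)
    proto, port = service.split()          # e.g. "udp 68"
    return flow.proto == proto and flow.dport == int(port)

def decide(rules, flow):
    """First matching rule wins; returns (action, acl, priority)."""
    for r in rules:
        if (r.ipver == flow.ipver and r.source in ("any", flow.src)
                and r.destination in ("any", flow.dst) and service_matches(r.service, flow)):
            return r.action, r.acl, r.priority
    return "deny", "implicit", 0           # assumption: no match means drop

if __name__ == "__main__":
    vlan, rules = parse_rights(RIGHTS_DUMP)
    print("Assigned VLAN on role:", vlan)  # the reply above says a pool belongs on the VAP, not here
    for f in (Flow("user", "10.0.0.5", "udp", 68), Flow("user", "public-controller-ip", "tcp", 443),
              Flow("user", "www", "tcp", 443, 6)):
        print(f, "->", decide(rules, f))
```

Two things fall out of running it against the posted dump: the client sourcing udp/68 (a laptop acting as a DHCP server) is denied by `allowdhcp-denydhcpserver` before the blanket `allowall` ever gets a look, because ACL position, not rule priority, decides the order; and the role itself carries `Assigned VLAN = gcn_pool`, which is the binding the reply above recommends moving off the role and onto the Virtual AP.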
Contributor I

Re: Windows 7/10 AD Joined issues

AAA Profile "UNCG-GCN-FacStaff"
-------------------------------
Parameter Value
--------- -----
Initial role DropALL
MAC Authentication Profile N/A
MAC Authentication Default Role guest
MAC Authentication Server Group default
802.1X Authentication Profile UNCG-GCN-FacStaff
802.1X Authentication Default Role DropALL
802.1X Authentication Server Group nps
Download Role from CPPM Disabled
Set username from dhcp option 12 Disabled
L2 Authentication Fail Through Disabled
Multiple Server Accounting Disabled
User idle timeout N/A
Max IPv4 for wireless user 2
RADIUS Accounting Server Group nps
RADIUS Roaming Accounting Disabled
RADIUS Interim Accounting Disabled
RADIUS Acct-Session-Id In Access-Request Disabled
XML API server N/A
RFC 3576 server N/A
User derivation rules N/A
Wired to Wireless Roaming Disabled
Reauthenticate wired user on VLAN change Disabled
Device Type Classification Enabled
Enforce DHCP Disabled
PAN Firewall Integration Disabled
Open SSID radius accounting Disabled
Apply ageout mechanism on bridge mode wireless clients Disabled

802.1X Authentication Profile "UNCG-GCN-FacStaff"
-------------------------------------------------
Parameter Value
--------- -----
Max authentication failures 0
Enforce Machine Authentication Disabled
Machine Authentication: Default Machine Role guest
Machine Authentication Cache Timeout 24 hr(s)
Blacklist on Machine Authentication Failure Disabled
Machine Authentication: Default User Role FacStaff-NONAP
Interval between Identity Requests 5 sec
Quiet Period after Failed Authentication 30 sec
Reauthentication Interval 3600 sec
Use Server provided Reauthentication Interval Disabled
Use the termination-action attribute from the Server Disabled
Multicast Key Rotation Time Interval 1800 sec
Unicast Key Rotation Time Interval 900 sec
Authentication Server Retry Interval 5 sec
Authentication Server Retry Count 3
Framed MTU 1100 bytes
Max number of requests sent during an Auth attempt 5
Max Number of Reauthentication Attempts 3
Maximum number of times Held State can be bypassed 0
Dynamic WEP Key Message Retry Count 1
Dynamic WEP Key Size 128 bits
Interval between WPA/WPA2/WPA3 Key Messages 1500 msec
Delay between EAP-Success and WPA2/WPA3 Unicast Key Exchange 170 msec
Delay between WPA/WPA2/WPA3 Unicast Key and Group Key Exchange 0 msec
Time interval after which the PMKSA will be deleted 8 hr(s)
Delete Keycache upon user deletion Disabled
WPA/WPA2/WPA3 Key Message Retry Count 1
Multicast Key Rotation Disabled
Unicast Key Rotation Disabled
Reauthentication Enabled
Opportunistic Key Caching Enabled
Validate PMKID Disabled
Use Session Key Disabled
Use Static Key Disabled
xSec MTU 1300 bytes
Termination Disabled
Termination EAP-Type N/A
Termination Inner EAP-Type N/A
Enforce Suite-B 128 bit or more security level Authentication Disabled
Enforce Suite-B 192 bit security level Authentication Disabled
Token Caching Disabled
Token Caching Period 24 hr(s)
CA-Certificate N/A
Server-Certificate default
TLS Guest Access Disabled
TLS Guest Role guest
Ignore EAPOL-START after authentication Disabled
Handle EAPOL-Logoff Disabled
Ignore EAP ID during negotiation. Disabled
WPA-Fast-Handover Disabled
Check certificate common name against AAA server Enabled

Phillip Kluttz
Network Engineer University of North Carolina at Greensboro