Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Wireless EAP-TEAP: Port Bounce Client After User Sign-on

  • 1.  Wireless EAP-TEAP: Port Bounce Client After User Sign-on

    Posted 26 days ago

    Hello,

    I am working on wireless EAP-TEAP with EAP-TLS for clients and (for now) MSCHAPv2 for users. The desired end result includes wireless clients being able to connect before users sign on, to ensure AD is available for new user logons. This is working well. My problem arrives when a user signs in to Windows while the machine is authenticated to the network; I noticed the session is hanging onto the client auth in the mobility controller. To fix this, I included a port bounce within the user logon enforcement profile, which is successful. My concern now is that every time there is a reauth, the user will be bounced again, creating instability. Is there a better way to port bounce in this scenario? Or is there a solution I am not thinking of with cached auth in ClearPass maybe or auth timeouts....

    Below are the Enforcement scenarios for user & client and just client respectively:

    FW-Groups_Class = Accounting data sent to firewall to build user group based policy.

    User and machine:

    (Tips:Role  EQUALS  GU-Wifi) Wifi Profile, FW-Groups_Class_USER, FW-Groups_Return-Username, [Update Endpoint Known], [ArubaOS Wireless - Bounce Switch Port]

    Machine only:

    (Authentication:TEAP-Method-1-Status  EQUALS_IGNORE_CASE  Success)
    AND  (Authorization:Microsoft Intune:Intune Managed Device Owner Type  CONTAINS  company)
    Wifi Profile, FW-Groups_Class_Device, FW-Groups_Return-Hostname, [Update Endpoint Known]

    Thanks in advance for any assistance.

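An added illustration (not part of the thread, and not ClearPass's policy engine): a small Python model of the two enforcement rules quoted above, run through a machine auth followed by a user sign-on and two user reauths, counting how often the bounce profile fires. The `Session` bookkeeping and the `bounce_only_on_change` guard are assumptions made here to show the concern, not ClearPass features; the `Machine-Only` role name and the `[Deny Access Profile]` fallthrough are constructed.

```python
from dataclasses import dataclass

BOUNCE = "[ArubaOS Wireless - Bounce Switch Port]"


@dataclass
class Request:
    # Attribute names follow the rules quoted in the post.
    tips_role: str            # Tips:Role, set by role mapping (GU-Wifi once the user is known)
    teap_method1_status: str  # Authentication:TEAP-Method-1-Status (EAP-TLS machine cert)
    intune_owner_type: str    # Authorization:Microsoft Intune:Intune Managed Device Owner Type


def evaluate(req: Request) -> list[str]:
    """Return the enforcement profiles the quoted rules select for one request."""
    if req.tips_role == "GU-Wifi":                       # user and machine rule
        return ["Wifi Profile", "FW-Groups_Class_USER", "FW-Groups_Return-Username",
                "[Update Endpoint Known]", BOUNCE]
    if (req.teap_method1_status.lower() == "success"     # EQUALS_IGNORE_CASE
            and "company" in req.intune_owner_type):     # CONTAINS
        return ["Wifi Profile", "FW-Groups_Class_Device", "FW-Groups_Return-Hostname",
                "[Update Endpoint Known]"]
    return ["[Deny Access Profile]"]                     # constructed fallthrough


class Session:
    """Per-client bookkeeping across reauths (constructed for this model, not a controller feature)."""

    def __init__(self, bounce_only_on_change: bool = False) -> None:
        self.profiles: list[str] = []
        self.bounces = 0
        # Hypothetical guard: only bounce when the selected profiles actually change.
        self.bounce_only_on_change = bounce_only_on_change

    def authenticate(self, req: Request) -> bool:
        """Apply one authentication; return True if the port bounce fired on it."""
        new = evaluate(req)
        fired = BOUNCE in new and (not self.bounce_only_on_change or new != self.profiles)
        self.profiles = new
        self.bounces += int(fired)
        return fired


def run_scenario(bounce_only_on_change: bool = False) -> int:
    """Machine auth at boot, user sign-on, then two user reauths; return the bounce count."""
    sess = Session(bounce_only_on_change)
    machine = Request("Machine-Only", "Success", "company")   # constructed sample requests
    user = Request("GU-Wifi", "Success", "company")
    for req in (machine, user, user, user):
        sess.authenticate(req)
    return sess.bounces
```

With the rules exactly as quoted, every user reauth bounces the client again (three bounces in this scenario); with the hypothetical change-only guard, only the machine-to-user transition does.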


  • 2.  RE: Wireless EAP-TEAP: Port Bounce Client After User Sign-on

    EMPLOYEE
    Posted 25 days ago

    Is this a wired or wireless client?



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 3.  RE: Wireless EAP-TEAP: Port Bounce Client After User Sign-on

    EMPLOYEE
    Posted 25 days ago

    You've been following the TEAP tech note? And what do you mean by "hanging onto the client auth"?



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 4.  RE: Wireless EAP-TEAP: Port Bounce Client After User Sign-on

    Posted 25 days ago

    This is wireless.

    By "hanging onto the client auth in the mobility controller", I mean that the user authentication is received by the controller but the wireless session is already associated to the machine auth. So after logging a user into the client that has already authenticated to the network using a cert, the user auth does not replace it, so the role remains for the machine only. As I mentioned, the port bounce solves this, but creates the other stability concern upon user reauth attempts.

    I actually just noticed the TEAP tech note from another posting here today so it is on the short list of things to review. Does it mention this scenario?




  • 5.  RE: Wireless EAP-TEAP: Port Bounce Client After User Sign-on

    EMPLOYEE
    Posted 25 days ago



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------