Original Message:
Sent: Apr 03, 2024 06:23 PM
From: cochranes
Subject: Wireless EAP-TEAP: Port Bounce Client After User Sign-on
This is wireless.
By "hanging onto the client auth in the mobility controller", I mean that the user authentication is received by the controller but the wireless session is already associated to the machine auth. So after logging a user into the client that has already authenticated to the network using a cert, the user auth does not replace it, so the role remains for the machine only. As I mentioned, the port bounce solves this, but creates the other stability concern upon user reauth attempts.
I actually just noticed the TEAP tech note from another posting here today so it is on the short list of things to review. Does it mention this scenario?
Original Message:
Sent: Apr 03, 2024 05:32 PM
From: chulcher
Subject: Wireless EAP-TEAP: Port Bounce Client After User Sign-on
You've been following the TEAP tech note? And what do you mean by "hanging onto the client auth"?
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Apr 03, 2024 01:33 PM
From: cochranes
Subject: Wireless EAP-TEAP: Port Bounce Client After User Sign-on
Hello,
I am working on wireless EAP-TEAP with EAP-TLS for clients and (for now) MSCHAPv2 for users. The desired end result includes wireless clients being able to connect before users sign on, to ensure AD is available for new user logons. This is working well. My problem arrives when a user signs in to Windows while the machine is authenticated to the network: I noticed the session is hanging onto the client auth in the mobility controller. To fix this, I included a port bounce within the user logon enforcement profile, which is successful. My concern now is that every time there is a reauth, the user will be bounced again, creating instability. Is there a better way to port bounce in this scenario? Or is there a solution I am not thinking of, with cached auth in ClearPass maybe, or auth timeouts?
Below are the Enforcement scenarios for user & client and just client, respectively:
FW-Groups_Class = Accounting data sent to firewall to build user group based policy.
(Tips:Role EQUALS GU-Wifi) | Wifi Profile, FW-Groups_Class_USER, FW-Groups_Return-Username, [Update Endpoint Known], [ArubaOS Wireless - Bounce Switch Port] |
(Authentication:TEAP-Method-1-Status EQUALS_IGNORE_CASE Success) AND (Authorization:Microsoft Intune:Intune Managed Device Owner Type CONTAINS company) | Wifi Profile, FW-Groups_Class_Device, FW-Groups_Return-Hostname, [Update Endpoint Known] |
Thanks in advance for any assistance.
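Added example (not from the thread, not ClearPass code): a small Python model of the enforcement decision described in the original post, with one change to the logic. The two branches and the profile names are taken from the poster's enforcement scenarios; the model also remembers the role the controller already holds for each client MAC, so the [ArubaOS Wireless - Bounce Switch Port] action is added only when the newly derived role differs from the role already on the session (machine to user at logon, or back again at logoff) and not on a reauth that lands in the same role. Assumed for illustration: the device role name GU-Wifi-Device, that the inner MSCHAPv2 identity being present is what puts the session in the GU-Wifi role, and the constructed event list at the bottom.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# GU-Wifi is the role from the poster's Tips:Role condition; GU-Wifi-Device is an assumed name.
USER_ROLE = "GU-Wifi"
DEVICE_ROLE = "GU-Wifi-Device"

BOUNCE = "[ArubaOS Wireless - Bounce Switch Port]"
USER_PROFILES = ["Wifi Profile", "FW-Groups_Class_USER",
                 "FW-Groups_Return-Username", "[Update Endpoint Known]"]
DEVICE_PROFILES = ["Wifi Profile", "FW-Groups_Class_Device",
                   "FW-Groups_Return-Hostname", "[Update Endpoint Known]"]


@dataclass
class AuthEvent:
    mac: str                  # client MAC, used as the session key
    teap_method1: str         # Authentication:TEAP-Method-1-Status (EAP-TLS machine cert)
    user: Optional[str]       # inner MSCHAPv2 identity; None when only the machine authenticated
    intune_owner: str = ""    # Authorization:Microsoft Intune:Intune Managed Device Owner Type


@dataclass
class Session:
    role: str
    identity: str


def decide(sessions: Dict[str, Session], ev: AuthEvent) -> List[str]:
    """Evaluate one authentication and return the enforcement profiles to apply.

    Returns ["REJECT"] when neither branch matches. Updates `sessions` so a
    later reauth from the same client sees the role the controller already has.
    """
    # Both branches in the thread depend on the EAP-TLS (machine cert) phase succeeding.
    if ev.teap_method1.lower() != "success":
        return ["REJECT"]

    if ev.user is not None:
        # User branch: (Tips:Role EQUALS GU-Wifi). Assumption: an inner user identity
        # is what places the session in that role.
        role, actions, identity = USER_ROLE, list(USER_PROFILES), ev.user
    elif "company" in ev.intune_owner.lower():
        # Device branch: TEAP-Method-1 Success AND Intune owner type CONTAINS company.
        role, actions, identity = DEVICE_ROLE, list(DEVICE_PROFILES), ev.mac
    else:
        return ["REJECT"]

    # The controller keeps whatever role the existing session already carries, so a
    # bounce is only useful when that role differs from the one just derived.
    # A reauth that lands in the same role gets no bounce, which is the instability
    # the original post worries about.
    prev = sessions.get(ev.mac)
    if prev is not None and prev.role != role:
        actions.append(BOUNCE)

    sessions[ev.mac] = Session(role, identity)
    return actions


def run(events: List[AuthEvent]) -> List[List[str]]:
    """Feed a sequence of auth events through decide() with shared session state."""
    sessions: Dict[str, Session] = {}
    return [decide(sessions, ev) for ev in events]


# Constructed sample sequence for one managed laptop and one unmanaged device.
CONSTRUCTED_EVENTS = [
    AuthEvent("aa:bb:cc:00:00:01", "Success", None, "Company"),     # boot: machine only
    AuthEvent("aa:bb:cc:00:00:01", "Success", "jdoe", "Company"),   # user logon
    AuthEvent("aa:bb:cc:00:00:01", "Success", "jdoe", "Company"),   # periodic user reauth
    AuthEvent("aa:bb:cc:00:00:01", "Success", None, "Company"),     # logoff: back to machine
    AuthEvent("aa:bb:cc:00:00:02", "Success", None, "Personal"),    # not company-owned
]

if __name__ == "__main__":
    for ev, result in zip(CONSTRUCTED_EVENTS, run(CONSTRUCTED_EVENTS)):
        print(ev.mac, ev.user or "<machine>", "->", result)
```

Running it bounces the first client exactly twice (at logon and at logoff) and leaves the user reauth alone. In ClearPass itself the same effect needs the "previous role" to come from somewhere the policy can read, such as an endpoint attribute written by the device-auth enforcement, which is the part this model assumes rather than shows.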