RE: Enforcing and Ensuring Machine Auth 802.1x
ACS has been rock solid (we use it in a fairly simple way) with excellent logs. Tried IAS briefly a few years back; it worked, but we didn't feel the love with the logging details.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [wireless-...@listserv.educause.edu] On Behalf Of Johnson, Neil M [neil-john...@uiowa.edu]
Sent: Thursday, May 21, 2009 6:09 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Enforcing and Ensuring Machine Auth 802.1x

What are you using for your RADIUS server?

-Neil
--
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
Work: 319 384-0938
Mobile: 319 540-2081
Fax: 319 355-2618
E-mail/MSN: neil-john...@uiowa.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Jason Appah
Sent: Friday, May 15, 2009 1:01 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Enforcing and Ensuring Machine Auth 802.1x

At our little campus we have about 100 computers that are pure wireless workstations provided in the library for student use. From time to time they will refuse to machine auth to the network. Typically they are reported after the fact, as the student will bounce from workstation to workstation until they find a "Hot" one.

Troubleshooting: We have tried JAMAP (Just Add More Access Points) (for a stretch there we had 36 to 50 people, including wireless workstations, on a single access point); modifying the power settings so the machines never sleep; updating drivers for the mix of Broadcom, Intel and Linksys wireless cards. All to no avail. We are an all-Aruba shop and are quite pleased with their entire line; the system never bogs, higgs or gives us any hint of trouble, just the 802.1x problem. The problem is difficult because there are so many workstations and they don't do it on any predictable scale. So... any tips for 802.1x machine auth? Thanks!
Jason Appah
Systems Administrator
Oregon Institute of Technology
http://www.oit.edu

** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
RE: Enforcing and Ensuring Machine Auth 802.1x
At Emory, we use Machine Auth in our Healthcare organization to authenticate wireless carts in the hospitals. The carts only do machine auth for connectivity; users don't log in to the network - they must use a Citrix session for any work. It's my understanding that Machine Auth is strictly a Windows thing; it's not supported on Mac or Linux. It works by using the computer name and SID to authenticate instead of a username/PW. If the computer loses its security association with the AD domain, authentication will fail. Once you lose the security association, I believe you need to rebuild it by connecting through a wired network. I don't know what causes the machine to lose its security association. Maybe someone better versed in AD and Windows can chime in with an answer.

You should be able to troubleshoot this (or at least locate the wayward machines) by looking at the RADIUS/AD auth failures either on your RADIUS server or on the controller side. With Aruba, clients that fail the dot1x auth are usually put in the logon role, so looking at users in that role should give you an indication of who's not functioning properly. RADIUS auth fails are also logged in syslog messages, so mining the logs can also help you find non-working machines. With Aruba, to prove it is an auth issue, use "show auth-tracebuf mac <mac-of-failing-machine>" or "show auth-tracebuf failures". The auth-tracebuf rolls over very quickly, so you have to catch it while the authentication is happening. I don't know any Meru commands for troubleshooting.
- Stan Brooks - CWNA/CWSP
Emory University
University Technology Services
404.727.0226
stan.bro...@emory.edu
AIM: WLANstan
Yahoo!: WLANstan
MSN: wlans...@hotmail.com

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [wireless-...@listserv.educause.edu] On Behalf Of Johnson, Neil M [neil-john...@uiowa.edu]
Sent: Friday, May 15, 2009 3:44 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Enforcing and Ensuring Machine Auth 802.1x

We have similar issues in our library, and haven't found a solution yet. We are a Meru shop. Users attempting to log on to laptops that are members of the domain get "Unable to find a logon server" errors when the wireless net in the library is being heavily utilized. We are using a Vista SSO GPO configured to first authenticate users to the wireless network and then authenticate them to the domain. One hack we've found is to reboot the machine and then not attempt to log in (don't hit Ctrl-Alt-Del) until the screen saver starts. We don't think it's a wireless issue because Macs and Linux systems don't have problems getting authenticated to the wireless network.

-Neil
--
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
Work: 319 384-0938
Mobile: 319 540-2081
Fax: 319 355-2618
E-mail/MSN: neil-john...@uiowa.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Jason Appah
Sent: Friday, May 15, 2009 1:01 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Enforcing and Ensuring Machine Auth 802.1x
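One way to do the log mining Stan describes, as an added example that is not from any poster or from Aruba/ACS: it picks the computer-account (host/...) identities out of RADIUS auth results and lists machines whose latest attempt failed, i.e. the ones that never recovered on their own. The log format, hostnames and MACs are constructed, so the regex is an assumption to adapt to your RADIUS server's actual syslog output.

```python
import re
from collections import defaultdict

# Constructed sample lines approximating RADIUS auth results in syslog.
# The real format depends on the RADIUS server (ACS, IAS, FreeRADIUS, ...),
# so LINE_RE is an assumption to adapt; hostnames and MACs are made up.
SAMPLE_LOG = """\
May 15 12:58:03 radius1 radiusd[2201]: Login OK: [host/lib-ws-003.campus.example] (from client aruba-ctl port 0 cli 00-1B-77-00-00-03)
May 15 12:58:09 radius1 radiusd[2201]: Login incorrect: [host/lib-ws-017.campus.example] (from client aruba-ctl port 0 cli 00-1B-77-00-00-17)
May 15 12:59:41 radius1 radiusd[2201]: Login incorrect: [host/lib-ws-017.campus.example] (from client aruba-ctl port 0 cli 00-1B-77-00-00-17)
May 15 13:00:12 radius1 radiusd[2201]: Login OK: [jdoe] (from client aruba-ctl port 0 cli 00-1B-77-00-00-42)
May 15 13:01:55 radius1 radiusd[2201]: Login incorrect: [host/lib-ws-042.campus.example] (from client aruba-ctl port 0 cli 00-1B-77-00-00-42)
May 15 13:03:20 radius1 radiusd[2201]: Login OK: [host/lib-ws-042.campus.example] (from client aruba-ctl port 0 cli 00-1B-77-00-00-42)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ \S+: Login (?P<result>OK|incorrect): "
    r"\[(?P<identity>[^\]]+)\] .*cli (?P<mac>[0-9A-Fa-f-]{17})"
)


def parse_auth_events(text):
    """Return (timestamp, identity, mac, ok) tuples for each recognised line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m["ts"], m["identity"], m["mac"].upper(), m["result"] == "OK"))
    return events


def machine_auth_report(events):
    """Summarise computer-account (host/...) identities only; user logins are skipped."""
    report = defaultdict(lambda: {"mac": None, "failures": 0, "last_ok": False})
    for ts, identity, mac, ok in events:
        if not identity.startswith("host/"):
            continue  # machine auth presents the computer account, not a user
        entry = report[identity]
        entry["mac"], entry["last_ok"] = mac, ok  # events are in log order
        if not ok:
            entry["failures"] += 1
    return dict(report)


def wayward_machines(report):
    """Machines whose most recent attempt failed: candidates for a wired rejoin."""
    return sorted(name for name, e in report.items() if e["failures"] and not e["last_ok"])


if __name__ == "__main__":
    rep = machine_auth_report(parse_auth_events(SAMPLE_LOG))
    for name in wayward_machines(rep):
        print(f"{name} ({rep[name]['mac']}): {rep[name]['failures']} failure(s)")
```

The MAC reported for each wayward machine is the one to feed to "show auth-tracebuf mac" on the controller while the machine is retrying.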