At Emory, we use Machine Auth in our Healthcare organization to authenticate
wireless carts in the hospitals. The carts only do machine auth for
connectivity; users don't log in to the network - they must use a Citrix
session for any work.
It's my understanding that Machine Auth is strictly a Windows thing; it's not
supported in Mac or Linux. It works by using the computer name and SID to
authenticate instead of a username/PW. If the computer loses its security
association with the AD domain, authentication will fail. Once you lose the
security association, I believe you need to rebuild it by connecting through a
wired network. I don't know what causes the machine to lose its security
association. Maybe someone better versed on AD and Windows can chime in with an
answer.
You should be able to troubleshoot this (or at least locate the wayward
machines) by either looking at the RADIUS/AD auth failures on your RADIUS
server or on the controller side. With Aruba, clients that fail the dot1x auth
are usually put in the logon role, so looking at users in that role should give
you an indication of who's not functioning properly. RADIUS auth fails are
also logged in syslog messages, so mining the logs can also help you find
non-working machines.
With Aruba, to prove it is an auth issue, use the "show auth-tracebuf mac
<mac-of-failing-machine>" or "show auth-tracebuf failures". The auth-tracebuf
rolls over very quickly, so you have to catch it while the authentication is
happening.
I don't know any Meru commands for troubleshooting.
>>-> Stan Brooks - CWNA/CWSP
Emory University
University Technology Services
404.727.0226
[email protected]
AIM: WLANstan Yahoo!: WLANstan MSN: [email protected]
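The log-mining approach Stan describes above, as an added example that is not part of the original thread. It parses constructed syslog lines (the message text, MAC addresses and host names are made up for illustration; real Aruba or RADIUS output will differ, so the two regexes are assumptions to adapt) and ranks workstations by repeated 802.1x machine-auth failures, keeping the failure reason so a stuck domain trust (repeated RADIUS rejects) can be told apart from RF trouble (EAP timeouts).

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines for this example. They are NOT real Aruba
# or RADIUS output; adapt the two regexes below to your controller's format.
SAMPLE_SYSLOG = """\
May 15 15:40:01 wlan-ctrl authmgr: 802.1x auth failed user=host/LIB-WS-017.example.edu mac=00:1a:2b:3c:4d:17 reason=RADIUS reject
May 15 15:40:03 wlan-ctrl authmgr: 802.1x auth succeeded user=host/LIB-WS-018.example.edu mac=00:1a:2b:3c:4d:18 role=authenticated
May 15 15:41:10 wlan-ctrl authmgr: 802.1x auth failed user=host/LIB-WS-017.example.edu mac=00:1a:2b:3c:4d:17 reason=RADIUS reject
May 15 15:41:30 wlan-ctrl authmgr: 802.1x auth failed user=host/LIB-WS-042.example.edu mac=00:1a:2b:3c:4d:42 reason=EAP timeout
May 15 15:42:00 wlan-ctrl authmgr: user assigned role=logon mac=00:1a:2b:3c:4d:17
May 15 15:42:05 wlan-ctrl authmgr: 802.1x auth failed user=host/LIB-WS-017.example.edu mac=00:1a:2b:3c:4d:17 reason=RADIUS reject
"""

# Machine auth identifies itself as host/<computer name>, so "user" names the
# workstation that failed, not the student sitting at it (assumed format).
FAIL_RE = re.compile(
    r"802\.1x auth failed user=host/(?P<host>\S+) "
    r"mac=(?P<mac>[0-9a-f:]{17}) reason=(?P<reason>.+)$")
LOGON_ROLE_RE = re.compile(r"role=logon mac=(?P<mac>[0-9a-f:]{17})")


def analyze_auth_log(text):
    """Return per-MAC failure statistics parsed from syslog text."""
    stats = defaultdict(lambda: {"host": None, "failures": 0,
                                 "reasons": Counter(), "in_logon_role": False})
    for line in text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            entry = stats[m["mac"]]
            entry["host"] = m["host"]
            entry["failures"] += 1
            entry["reasons"][m["reason"].strip()] += 1
            continue
        m = LOGON_ROLE_RE.search(line)
        if m:  # client parked in the logon role after failing dot1x
            stats[m["mac"]]["in_logon_role"] = True
    return dict(stats)


def wayward_machines(text, min_failures=2):
    """List (host, mac, failures) for repeat offenders, worst first. Repeated
    RADIUS rejects on one host suggest a broken domain trust; scattered EAP
    timeouts across many hosts suggest RF or load problems instead."""
    stats = analyze_auth_log(text)
    hits = [(e["host"], mac, e["failures"]) for mac, e in stats.items()
            if e["failures"] >= min_failures]
    return sorted(hits, key=lambda h: -h[2])


if __name__ == "__main__":
    for host, mac, n in wayward_machines(SAMPLE_SYSLOG):
        print(f"{host} ({mac}): {n} failures")
```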
________________________________________
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[[email protected]] On Behalf Of Johnson, Neil M
[[email protected]]
Sent: Friday, May 15, 2009 3:44 PM
To: [email protected]
Subject: Re: [WIRELESS-LAN] Enforcing and Ensuring Machine Auth 802.1x
We have similar issues in our library, and haven’t found a solution yet. We
are a Meru shop.
Users attempting to log on to laptops that are members of the domain get
“Unable to find a logon server” errors when the wireless net in the library is
being heavily utilized.
We are using a Vista SSO GPO configured to first authenticate users to the
wireless network and then authenticate them to the domain.
One hack we’ve found is to reboot the machine and then don’t attempt to login
(don’t hit ctrl-alt-del) until the screen saver starts.
We don’t think it’s a wireless issue because Macs and Linux systems don’t
have problems getting authenticated to the wireless network.
-Neil
--
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
Work: 319 384-0938
Mobile: 319 540-2081
Fax: 319 355-2618
E-mail/MSN: [email protected]
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[email protected]] On Behalf Of Jason Appah
Sent: Friday, May 15, 2009 1:01 PM
To: [email protected]
Subject: [WIRELESS-LAN] Enforcing and Ensuring Machine Auth 802.1x
At our little campus we have about 100 computers that are pure wireless
workstations provided in the library for student use. From time to time they
will refuse to machine auth to the network. Typically they are reported after
the fact as the student will bounce from workstation to workstation until they
find a “Hot” one.
Troubleshooting:
We have tried JAMAP (Just add more access points). (for a stretch there we had
36 to 50 people, including wireless workstations on a single access point).
Modifying the power settings so the machines never sleep.
Updating drivers for the mix of Broadcom, Intel and Linksys wireless cards.
All to no avail. We are an all Aruba shop and are quite pleased with their
entire line; the system never bogs, higgs or gives us any hint of trouble, just
the 802.1x problem.
The problem is difficult because there are so many workstations and they
don’t do it on any predictable scale. So….. any tips for 802.1x machine auth?
Thanks!
Jason Appah
Systems Administrator
Oregon Institute of Technology
http://www.oit.edu
********** Participation and subscription information for this EDUCAUSE
Constituent Group discussion list can be found at
http://www.educause.edu/groups/.