
We are in the process of rolling out the Cisco Identity Services Engine as well as a WPA2 SSID, and have run into an issue. I did some research online and have not come up with much, so I was hoping someone else could shed some light on this...

By default Windows will first attempt to do machine authentication, and then if this fails it should move on to user authentication. We have Cisco ISE joined to our domain, and so the domain machines that connect to our WPA2 SSID successfully do machine authentication. However, machines that are not joined to the domain and fail machine authentication (which they should) will at times throw up an authentication failure message in Windows, but not prompt for a username/password to authenticate to the SSID. Sometimes they do, sometimes they don't; it is inconsistent. In Windows 7, if we go into the Advanced settings and specify that it use username/password only, it works fine. I believe that the default is machine and/or username/password authentication, which means anyone with a non-domain machine (all of our students!) could experience this issue.

We have shut off machine authentication in ISE, and this has kept the issue from recurring; however, we would like to leverage machine authentication at some point, but not if it is going to cause issues with the non-domain machines.

Has anyone else experienced this? Any remedies?

Thanks in advance.

--
Joe Roth
Networking Group
Binghamton University
Ph. 607-777-7528
Fax 607-777-4009
********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
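The Windows 7 "Advanced settings" switch the post describes (machine-only, user-only, or machine-or-user) is stored in the wireless profile XML as the OneX `authMode` element. The script below is an added example, not code from the thread or from Cisco/Microsoft: it parses a WLAN profile, reports whether its `authMode` is appropriate for a domain-joined or non-domain client, and rewrites it to `user` the way the poster did by hand. On a real machine the input would come from `netsh wlan export profile name="<SSID>" folder="<dir>"`; here a constructed sample profile is embedded so it runs offline. The treatment of an absent `authMode` as `machineOrUser` is an assumption that matches the poster's belief about the default.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional

# Namespaces used by Windows WLAN profile XML.
NS = {
    "wlan": "http://www.microsoft.com/networking/WLAN/profile/v1",
    "onex": "http://www.microsoft.com/networking/OneX/v1",
}
VALID_MODES = ("machine", "user", "machineOrUser")

# Constructed sample: a WPA2-Enterprise profile still carrying the
# "machine or user" authentication mode (hypothetical SSID name).
SAMPLE_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CampusSecure</name>
  <SSIDConfig><SSID><name>CampusSecure</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA2</authentication>
        <encryption>AES</encryption>
        <useOneX>true</useOneX>
      </authEncryption>
      <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
        <authMode>machineOrUser</authMode>
        <EAPConfig/>
      </OneX>
    </security>
  </MSM>
</WLANProfile>
"""


def uses_onex(profile_xml: str) -> bool:
    """True when the security block has <useOneX>true</useOneX> (802.1X profile)."""
    root = ET.fromstring(profile_xml)
    node = root.find("./wlan:MSM/wlan:security/wlan:authEncryption/wlan:useOneX", NS)
    return node is not None and (node.text or "").strip().lower() == "true"


def get_auth_mode(profile_xml: str) -> Optional[str]:
    """Return the OneX <authMode> text, or None when the element is absent."""
    root = ET.fromstring(profile_xml)
    node = root.find("./wlan:MSM/wlan:security/onex:OneX/onex:authMode", NS)
    if node is None or not node.text:
        return None
    return node.text.strip()


def set_auth_mode(profile_xml: str, mode: str) -> str:
    """Return a copy of the profile with <authMode> forced to `mode`.

    This is the XML equivalent of the Windows 7 advanced setting; 'user' is
    what the original poster found to work on non-domain machines.
    """
    if mode not in VALID_MODES:
        raise ValueError(f"authMode must be one of {VALID_MODES}, got {mode!r}")
    # Keep the WLAN namespace as the default so the output still looks like a netsh export.
    ET.register_namespace("", NS["wlan"])
    ET.register_namespace("onex", NS["onex"])
    root = ET.fromstring(profile_xml)
    onex = root.find("./wlan:MSM/wlan:security/onex:OneX", NS)
    if onex is None:
        raise ValueError("profile has no OneX block; it is not an 802.1X profile")
    node = onex.find("onex:authMode", NS)
    if node is None:
        # authMode precedes EAPConfig in the OneX schema, so insert it first.
        node = ET.Element(f"{{{NS['onex']}}}authMode")
        onex.insert(0, node)
    node.text = mode
    return ET.tostring(root, encoding="unicode")


def audit_profile(profile_xml: str, domain_joined: bool) -> List[str]:
    """Report mismatches between authMode and whether the client is domain-joined."""
    findings: List[str] = []
    if not uses_onex(profile_xml):
        return ["not an 802.1X profile; authMode does not apply"]
    # Assumption (matches the post): an absent authMode behaves as machineOrUser.
    mode = get_auth_mode(profile_xml) or "machineOrUser"
    if not domain_joined and mode in ("machineOrUser", "machine"):
        findings.append(
            f"authMode={mode} on a non-domain client: the machine attempt has no "
            "domain credentials and will be rejected; set authMode=user"
        )
    if domain_joined and mode == "user":
        findings.append(
            "authMode=user on a domain client: machine authentication is never "
            "attempted, so the client has no network until a user logs on"
        )
    return findings


if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE, domain_joined=False):
        print("finding:", finding)
    fixed = set_auth_mode(SAMPLE_PROFILE, "user")
    print("after fix:", audit_profile(fixed, domain_joined=False))
```

Run the audit over each exported profile on a non-domain client before blaming the RADIUS side: a profile that still says `machineOrUser` explains a failed machine attempt with no credential prompt, and the rewritten profile can be re-imported with `netsh wlan add profile`.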

Comments

How are the non-domain machines provisioned to use 802.1X? Many places use applications such as Cloudpath XpressConnect or Aruba ClearPass to provision the student or personal clients.

We use Windows Group Policy to push the settings & certificates to Windows domain machines. We use a management system to provision Apple computers too. For Apple, we are currently using User Profiles, but will likely move to Login Window Profiles for our University-owned Apple machines.

Student and personal computers are configured to use user authentication only. Our Aruba wireless infrastructure is not set to enforce machine authentication, but it allows it if that is what the client tries. If we had a student or personal machine give a machine authentication error, we would then re-provision it with our tools.

I don't know if our experiences will help you, Joe.

Bruce Osborne
Network Engineer
IT Network Services
(434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Joe Roth [mailto:jroth@BINGHAMTON.EDU]
Sent: Friday, August 03, 2012 4:03 PM
Subject: Dot1x/WPA2 and machine authentication

