802.1x and Single Sign-on

John_Kaftan
New Contributor III
We have a number of laptops that are mobile labs (Tanks) and in the library for students to check out.
We push the 802.1x settings via AD and it works very well. The problem we have run into is that when we have login set to 'user or computer' and check single sign-on, it comes up and logs into the network using the computer name just fine. But then when the user logs in, it immediately authenticates 802.1x as the user and then proceeds to churn until ultimately failing with "No logon servers found".
The strangest thing about this is that packet captures reveal that while the machine is churning it is sending out ARPs for its gateway. The gateway replies, but the client ignores it. It does this 30-40 times before giving up.
If the user has logged onto the machine before, they will get on with cached credentials and they will be fine, other than being grumpy over how long it takes to get on. If they have never logged on before, they will get the dreaded "No logon servers found".
Doing an 'ARP -a' at the command line reveals the gateway address is listed and the machine is able to browse just fine.
I don't think this is a wireless/policy issue, as I set up the client to get our IT_Admins profile no matter what, and also after the client finally stops asking for the gateway's MAC address everything is fine.
Our workaround is to just set it to Computer authentication only. This is a bummer because we lose visibility as well as the ability to apply user-based profiles.


Charles_Yang
New Contributor
Hello John,
The issue you have mentioned is a Microsoft behavior, not a NAC or policy behavior.

Assumptions:
  • you have an internal CA set up
  • you have a NAP server set up.
The solution is to have the workstation NIC settings set up as follows.
In NIC properties:
1. Enable IEEE 802.1x authentication
Under the "Microsoft: Protected EAP (PEAP)" settings:
  • Select "Validate server certificate"
  • Connect to these servers >> your internal RADIUS server as an FQDN (e.g. radius.yourdomain.com)
Hope it helps
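An added audit script, not from this thread nor from any Extreme or Microsoft tool: it parses the OneX section of a Windows 802.1X profile (the shape `netsh lan export profile` writes, shown here as a constructed sample with hypothetical values) and reports the authMode/single sign-on combination John describes together with whether the PEAP server-validation settings Charles recommends are set.

```python
import xml.etree.ElementTree as ET

# XML namespaces used in a Windows 802.1X (OneX) profile with PEAP.
NS = {
    "onex": "http://www.microsoft.com/networking/OneX/v1",
    "peap": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1",
    "peap2": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2",
}

# Constructed sample (hypothetical values) in the shape of the OneX section of a
# "netsh lan export profile" export: user-or-computer plus single sign-on, as in
# the thread, with the PEAP server-validation settings left unset.
SAMPLE_PROFILE = """<OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
  <authMode>machineOrUser</authMode>
  <singleSignOn><type>preLogon</type><maxDelay>10</maxDelay></singleSignOn>
  <EAPConfig>
   <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
    <Config>
     <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
      <Type>25</Type>
      <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
       <ServerValidation>
        <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
        <ServerNames></ServerNames>
       </ServerValidation>
       <PeapExtensions><PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</PerformServerValidation></PeapExtensions>
      </EapType>
     </Eap>
    </Config>
   </EapHostConfig>
  </EAPConfig>
</OneX>"""


def audit_onex_profile(xml_text):
    """Report auth mode, SSO state and PEAP server validation for one profile."""
    root = ET.fromstring(xml_text)

    def text(path):
        # findtext returns "" for a present-but-empty element and None only if absent.
        return (root.findtext(path, default="", namespaces=NS) or "").strip()

    findings = {
        "auth_mode": text("onex:authMode"),
        "single_sign_on": root.find("onex:singleSignOn", NS) is not None,
        "validate_server_cert": text(".//peap2:PerformServerValidation") == "true",
        "server_names": text(".//peap:ServerNames"),
        "issues": [],
    }
    if not findings["validate_server_cert"]:
        findings["issues"].append("PEAP 'Validate server certificate' is not enabled")
    if not findings["server_names"]:
        findings["issues"].append("no RADIUS FQDN under 'Connect to these servers'")
    return findings
```

Run it against a profile exported from one of the affected laptops; an empty `issues` list means the two PEAP settings above are in place.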

Brian_Townsend
Extreme Employee
John,
Hello, I hope you are well.
I know you have been working with GTAC on this concern through an actual case. As the NAC engineer has not discovered the answer, a wired engineer has reached out to you to gather some additional files for a better understanding of the problem.
Once the solution is available, we will post it for all to see.

Brian Townsend

Brian_Anderson3
New Contributor
What version of Windows are you using, and how old are your network card drivers?

John_Kaftan
New Contributor III
Yes, I have tried that. Still have the same issue. I have found that if I have logged into the machine before, I can get to the desktop. Once on the desktop I fire up Wireshark and I can see the ARP request leaving but no return. Extreme taught me how to grab a remote packet capture from the AP (very cool BTW) and the ARP reply is making it to the radio anyway.

If I disconnect and reconnect to my VNS I am fine, so I think there is some issue with the encryption key changing when the user changes from computer to user, but either the client or the AP is not updating. So when the encrypted data hits the wireless NIC it just gets dropped. Then when I disconnect and reconnect, the keys get lined up again and all is well.

Just a theory.

Also, when the machine first comes up and is logged onto the network as a machine, I can ping it all day long. As soon as I log in, I can no longer ping the device. I have it rigged so that an IT Admin policy gets assigned for both computer and any user, so throughout the process the policy never changes, and it is a policy that is wide open.

Brian_Anderson3
New Contributor
In the deployments I've done with user or computer authentication, I haven't selected the single sign-on option and it works great. Have you tried removing that checkbox and seeing if it helps?