802.1x User or Computer Authentication never shows username unless disconnected and reconnected while user is logged into computer

  • Updated 4 years ago
I have an external NPS server set up for RADIUS. I have my wireless profile set up on the computers to use computer or user authentication. When a computer boots up and is connected to the wireless, HiveManager shows the machine account as the username, which is fine. My expected result was that after a user logs into the computer, the user would be re-authenticated and HiveManager would show the user account instead of the computer account. This is not happening. The machine account is the only one that seems to be used. If a user disconnects from the wireless and reconnects, then and only then will HiveManager show the user account. Am I missing something? Shouldn't the user be authenticated to RADIUS when logging on?

Jesse Cross

Posted 4 years ago

Nick Lowe, Official Rep

Have you confirmed that user authentication via 802.1X (not just that the user can log on interactively at the login prompt) is actually occurring subsequent to machine authentication?

I suspect that this will not be the case and you will have a client configuration issue such that only machine authentication is taking place.

The easiest way to do this would be at the RADIUS server by installing Wireshark and using RADIUS as a filter.

Alternatively, you could look at the NPS Event Log, use Aerohive's Client Monitor or use a laptop with Wireshark in monitor mode with EAPOL as a filter.

Nick
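
The check at the RADIUS server suggested in the reply above, as an added example that is not part of the original posts: it reads the User-Name attribute from RADIUS Access-Request packets and lists, per client MAC (Calling-Station-Id), whether a machine identity was followed by a user identity. The sample packets, host names and account names are constructed, and it assumes the Windows supplicant sends `host/<fqdn>` (or an account name ending in `$`) as the outer identity for machine authentication, with identity privacy not enabled.

```python
import struct

ACCESS_REQUEST, USER_NAME, CALLING_STATION_ID = 1, 1, 31  # RFC 2865 numbers

def build_access_request(ident, user_name, station):
    """Constructed sample packet: 20-byte header plus two attributes."""
    attrs = b""
    for atype, value in ((USER_NAME, user_name), (CALLING_STATION_ID, station)):
        data = value.encode()
        attrs += bytes([atype, len(data) + 2]) + data
    return struct.pack("!BBH16s", ACCESS_REQUEST, ident, 20 + len(attrs), bytes(16)) + attrs

def parse_attributes(packet):
    """Return (code, {attribute type: first value}) for one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        atype, alen = packet[pos], packet[pos + 1]
        attrs.setdefault(atype, packet[pos + 2:pos + alen])
        pos += alen
    return code, attrs

def identity_kind(user_name):
    """Assumption: machine identities look like host/<fqdn> or NAME$."""
    name = user_name.lower()
    return "machine" if name.startswith("host/") or name.endswith("$") else "user"

def identities_per_client(packets):
    """Map each client MAC to the ordered identity kinds it authenticated with."""
    seen = {}
    for packet in packets:
        code, attrs = parse_attributes(packet)
        if code != ACCESS_REQUEST or USER_NAME not in attrs:
            continue
        station = attrs.get(CALLING_STATION_ID, b"unknown").decode(errors="replace")
        kind = identity_kind(attrs[USER_NAME].decode(errors="replace"))
        kinds = seen.setdefault(station, [])
        if not kinds or kinds[-1] != kind:  # an EAP exchange repeats User-Name
            kinds.append(kind)
    return seen

SAMPLE = [  # constructed packets: PC01 boots then a user logs on; PC02 only boots
    build_access_request(1, "host/PC01.example.local", "00-11-22-33-44-55"),
    build_access_request(2, "host/PC01.example.local", "00-11-22-33-44-55"),
    build_access_request(3, "EXAMPLE\\jdoe", "00-11-22-33-44-55"),
    build_access_request(4, "host/PC02.example.local", "66-77-88-99-AA-BB"),
]
```

A client whose list stops at `machine` never performed user authentication over 802.1X; one that shows `machine` then `user` did, so a stale name in the management console is a display issue rather than a supplicant issue.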

Jesse Cross

Yes, I see the second successful re-authentication for the user when the user logs on.

Nick Lowe, Official Rep

Thanks for confirming that, Jesse.

I will get this tested under 6.1r6 in a test environment over the next few days to see what is going on and post back here.

Nick

Jesse Cross

Nick, I was looking at the active clients list, which doesn't appear to show the latest information. If I go into the client and click the refresh button, then it shows that the user is logged into the wireless. Not sure if that is by design?

Nick Lowe, Official Rep

If you refresh the active clients list a few times, I would expect it to asynchronously show up-to-date information after a few seconds, not something that is always stale. If it is not eventually showing up-to-date information in a 'reasonable' time frame, this would be an issue that should be resolved.

Jesse Cross

OK.  The only way I see the data change even after 10 minutes is to go into the client and push the refresh button per device.  Then the Active client detail screen and the active client list will show the correct information for the devices I manually went into and refreshed.

Nick Lowe, Official Rep

You should consider opening a support case on this behaviour then.

Crowdie, Champ

I have a support case that is in a "holding" state until we could find somebody else with the same issue. Our site has been affected by this since the 5.x HiveManager days. It is more an annoyance that some clients appear as their hostname until you do a client refresh, as they are being treated as a member of the correct user profile.

I upgraded the site's on-premise HiveManager to 6.1r6a last week and the issue remains.

Jesse, have you logged a support call on this?

Jesse Cross

I haven't but I can.  Why don't you give me the support number.

Crowdie, Champ

Case number 00033193.  FYI it was originally logged on the 14th of November 2012.

What I configured was a user profile for machine authentication using PEAP MSCHAPv2 and another user profile for user authentication.  All users complete machine and user authentication (assuming they are a domain device with valid user credentials) but only some display the correct user authentication user profile.

Jesse Cross

One question for you: do the users that show incorrectly still get assigned the correct user profile? Users are not still assigned to a machine policy?

Crowdie, Champ

Our problem is cosmetic as the users are being correctly placed into the user authentication user profile but they appear in the clients table in the machine authentication user profile with their computer's hostname.   This issue only affects users being moved from one user profile to another.   Users who authenticate directly to the user authentication user profile (i.e. they only complete user authentication) appear correctly in the client table.

Jesse Cross

OK, that is what I was hoping.  I have opened a ticket and will let you know when I hear something back.