802.1x Host Auto-Login
This feature was added in order to solve a problem related to 802.1x Host Auto-Login in a specific circumstance.
Context
A Windows device connects to the network through 802.1x and then goes to sleep/hibernation. Once it “wakes up”, it does not send a new request to the RADIUS server. If the network device has sent openNAC a LOGOUT, openNAC will treat this connection as closed. Therefore, when the device “wakes up”, openNAC will identify this “new connection” as VISIBILITY instead of 802.1x HOST. As a consequence, the device might be placed in the wrong policy, and thus the wrong VLAN, and show unexpected behaviour such as no network connection.
Roots of the problem
Network Device: the network device detects that the Windows machine “disconnected” from the network. After a predefined amount of time it will send a logout for the session.
Device: A Windows device connects to the network through 802.1x. When it goes to sleep/hibernation and then “wakes up”, the Windows Supplicant for 802.1x authentication does NOT send the login credentials to the network device again. This happens because the Windows device tries to reconnect to the network device using the handshake. If this method is successful, the Windows device and the network device will be connected to each other.
It was discovered that when the device “wakes up”, Windows tries to reconnect with the network device using a WiFi handshake. If this method is successful, the device will NOT make an authorization request because, from its standpoint, it is already connected to the network device. Therefore, these two devices are connected to each other.
Moreover, if the network device had sent openNAC a LOGOUT, openNAC will treat this connection as closed. Therefore, when the device “wakes up”, openNAC will identify this “new connection” as VISIBILITY instead of 802.1x HOST. This might result in a policy change and in errors when executing the plugins.
Solution
Aruba deals with this by storing the keys in a “Machine Authentication Cache (MAC)” for a predefined amount of time. Thus, within this time frame, if the keys are correct the Aruba device will allow the Windows device to connect to the network.
The solution is to implement a system similar to Aruba’s MAC. In this case, if openNAC receives an accounting IpMac coming from the WLC in which the SWITCHIP, SWITCHPORT and SSID are the same as in the previously recorded connection, this request will be treated as a LOGIN. Therefore, under these circumstances, the device will be logged in as before. This special behaviour MUST be turned on, as it is off by default. To turn it on, go to: Configuration → Configuration vars → Advanced.
- Note:
- This solution is only needed in openNAC if the network device validates the network handshake after the Windows machine “wakes up” from sleep/hibernation. If the network device is able to invalidate these keys and thus force the Windows device to send the request to the RADIUS server again, the problem would be solved without the need for this feature.

Considerations
If this behaviour is on, all incoming DHCP packets will be discarded when there is an 802.1x Host with a Logout tag. This is not a desired behaviour, as openNAC loses visibility.
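The matching rule from the Solution section and the DHCP side effect from Considerations can be followed in a small model. This is an added example, not openNAC code: the class and function names, the result labels, keying sessions by MAC address and the sample addresses are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Session:
    source: str              # "802.1X_HOST" or "VISIBILITY"
    where: tuple             # (SWITCHIP, SWITCHPORT, SSID)
    logged_out: bool = False

class SessionTable:
    """Toy model of the classification described on this page (not openNAC code)."""

    def __init__(self, auto_login=False):       # the feature is off by default
        self.auto_login = auto_login
        self.last = {}                          # assumption: keyed by MAC address

    def dot1x_login(self, mac, switch_ip, port, ssid):
        self.last[mac] = Session("802.1X_HOST", (switch_ip, port, ssid))
        return "802.1X_HOST"

    def logout(self, mac):                      # LOGOUT sent by the network device
        if mac in self.last:
            self.last[mac].logged_out = True

    def _closed_dot1x(self, mac):
        s = self.last.get(mac)
        return s if s and s.source == "802.1X_HOST" and s.logged_out else None

    def accounting_ipmac(self, mac, switch_ip, port, ssid):
        s = self.last.get(mac)
        if s and s.source == "802.1X_HOST" and not s.logged_out:
            return "802.1X_HOST"                # assumption: session still open
        prev = self._closed_dot1x(mac)
        if self.auto_login and prev and prev.where == (switch_ip, port, ssid):
            prev.logged_out = False             # treated as LOGIN, as before
            return "802.1X_HOST"
        self.last[mac] = Session("VISIBILITY", (switch_ip, port, ssid))
        return "VISIBILITY"

    def dhcp(self, mac):
        # Consideration: feature on + 802.1x host with a Logout tag -> packet dropped
        if self.auto_login and self._closed_dot1x(mac):
            return "DISCARDED"
        return "PROCESSED"

def replay(auto_login, wake_ssid="corp"):
    """Constructed sequence: login, sleep (LOGOUT), DHCP on wake, accounting IpMac."""
    mac, table = "00:11:22:33:44:55", SessionTable(auto_login)
    table.dot1x_login(mac, "10.0.0.2", "wlan0", "corp")
    table.logout(mac)
    return table.dhcp(mac), table.accounting_ipmac(mac, "10.0.0.2", "wlan0", wake_ssid)
```

Calling `replay(True, wake_ssid="guest")` shows that an accounting record whose SSID differs from the recorded connection is still classified as VISIBILITY even with the feature on.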