  1. #1

    Ric_

    Odd BlueSocket authentication issue with a MacBook

    The majority of our laptops are Windows-based so transparent NTLM authentication is the obvious authentication mechanism to use. This has never really worked on OS X so the two Apple laptops we have simply use browser authentication. Our sixth form users that have Macs also use the browser to authenticate.

    The odd authentication issue is with our MacBook (we also have an iBook which works fine). The user authenticates, does a bit of whatever and then the laptop will magically authenticate itself using its computer account via transparent NTLM auth. The computer account isn't an account that is authorised for wifi access so the laptop gets quarantined until you re-authenticate. This is slightly annoying!

    This has been happening for ages but I figured I should probably fix it at some point... I'm now lost for ideas. The system is a BlueSecure BSC-400 fully patched up.

    Any takers?

  2. #2

    How does NTLM auth work?

    We use RADIUS on our main DC and Bluesocket transparent 802.1x for our Windows machines. I've not implemented it yet but 802.1x works pretty well on 10.6 but 10.5 seems less reliable on our Macs; you can have machine > user or just machine credentials authenticate.

  3. #3

    Ric_
    Quote (originally posted by nicklec):
    "How does NTLM auth work?"

    Magic.

    It monitors the network traffic from the client and passes the authentication stuff to the controller so that they can authenticate against AD.

    Quote (originally posted by nicklec):
    "We use RADIUS on our main DC and Bluesocket transparent 802.1x for our Windows machines. I've not implemented it yet but 802.1x works pretty well on 10.6 but 10.5 seems less reliable on our Macs; you can have machine > user or just machine credentials authenticate."

    I don't really want to have to configure another authentication mechanism for one client... especially given that my other Mac clients work as expected.

  4. #4

    What OS are you using on the Macs? I ask since the 'iBook' will be PPC (limited to 10.5) where the MacBook could be a different OS.

  5. #5

    Ric_
    @nicklec: They are running a different OS but I cannot for the life of me remember which version. I suspect they handle the AD joining slightly differently... just differently enough to mess things up but I doubt that there is much I can do about that.

    I have been having a think about this and am wondering if I should add the computer account to a role. This would allow authentication to happen... I'm just wondering if there is a downside.

  6. #6

    Our directory-bound Macs use an 'edge to edge' SSID so they don't have roles as such. Do you have roles that restrict ports etc.?

  7. #7

    Ric_
    Got the Mac in front of me now... its hard disk has seriously died (imagine a very loud clicking thing)... so I have installed a new disk and re-installed everything and the problem still occurs.

    The role I am testing with (the same one that the staff member uses) does indeed have restricted ports. I read somewhere that noisy Macs can cause the BSC to quarantine the client because it thinks that an attack of some sort is under way. Nothing immediately jumps out of the logs though.

    @nicklec... What do you mean an 'edge to edge' SSID?

    BTW - The Mac is running 10.4.11 and is fully patched.

  8. #8

    Sorry for the slow reply. In the SSID setup 'edge to edge' can be ticked so that the AP just acts as a switch directly to your network so that traffic is not tunneled through the controller.

  9. #9

    Ric_
    Quote (originally posted by nicklec):
    "Sorry for the slow reply. In the SSID setup 'edge to edge' can be ticked so that the AP just acts as a switch directly to your network so that traffic is not tunneled through the controller."

    I see that now but I'm not too keen on using that setting... it kind of defeats the point of the stupidly expensive BlueSecure box.

    BTW - My iBook running the same version of the OS has caught the bug too.

    It has to be due to me authenticating correctly via the web and then the computer magically authenticating via its computer account :-\
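
Added example, not part of the original thread or of any BlueSocket tooling: one way to confirm the sequence described in the post above (a user login later replaced by the machine's own computer account) from exported authentication events. The four-column event layout, the sample rows and the function names are assumptions constructed for illustration; the only real-world fact relied on is that Active Directory computer accounts end in `$`.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample events: timestamp, client MAC, auth method, account.
# This four-column layout is hypothetical, not the controller's log format.
SAMPLE_LOG = """\
2010-05-10T09:00:05,00:1B:63:AA:BB:01,web,jsmith
2010-05-10T09:02:00,00:1e:c2:cc:dd:02,ntlm,asmith
2010-05-10T09:07:41,00:1b:63:aa:bb:01,ntlm,MACBOOK01$
2010-05-10T09:30:00,00:1e:c2:cc:dd:02,ntlm,asmith
2010-05-10T09:40:12,00:1b:63:aa:bb:01,web,jsmith
"""


def is_machine_account(account):
    """AD computer accounts have a sAMAccountName ending in '$'."""
    return account.rsplit("\\", 1)[-1].endswith("$")


def find_machine_overrides(log_text, window=timedelta(hours=8)):
    """Return (mac, user, machine, gap) for each machine-account NTLM login
    that replaced an earlier user login from the same client MAC."""
    rows = [r for r in csv.reader(io.StringIO(log_text)) if len(r) == 4]
    rows.sort(key=lambda r: datetime.fromisoformat(r[0]))
    last_user = {}  # MAC -> (time, account) of the latest user login
    hits = []
    for ts, mac, method, account in rows:
        when, mac = datetime.fromisoformat(ts), mac.lower()
        if not is_machine_account(account):
            last_user[mac] = (when, account)
            continue
        prev = last_user.pop(mac, None)  # the user session is gone either way
        if method == "ntlm" and prev and when - prev[0] <= window:
            hits.append((mac, prev[1], account, when - prev[0]))
    return hits


if __name__ == "__main__":
    for mac, user, machine, gap in find_machine_overrides(SAMPLE_LOG):
        print(f"{mac}: {user} replaced by {machine} after {gap}")
```

The gap between the two logins is worth watching: a consistent interval across clients points at a periodic directory operation on the Mac rather than anything the user did.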

  10. #10

    Well we have 802.1n APs (30something APs) everywhere so 2x GbE links into the BSC is not going to let our domain machines use all the bandwidth; we still use BSC firewall for less intensive devices/users. The BSC is also handling 802.1x, RADIUS authentication and for a few more weeks transparent proxy!

  11. #11

    Ric_
    Quote (originally posted by nicklec):
    "Well we have 802.1n APs (30something APs) everywhere so 2x GbE links into the BSC is not going to let our domain machines use all the bandwidth; we still use BSC firewall for less intensive devices/users. The BSC is also handling 802.1x, RADIUS authentication and for a few more weeks transparent proxy!"

    I only use 802.11a/g APs and I'm mean so I throttle connections too. I think that I will probably have to switch to 802.11x authentication over the summer break :-\
