802.1x port-auth and GuestVlan ~ reauth

SevkoYaroslav — Sun, 10 Mar 2019 23:19:22 GMT

Hello!

How can I configure switch WS-3750-24TS-S IOS 12.2(35) to

re-authenticate client on its port with 802.1x? Or How can I teach the switch to understand, then non802.1Ñ…-compliant client on its port suddenly gets 802.1Ñ…-compliant???

There is LAN with RADIUS authentication. GuestVLAN (666) is for remote installation. Client boots from LAN-adapter and gets WindowsXP-image installation. After booting OS Windows XP client is still in GuestVLAN and can get out of it only if I shut/no shut its switch-port or make him reauthenticate manually from the switch. If no GuestVLAN is enabled on the port client with OS Windows XP authenticates in 802.1x fine.

HELP!!!! please.

P.S.: notes from switch-config

SWITCH (config-if)#do sh run int fa 1/0/1

Building configuration...

Current configuration : 112 bytes

interface FastEthernet1/0/1

switchport access vlan 111

switchport mode access

speed 100

duplex full

dot1x pae authenticator

dot1x port-control auto

dot1x timeout quiet-period 3

dot1x timeout reauth-period 50

dot1x timeout tx-period 5

dot1x max-reauth-req 5

dot1x reauthentication

dot1x guest-vlan 666

spanning-tree portfast

spanning-tree bpdufilter enable

end

SWITCH (config-if)#do sh run int fa 1/0/24

Building configuration...

Current configuration : 112 bytes

interface FastEthernet1/0/24

switchport access vlan 666

switchport mode access

end

SWITCH (config-if)#do sh vlan

111 Common active Fa1/0/2, Fa1/0/3, Fa1/0/4, Fa1/0/5

666 test_for_MS_WDS active Fa1/0/1, Gi1/0/24

version 12.2

no service pad

service password-encryption

service sequence-numbers

hostname SWITCH

enable secret 5 $1$qFPMXYZHQw87HPd7SUpMohXYZQ0

aaa new-model

aaa authentication dot1x default group radius local

aaa authorization network default group radius

aaa accounting session-duration ntp-adjusted

aaa accounting dot1x default start-stop group radius

aaa session-id common

system mtu routing 1500

ip subnet-zero

no ip domain-lookup

ip domain-name XXXXXX.local

crypto pki trustpoint TP-self-signed-2731960704

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-2731960704

revocation-check none

rsakeypair TP-self-signed-2731960704

dot1x system-auth-control

vlan internal allocation policy ascending

---

radius-server host 100.100.100.100 auth-port 1645 acct-port 1646

radius-server source-ports 1645-1646

radius-server key 7 0XXX1B675DXXXX17XX06

Re: 802.1x port-auth and GuestVlan ~ reauth

jafrazie — Wed, 04 Feb 2009 14:48:16 GMT

It's probably b/c the MSFT supplicant isn't configured to send EAPOL-Starts by default. This is controlled with registry keys. Could you modify them and make this part of your standard build? That should do the trick.

Re: 802.1x port-auth and GuestVlan ~ reauth

SevkoYaroslav — Fri, 06 Feb 2009 10:15:41 GMT

Hello!

Thank you for reply!

Was I understand you correctly?

I make some wrong points in Windows XP TCP-properties? (See attachtment, please).

SevkoYaroslav

Re: 802.1x port-auth and GuestVlan ~ reauth

jafrazie — Fri, 06 Feb 2009 13:22:19 GMT

Like I said, it's not in the GUI ;-). Look here:

http://www.microsoft.com/technet/network/wired/wiredfaq.mspx

The SupplicantMode key is what you need.

topic Re: 802.1x port-auth and GuestVlan ~ reauth in Network Access Control

802.1x port-auth and GuestVlan ~ reauth

Re: 802.1x port-auth and GuestVlan ~ reauth

Re: 802.1x port-auth and GuestVlan ~ reauth

Re: 802.1x port-auth and GuestVlan ~ reauth