https://community.cisco.com/t5/network-access-control/802-1x/m-p/1316820#M378680 <HTML><HEAD></HEAD><BODY><P>i find the port in the auth-fail vlan,but don't get ip.why.thanks!</P></BODY></HTML> Thu, 30 Jul 2009 13:42:26 GMT lss_ingli 2009-07-30T13:42:26Z https://community.cisco.com/t5/network-access-control/802-1x/m-p/1316818#M378548 <P>I am doing the NAP With 802.1x enforcement. I Set the Guest vlan and auth-fail vlan and set the 802.1x authcation based port in the cisco 3550 switch and configure the RADIUS standard attributes Tunnel-Medium-Type, Tunnel-Pvt-Group-ID, and Tunnel-Type. Authcation method is EAP-mschap v2 .Authcation Mode is user authication.</P><P></P><P>Question 1: When I log on nap client that is a domain computer and inpute the domain password that is ok and the client can obtain corresponding right IP normal.but when i input local username and password in it ,the nap client obtain 169 IP. Sometime I must inpute command ipconfig/release and ipconfig/renew,the client can obtain restricted vlan IP . The client auth-fail,it should Immediately obtain auth-fail vlan IP. Why must inpute command ipconfig/release and ipconfig/renew,?how to solve it ?</P><P>Question 2: A group computer inpute user name and password ,the client auth-fail.It should Immediately obtain auth-fail vlan IP,but i must also muaul ipconfig/release and ipconfig/renew,the client can obtain restricted vlan IP ã&#128;&#130;</P><P>Why ?How to solve it ?</P><P>Question3:No sccm server ,i only deploy nps server ã&#128;&#129; wsus serverã&#128;&#129; dc and so on ,if client that don't install the new patches that have been in the wsus server is the client put in the restricted vlan ?</P><P>Thanks.</P> Sun, 10 Mar 2019 23:36:46 GMT https://community.cisco.com/t5/network-access-control/802-1x/m-p/1316818#M378548 lss_ingli 2019-03-10T23:36:46Z https://community.cisco.com/t5/network-access-control/802-1x/m-p/1316819#M378598 <HTML><HEAD></HEAD><BODY><P>I assume in Q1/2 that you are just failing 1X auth, right? Can you confirm the port is enabled in the auth-fail-vlan in a timely manner? FYI, 802.1X is async with things like DHCP in Windows.</P><P></P><P>WRT Q3, that's my understanding as well, though it's a configurable choice in NPS AFAIK.</P><P></P></BODY></HTML> Wed, 29 Jul 2009 04:50:49 GMT https://community.cisco.com/t5/network-access-control/802-1x/m-p/1316819#M378598 jafrazie 2009-07-29T04:50:49Z https://community.cisco.com/t5/network-access-control/802-1x/m-p/1316820#M378680 <HTML><HEAD></HEAD><BODY><P>i find the port in the auth-fail vlan,but don't get ip.why.thanks!</P></BODY></HTML> Thu, 30 Jul 2009 13:42:26 GMT https://community.cisco.com/t5/network-access-control/802-1x/m-p/1316820#M378680 lss_ingli 2009-07-30T13:42:26Z https://community.cisco.com/t5/network-access-control/802-1x/m-p/1316821#M378735 <HTML><HEAD></HEAD><BODY><P>Sorry, can't tell from the current description. A few things to remember:</P><P></P><P>1) 802.1X and DHCP is async with Windows (meaning one has nothing to do with the other on the client).</P><P></P><P>2) The port isn't "UP" until it's "authorized", and the Auth-Fail-VLAN being deployed is a valid authorization if you configured it.</P><P></P><P>3) There's no signal from the switch to the client to say "instead of denying you all access, I'm going to enable the port anyway and place you in this VLAN", hence reliance on #1 above essentially.</P><P></P><P>Hope this helps,</P><P> </P></BODY></HTML> Thu, 30 Jul 2009 13:45:43 GMT https://community.cisco.com/t5/network-access-control/802-1x/m-p/1316821#M378735 jafrazie 2009-07-30T13:45:43Z