802.1.x guest VLAN problem

etmarcof
Level 3

Hi,

I have configured a Guest VLAN on the switch port. When I power on the PC and don't log in, the PC after some time goes to the Guest VLAN, but it doesn't acquire an IP address, and after some time the port goes to the unauthorized state and then after some time goes to the Guest VLAN again, and so on.

I'm using XP SP2 with:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global\SupplicantMode DWORD Value = 3

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global\AuthMode DWORD Value = 0

Could someone give some help, please.

Thanks

BR

3 Replies

jafrazie
Cisco Employee

The key here is your AuthMode setting of 0. With this setting, if a connection has already been authenticated with machine-auth, the user's credentials will not be used for authentication. The only way I can imagine that the Guest-VLAN even comes up is if you have configured AuthMode = 0 AND then turned off machine-authentication.

As for the Guest-VLAN getting deployed to a port, and how quickly this occurs, it's a function of the tx-period timer on the switch port. Once 3 Identity requests go unanswered, AND if you have Guest-VLAN configured, the port can then be enabled into the Guest-VLAN. DHCP cannot happen until a) 802.1x authorizes a port, or b) the Guest-VLAN is enabled (in which 802.1x authorization will time out).

I have a general question though. What are you looking to accomplish with these specific settings? Based on your registry settings:

*machine-auth should work if you have both 802.1x-user-auth + 802.1x-machine-auth enabled.

*user-auth should work if you have 802.1x-user-auth enabled and 802.1x-machine-auth disabled.

*Guest-VLAN should work if you have 802.1x disabled completely. NOTE: Guest-VLAN should not get deployed in the config, since the supplicant will send EAPOL-Starts, even though you have disabled machine-auth.

Hope this helps.
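The flapping described in the question (guest VLAN, then unauthorized, then guest VLAN again) follows from the two mechanisms the reply above names: the port enters the guest VLAN only after the Identity requests sent every tx-period go unanswered, and an EAPOL-Start from a supplicant that is still running pulls the port back out. The following is an added illustration, not Cisco's code or the forum author's: a small discrete-time model of an authenticator port with a guest VLAN. The timer values, the default of 3 Identity requests before the guest VLAN is enabled, and the EAPOL-Start times of the modeled supplicant are assumptions chosen for the illustration.

```python
"""Discrete-time model of an 802.1X authenticator port with a guest VLAN.

Constructed illustration (not Cisco code). It shows why a supplicant that keeps
sending EAPOL-Start but never answers EAP-Request/Identity makes the port
oscillate between the guest VLAN and the unauthorized state.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class GuestVlanPort:
    tx_period: int = 30          # seconds between EAP-Request/Identity retransmissions (assumed)
    max_reauth_req: int = 2      # retransmissions after the first request: 3 requests in total
    guest_vlan: Optional[int] = None
    state: str = "unauthorized"
    requests_sent: int = 0
    next_request_at: Optional[int] = 0
    transitions: List[Tuple[int, str]] = field(default_factory=list)

    def _set_state(self, t: int, new_state: str) -> None:
        if new_state != self.state:
            self.state = new_state
            self.transitions.append((t, new_state))

    def on_eapol_start(self, t: int) -> None:
        # Any EAPOL-Start restarts authentication; on a guest-VLAN port this
        # takes the port out of the guest VLAN and back to unauthorized.
        self.requests_sent = 0
        self.next_request_at = t
        self._set_state(t, "unauthorized")

    def on_identity_response(self, t: int, authorized: bool) -> None:
        # The supplicant answered, so the retry timer stops; the outcome of the
        # EAP exchange decides the port state.
        self.requests_sent = 0
        self.next_request_at = None
        self._set_state(t, "authorized" if authorized else "unauthorized")

    def tick(self, t: int) -> None:
        """Advance the retransmission timer to time t (seconds since link-up)."""
        if self.next_request_at is None or t < self.next_request_at:
            return
        if self.requests_sent <= self.max_reauth_req:
            self.requests_sent += 1                # send EAP-Request/Identity
            self.next_request_at = t + self.tx_period
            return
        # Every Identity request went unanswered: stop retrying and, if a guest
        # VLAN is configured, authorize the port into it.
        self.next_request_at = None
        if self.guest_vlan is not None and self.state != "authorized":
            self._set_state(t, f"guest-vlan {self.guest_vlan}")


def simulate(port: GuestVlanPort, eapol_start_times: List[int], horizon: int) -> List[Tuple[int, str]]:
    """Run the port for `horizon` seconds; return its (time, state) transitions."""
    starts = set(eapol_start_times)
    for t in range(horizon + 1):
        if t in starts:
            port.on_eapol_start(t)
        port.tick(t)
    return port.transitions


def flapping_timeline() -> List[Tuple[int, str]]:
    # Modeled supplicant: never answers Identity, but sends EAPOL-Start at
    # 120 s and 240 s (assumed times). The port lands in VLAN 20 after
    # 3 * tx_period = 90 s, is knocked out by each EAPOL-Start, and re-enters
    # the guest VLAN 90 s later each time.
    port = GuestVlanPort(tx_period=30, max_reauth_req=2, guest_vlan=20)
    return simulate(port, eapol_start_times=[120, 240], horizon=360)


if __name__ == "__main__":
    for when, state in flapping_timeline():
        print(f"t={when:4d}s  port -> {state}")
```

Reading the timeline makes the reply's point concrete: the time to reach the guest VLAN is (max-reauth-req + 1) multiplied by tx-period, and as long as the Windows supplicant service is still sending EAPOL-Starts the port can never stay there long enough for DHCP to complete.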

Hi Jafrazie,

With 802.1x I don't have the possibility to use Wake on LAN, so I was thinking of using a guest VLAN, because when the PC is logged off it must be in a VLAN, to be possible software. But I'm forgetting that I can use machine authentication and then user authentication.

My problem now is that on a PC with XP (with only SP2) I can't achieve machine auth, but I can do user auth; on one PC with XP SP1 plus some hotfixes I can achieve both authentications, and on another PC (SP1 + some hotfixes + SP2) I can achieve both authentications, so I will have to find which hotfix causes that, because I have used the same user in the tests.

Another thing: I started making tests with the same PCs over wireless, but I'm having some doubts:

- How should I configure the switch port where the access point is connected? (802.1x with multi-host, or an 802.1q trunk?)

- Should the access point and ACS be on the same VLAN?

- I want to use PEAP with VLAN assignment in the AP. I have mapped different SSIDs to different VLANs; in ACS, IETF RADIUS attribute number 81 = VLAN NAME (for wired), and for wireless 81 = VLAN ID?

- In the AP I choose open authentication with EAP and network EAP for each VLAN. Should I choose anything more for PEAP?

Thanks for support.

BR

Is the SP2 machine a member of your domain?

You cannot currently enable 802.1x on ports that host APs.

For APs vs. switches you could try that. You could also deploy more than one RADIUS Server as a workaround. VLAN Assignment by name on an AP may be available soon.

AP and ACS need not be on the same VLAN. They just need to be able to communicate over RADIUS.

For open auth + EAP, you can also evaluate 802.11.

Hope this helps.
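The attribute-81 question above (VLAN name for the switch, VLAN ID for the AP) comes down to how the RADIUS server encodes the three RFC 2868 tunnel attributes in its Access-Accept and how the NAS interprets the Tunnel-Private-Group-ID string. The following is an added example, not ACS, IOS or forum-author code: it builds the attribute set as a RADIUS server would, parses it back as a NAS would (including the tag-octet rule, which is the usual source of interoperability bugs), and reports whether the group ID is numeric. The attribute numbers and enumerated values are the standard ones; the VLAN names and numbers in the test data are constructed.

```python
"""Encode and decode the RADIUS tunnel attributes used for dynamic VLAN assignment.

Constructed example (not ACS or Cisco code). RFC 2868 defines:
  Tunnel-Type (64)             tag octet + 3-octet integer, 13 = VLAN
  Tunnel-Medium-Type (65)      tag octet + 3-octet integer, 6 = IEEE-802
  Tunnel-Private-Group-ID (81) tag octet + string (VLAN name or number)
A leading octet of 0x00..0x1F is a tag grouping the three attributes; anything
larger is the first byte of the value itself, so a server that omits the tag
octet before a VLAN name still produces a parsable attribute.
"""
import struct
from typing import Dict, List, Optional, Tuple

TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6
VLAN_ATTRS = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)


def avp(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type (1 octet), Length (1 octet, includes header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vlan_assignment_avps(group_id: str, tag: int = 0) -> bytes:
    """Build the three attributes a RADIUS server places in an Access-Accept."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tunnel tag must be 0..31")
    prefix = bytes([tag])
    return (
        avp(TUNNEL_TYPE, prefix + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
        + avp(TUNNEL_MEDIUM_TYPE, prefix + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
        + avp(TUNNEL_PRIVATE_GROUP_ID, prefix + group_id.encode("ascii"))
    )


def parse_avps(data: bytes) -> List[Tuple[int, bytes]]:
    """Split a RADIUS attribute list into (type, value) pairs, rejecting bad lengths."""
    avps: List[Tuple[int, bytes]] = []
    i = 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        avps.append((attr_type, data[i + 2:i + length]))
        i += length
    return avps


def split_tag(value: bytes) -> Tuple[int, bytes]:
    """Apply the RFC 2868 rule: a leading octet above 0x1F is data, not a tag."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def extract_vlan(data: bytes) -> Optional[Dict[str, object]]:
    """NAS-side view: return the VLAN group ID from a complete, consistent tagged
    set, or None if the Access-Accept carries no usable VLAN assignment."""
    by_tag: Dict[int, Dict[int, bytes]] = {}
    for attr_type, value in parse_avps(data):
        if attr_type in VLAN_ATTRS:
            tag, body = split_tag(value)
            by_tag.setdefault(tag, {})[attr_type] = body
    for tag in sorted(by_tag):
        attrs = by_tag[tag]
        if len(attrs) != 3:
            continue                      # incomplete set: ignore it
        if int.from_bytes(attrs[TUNNEL_TYPE], "big") != TUNNEL_TYPE_VLAN:
            continue
        if int.from_bytes(attrs[TUNNEL_MEDIUM_TYPE], "big") != TUNNEL_MEDIUM_IEEE_802:
            continue
        group = attrs[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", errors="replace")
        # A switch that maps by name looks `group` up in its VLAN database; an AP
        # that only accepts IDs needs `numeric` to be True.
        return {"vlan": group, "numeric": group.isdigit()}
    return None


if __name__ == "__main__":
    for gid in ("GUEST", "20"):          # constructed sample group IDs
        raw = vlan_assignment_avps(gid)
        print(gid, raw.hex(), extract_vlan(raw))
```

Two details are worth checking against a packet capture when VLAN assignment misbehaves: whether the server emits the tag octet at all (some servers omit it before a name, which the parser above tolerates), and whether all three attributes share the same tag, since a NAS that groups by tag will discard a mismatched set exactly as `extract_vlan` does.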