509 Views, 0 Helpful, 5 Replies

802.1x and Windows DHCP servers

JCAA
Level 1

Hi

I would like to have your support. I configured my 9200L switches with 802.1X access. My architecture is based on a Windows 2022 NPS server as RADIUS server and Windows 2022 DHCP servers. My objective is to put wired devices that are not compliant with the NPS servers into an isolation VLAN (999). I have no DHCP (ip helper) configured for VLAN 999.

When I try with a non-compliant computer and connect it to Gi1/0/2, the laptop seems to be put in VLAN 999 but with an IP address from VLAN 22. Is it normal? Is it an error in my configuration? My objective is that if the computer is not compliant, the device is put in VLAN 999 without an IP address provided by our DHCP servers.

BR


!
aaa new-model
!
aaa group server radius Radius_DOT1X
server name radius1
server name radius2
ip radius source-interface Vlan1000
!
aaa authentication dot1x default group Radius_DOT1X
aaa authorization network default group Radius_DOT1X
aaa accounting network default start-stop group Radius_DOT1X
!
mab request format attribute xxx
!
dot1x system-auth-control
!
vlan 22
name USER22
!
vlan 40
name TOIP40
!
vlan 999
name vlan_isolation
!
!
interface GigabitEthernet1/0/2
switchport access vlan 22
switchport mode access
switchport nonegotiate
switchport voice vlan 40
authentication event fail action authorize vlan 999
authentication event server dead action authorize vlan 999
authentication event server dead action authorize voice
authentication event no-response action authorize vlan 999
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate 28800
authentication timer inactivity 60 dynamic
mab
dot1x pae authenticator
dot1x timeout tx-period 5
storm-control broadcast level 10.00
storm-control multicast level 10.00
storm-control action trap
spanning-tree portfast
spanning-tree guard root
!
radius server radius1
address ipv4 10.10.xx.xx auth-port 1812 acct-port 1813
timeout 2
retransmit 2
key xxx
!
radius server radius2
address ipv4 10.20.xx.xx auth-port 1812 acct-port 1813
timeout 2
retransmit 2
key xxx
!


#show authentication sessions interface gigabitEthernet 1/0/2 details
Interface: GigabitEthernet1/0/2
IIF-ID: 0x1B0BE56E
MAC Address: b445.061a.808b
IPv6 Address: Unknown
IPv4 Address: Unknown
User-Name: b445061a808b
Status: Authorized
Domain: UNKNOWN
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Common Session ID: xxx
Acct Session ID: Unknown
Handle: 0x2b00002a
Current Policy: POLICY_Gi1/0/2

Local Policies:
Service Template: GUEST_VLAN_Gi1/0/2 (priority 150)
Vlan Group: Vlan: 999
Idle timeout: 60 sec

Server Policies:
Method status list:
Method State
dot1x Stopped
mab Stopped

5 Replies

marce1000
VIP

> ... but with an IP address of vlan 22

- Remember that in many cases the device will remain on using the last given address; to check if vlan 999 is 'dhcp free', issue these commands: ipconfig /release, then ipconfig /renew.

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

Hello

I checked. There is no "ip helper" for VLAN 999. On the device, I unplug the network cable, I remove the IP information on the DHCP server, I plug the cable in again and.... I receive an IP from DHCP on VLAN 22... but communication to the other VLANs seems to be blocked... but I don't understand why I receive an IP address.

> ...I don't understand why I receive an IP address

- To really check if the DHCP server is still involved, check its logs for the given MAC address when that happens (aligns with my previous reply for testing).

 M.


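The log check marce1000 suggests, as an added example that is not part of the thread: a script that filters a Windows DHCP Server audit log (DhcpSrvLog-<Day>.log, comma-separated, event IDs 10/11/12/15 for assign/renew/release/deny) for one client MAC, accepting the MAC in the Cisco dotted form printed by `show authentication sessions`, and then flags which of those leases came out of a given scope. The log lines, the host names and the 10.22.0.0/24 scope standing in for VLAN 22 are constructed for the example.

```python
"""Filter a Windows DHCP Server audit log for one client MAC.

Added example for this thread, not code from the original posts.
Windows DHCP Server writes %SystemRoot%\\System32\\dhcp\\DhcpSrvLog-<Day>.log
as comma-separated records:
  ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name,...
Event IDs: 10 = new lease, 11 = renew, 12 = release, 15 = lease denied.
The log lines and the scope below are constructed for the example.
"""
import csv
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, Optional

LEASE_EVENTS = {"10": "assign", "11": "renew", "12": "release", "15": "deny"}

# Constructed sample: the laptop from the thread (b445.061a.808b) keeps getting
# a lease from the VLAN 22 scope; a second host is noise to be filtered out.
SAMPLE_LOG = """\
00,01/15/24,08:00:00,Started,,,,,0,6,,,,,,,,,0
10,01/15/24,08:30:12,Assign,10.22.0.51,LAPTOP01.corp.example,B445061A808B,,1234567,0,,,,,,,,,0
11,01/15/24,09:10:03,Renew,10.22.0.51,LAPTOP01.corp.example,B445061A808B,,1234568,0,,,,,,,,,0
10,01/15/24,09:12:44,Assign,10.22.0.52,DESK07.corp.example,001122334455,,1234569,0,,,,,,,,,0
12,01/15/24,09:20:00,Release,10.22.0.51,LAPTOP01.corp.example,B445061A808B,,1234570,0,,,,,,,,,0
10,01/15/24,09:21:15,Assign,10.22.0.51,LAPTOP01.corp.example,B445061A808B,,1234571,0,,,,,,,,,0
"""


@dataclass(frozen=True)
class LeaseEvent:
    when: str      # "MM/DD/YY HH:MM:SS" as logged
    action: str    # assign / renew / release / deny
    ip: str
    host: str
    mac: str       # 12 uppercase hex digits


def normalize_mac(mac: str) -> str:
    """Accept Cisco (b445.061a.808b), Windows (B4-45-06-1A-80-8B) or colon forms."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def _mac_or_none(field: str) -> Optional[str]:
    try:
        return normalize_mac(field)
    except ValueError:          # empty MAC on start/stop/cleanup records
        return None


def lease_events(lines: Iterable[str], mac: str) -> list[LeaseEvent]:
    """Return the lease records for one MAC, in log order."""
    target = normalize_mac(mac)
    events = []
    for row in csv.reader(lines):
        if len(row) < 7 or row[0] not in LEASE_EVENTS:
            continue
        if _mac_or_none(row[6]) != target:
            continue
        events.append(LeaseEvent(when=f"{row[1]} {row[2]}", action=LEASE_EVENTS[row[0]],
                                 ip=row[4], host=row[5], mac=target))
    return events


def leases_from_scope(events: Iterable[LeaseEvent], scope: str) -> list[LeaseEvent]:
    """Assign/renew events whose address falls inside the given scope (CIDR)."""
    net = ipaddress.ip_network(scope)
    return [e for e in events
            if e.action in ("assign", "renew") and ipaddress.ip_address(e.ip) in net]


if __name__ == "__main__":
    evs = lease_events(SAMPLE_LOG.splitlines(), "b445.061a.808b")
    for e in evs:
        print(f"{e.when}  {e.action:<8}{e.ip:<14}{e.host}")
    # A non-empty result means the VLAN 22 scope is still answering this client,
    # i.e. its Discover reached the helper on VLAN 22, not an isolated VLAN 999.
    print("leases from VLAN 22 scope:", len(leases_from_scope(evs, "10.22.0.0/24")))
```

Run it against the real log with the MAC from the switch's session table; an "assign" or "renew" timestamped after the port moved to VLAN 999 tells you the Discover was still being relayed from a VLAN that has a helper, which is the question the thread is trying to settle.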

The DHCP server gave an IP address to the laptop's wired network card. I checked the MAC address on the card and on the DHCP server and it's the same....

Arne Bier
VIP

Hi @JCAA 

I would change the interface's access VLAN to 999 as the default - this would make the endpoint always start out in this VLAN, and stay there if it's not compliant. If the endpoint is compliant, then return the appropriate VLAN via NPS RADIUS Attribute (e.g. VLAN 22).

The challenge with DHCP and VLAN switching is that the endpoints have no idea that the VLAN has been changed. The only way an endpoint would know this, is if the link were bounced, thus causing the IP stack to re-initialise, and perform DORA again.

There is some exception in Windows clients that can be made VLAN aware (look in the advanced options in the 802.1X supplicant).

I don't see this as a major issue for 802.1X supplicants in general, because 802.1X happens at Layer 2 (before the endpoint has an IP address). If NPS can assign the appropriate VLAN as part of 802.1X, then the endpoint will get the correct VLAN, start its DORA cycle and all will be well. Just don't expect the endpoint to know what to do when you then subsequently change the VLAN while the endpoint has an IP address assigned. That only works in conjunction with the Computer/User 802.1X authentication where the VLAN Change tick box is selected. In those cases the Windows client will perform another DHCP as it toggles between machine and user auth.
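The port design Arne Bier describes, written out as an added example (this is not the thread's own configuration or a vendor reference config). The posted interface starts in VLAN 22 with "authentication open", so the laptop's DHCP Discover is forwarded to the VLAN 22 helper during the dot1x/MAB timeout window (tx-period 5 s, default 2 retries), and that lease survives the later move to the guest VLAN 999. The version below parks the port in VLAN 999 by default; VLAN numbers, interface and the rest of the interface commands are taken from the original post, the NPS attribute values are the standard IETF tunnel attributes used for RADIUS VLAN assignment.

```cisco
! Added example, not the original poster's configuration.
!
! Before (as posted, trimmed): pre-auth traffic goes out on VLAN 22, which has
! an ip helper, so the client already holds a VLAN 22 lease when the
! no-response / fail event moves the port to VLAN 999.
interface GigabitEthernet1/0/2
 switchport access vlan 22
 authentication open
 authentication event no-response action authorize vlan 999
!
! After: the isolation VLAN is the port's default. VLAN 999 has no
! "ip helper-address", so a Discover sent before authentication, in the guest
! VLAN or in the auth-fail VLAN gets no offer and Windows falls back to a
! 169.254.x.x address. The only way into VLAN 22 is an Access-Accept from NPS
! carrying the tunnel attributes listed at the end.
interface GigabitEthernet1/0/2
 switchport access vlan 999
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 40
 authentication event fail action authorize vlan 999
 authentication event server dead action authorize vlan 999
 authentication event server dead action authorize voice
 authentication event no-response action authorize vlan 999
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate 28800
 authentication timer inactivity 60 dynamic
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 5
 spanning-tree portfast
 spanning-tree guard root
!
! NPS network policy for compliant machines
! (Settings > RADIUS Attributes > Standard):
!   Tunnel-Type             = Virtual LANs (VLAN)   (attribute 64, value 13)
!   Tunnel-Medium-Type      = 802                   (attribute 65, value 6)
!   Tunnel-Pvt-Group-ID     = 22                    (attribute 81, the VLAN ID as a string)
! A non-compliant machine either matches no policy or gets an Access-Reject;
! the reject is the "fail" event above and the port stays in VLAN 999.
```

Two checks and one caveat. After the change, `show authentication sessions interface Gi1/0/2 details` should still show "Vlan Group: Vlan: 999" under Local Policies for a non-compliant host, and "Vlan: 22" under Server Policies only after an Access-Accept. "authentication open" is kept here because the DHCP objective no longer depends on it; removing it (closed mode) additionally stops all non-EAPOL traffic before authorization, which is the stricter choice if hosts inside VLAN 999 should not see each other. The caveat is the one Arne raises: a host that was compliant earlier and already holds a VLAN 22 lease keeps that address when a reauthentication moves it to VLAN 999 until its lease timers expire, the link is bounced, or the Windows supplicant's VLAN-change option triggers a new DHCP cycle.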