02-03-2009 11:20 PM - edited 03-10-2019 04:19 PM
Hello!
How can I configure switch WS-3750-24TS-S IOS 12.2(35) to re-authenticate a client on its port with 802.1x? Or how can I teach the switch to understand that a non-802.1x-compliant client on its port has suddenly become 802.1x-compliant???
There is a LAN with RADIUS authentication. GuestVLAN (666) is for remote installation. The client boots from its LAN adapter and gets a Windows XP image installation. After booting Windows XP, the client is still in the GuestVLAN and can get out of it only if I shut/no shut its switch port or make it reauthenticate manually from the switch. If no GuestVLAN is enabled on the port, the client with Windows XP authenticates with 802.1x fine.
HELP!!!! please.
P.S.: notes from switch-config
SWITCH (config-if)#do sh run int fa 1/0/1
Building configuration...
Current configuration : 112 bytes
!
interface FastEthernet1/0/1
 switchport access vlan 111
 switchport mode access
 speed 100
 duplex full
 dot1x pae authenticator
 dot1x port-control auto
 dot1x timeout quiet-period 3
 dot1x timeout reauth-period 50
 dot1x timeout tx-period 5
 dot1x max-reauth-req 5
 dot1x reauthentication
 dot1x guest-vlan 666
 spanning-tree portfast
 spanning-tree bpdufilter enable
end
SWITCH (config-if)#do sh run int fa 1/0/24
Building configuration...
Current configuration : 112 bytes
!
interface FastEthernet1/0/24
 switchport access vlan 666
 switchport mode access
end
SWITCH (config-if)#do sh vlan
111 Common active Fa1/0/2, Fa1/0/3, Fa1/0/4, Fa1/0/5
666 test_for_MS_WDS active Fa1/0/1, Gi1/0/24
version 12.2
no service pad
service password-encryption
service sequence-numbers
!
hostname SWITCH
!
enable secret 5 $1$qFPMXYZHQw87HPd7SUpMohXYZQ0
!
aaa new-model
aaa authentication dot1x default group radius local
aaa authorization network default group radius
aaa accounting session-duration ntp-adjusted
aaa accounting dot1x default start-stop group radius
aaa session-id common
system mtu routing 1500
ip subnet-zero
no ip domain-lookup
ip domain-name XXXXXX.local
!
!
!
crypto pki trustpoint TP-self-signed-2731960704
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2731960704
 revocation-check none
 rsakeypair TP-self-signed-2731960704
!
!
dot1x system-auth-control
!
vlan internal allocation policy ascending
!
---
radius-server host 100.100.100.100 auth-port 1645 acct-port 1646
radius-server source-ports 1645-1646
radius-server key 7 0XXX1B675DXXXX17XX06
02-04-2009 06:48 AM
It's probably b/c the MSFT supplicant isn't configured to send EAPOL-Starts by default. This is controlled with registry keys. Could you modify them and make this part of your standard build? That should do the trick.
02-06-2009 02:15 AM
02-06-2009 05:22 AM
Like I said, it's not in the GUI ;-). Look here:
http://www.microsoft.com/technet/network/wired/wiredfaq.mspx
The SupplicantMode key is what you need.
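Added example, not part of the thread: a small Python check for whether a client ever sends EAPOL-Start, which is the behaviour the replies above point to. It parses raw Ethernet frames (for instance exported from a capture on the client port); the MAC addresses, sample frames and function names are constructed for illustration.

```python
import struct

EAPOL_ETHERTYPE, VLAN_ETHERTYPE = 0x888E, 0x8100
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
PAE_GROUP = bytes.fromhex("0180c2000003")   # 802.1X PAE group address

def parse_eapol(frame: bytes):
    """Return (src_mac, eapol_type_name) or None if the frame is not well-formed EAPOL."""
    if len(frame) < 14:
        return None
    src = ":".join(f"{b:02x}" for b in frame[6:12])
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    offset = 14
    if ethertype == VLAN_ETHERTYPE and len(frame) >= 18:   # skip one 802.1Q tag
        (ethertype,) = struct.unpack_from("!H", frame, 16)
        offset = 18
    if ethertype != EAPOL_ETHERTYPE or len(frame) < offset + 4:
        return None
    _version, ptype, length = struct.unpack_from("!BBH", frame, offset)
    if len(frame) < offset + 4 + length:                   # truncated body
        return None
    return src, EAPOL_TYPES.get(ptype, f"unknown({ptype})")

def client_eapol(frames, client_mac):
    """List the EAPOL packet types sent by client_mac, in capture order."""
    parsed = (parse_eapol(f) for f in frames)
    return [p[1] for p in parsed if p and p[0] == client_mac.lower()]

def diagnose(frames, client_mac):
    """Classify the client's 802.1X behaviour seen in the capture."""
    sent = client_eapol(frames, client_mac)
    if "EAPOL-Start" in sent:
        return "client initiates 802.1X"
    if sent:
        return "client only answers requests"
    return "no EAPOL from client"

# --- constructed sample frames (MAC addresses are made up) ---
SWITCH, CLIENT = "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee"

def build(src, ptype, body=b""):
    mac = bytes.fromhex(src.replace(":", ""))
    return PAE_GROUP + mac + struct.pack("!HBBH", EAPOL_ETHERTYPE, 1, ptype, len(body)) + body

REQ_ID = build(SWITCH, 0, bytes([1, 1, 0, 5, 1]))              # EAP-Request/Identity
RESP_ID = build(CLIENT, 0, bytes([2, 1, 0, 9, 1]) + b"host")   # EAP-Response/Identity
CAPTURE_SILENT = [REQ_ID, REQ_ID, REQ_ID]                      # nobody answers the switch
CAPTURE_ANSWERS = [REQ_ID, RESP_ID]                            # client replies, never starts
CAPTURE_STARTS = [build(CLIENT, 1), REQ_ID, RESP_ID]           # client sends EAPOL-Start
```

A capture taken after the installed OS has booted that yields "no EAPOL from client" or "client only answers requests" matches the case described in the replies: the client itself never starts authentication.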