11-11-2003 10:25 PM - edited 03-10-2019 07:33 AM
802.1x VLAN Assignment Using a RADIUS Server. In supervisor engine software releases prior to software release 7.2(2), once the 802.1x host is authenticated, it joins an NVRAM-configured VLAN. With software release 7.2(2) and later releases, after authentication, an 802.1x host can receive its VLAN assignment from the RADIUS server.
The VLAN assignment feature allows you to restrict users to a specific VLAN. For example, you could put guest users in a VLAN with limited access to the network.
802.1x authenticated ports are assigned to a VLAN based on the username of the host that is connected to the port. This feature works with the RADIUS server that has a database of username-to-VLAN mappings.
Has anyone used this feature: 802.1x port authentication with VLAN assignments based on username?
Is this feature valid even when you use an external database (AD) for user authentication? Are there any known issues in implementing this feature relating to performance and DHCP issuing IP addresses?
Any feedback is appreciated.
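The username-to-VLAN mapping quoted above is delivered to the switch inside the RADIUS Access-Accept as the RFC 3580 tunnel attributes (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = the VLAN). The example below is an added illustration, not code from this thread, from Cisco or from any RADIUS server: it parses the attribute area of a constructed Access-Accept, checks that all three attributes are present and consistent, and otherwise falls back to the port's configured default VLAN, which is the behaviour a switch administrator should expect when the server sends nothing usable. The packet bytes, the user names and the VLAN numbers are constructed sample values; the assumption that the deployment uses these standard attributes is stated in the code comments.

```python
"""Decide the VLAN for an 802.1x-authenticated port from a RADIUS Access-Accept.

Added example (not from the thread or from Cisco). It assumes the RADIUS server
returns the RFC 3580 / RFC 2868 tunnel attributes; the sample packets below are
constructed for the demonstration.
"""

# RADIUS attribute type codes (RFC 2865 / RFC 2868)
USER_NAME = 1
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
# Values required for a VLAN assignment (RFC 3580)
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6
REQUIRED = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)


def parse_attributes(payload):
    """Walk the attribute area that follows the 20-byte RADIUS header and
    return a list of (type, value) pairs; raise on a malformed length."""
    attrs = []
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError(f"truncated attribute header at offset {i}")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError(f"bad attribute length {alen} at offset {i}")
        attrs.append((atype, bytes(payload[i + 2:i + alen])))
        i += alen
    return attrs


def split_tag(value):
    """Tunnel attributes carry an optional leading tag byte (0x00-0x1F).
    A first byte above 0x1F is part of the value, i.e. the attribute is untagged."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def select_vlan(attrs, default_vlan):
    """Return (vlan, reason). Attributes are grouped by tag; a group is only
    used when all three attributes are present and describe an 802 VLAN."""
    groups = {}
    for atype, value in attrs:
        if atype in REQUIRED:
            tag, body = split_tag(value)
            groups.setdefault(tag, {})[atype] = body
    for tag in sorted(groups):
        g = groups[tag]
        if not all(a in g for a in REQUIRED):
            continue  # incomplete triplet: ignore rather than guess
        ttype = int.from_bytes(g[TUNNEL_TYPE], "big")
        tmed = int.from_bytes(g[TUNNEL_MEDIUM_TYPE], "big")
        if ttype != TUNNEL_TYPE_VLAN or tmed != TUNNEL_MEDIUM_IEEE_802:
            continue  # some other tunnel (e.g. PPTP), not a VLAN assignment
        gid = g[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", "replace").strip()
        if gid.isdigit():
            vlan = int(gid)
            if 1 <= vlan <= 4094:
                return vlan, f"radius tag {tag}"
            return default_vlan, f"vlan id {vlan} out of range"
        return gid, f"radius tag {tag} (vlan name)"  # switch resolves the name
    return default_vlan, "no usable vlan attributes"


def is_malformed(payload):
    """True when the attribute area cannot be parsed."""
    try:
        parse_attributes(payload)
        return False
    except ValueError:
        return True


# --- constructed sample packets (attribute area only) ---------------------
def attr(atype, value):
    return bytes([atype, 2 + len(value)]) + value


def tunnel(atype, tag, body):
    return attr(atype, bytes([tag]) + body)


def vlan_accept(tag, group_id):
    """Build the RFC 3580 triplet for one VLAN assignment."""
    return (tunnel(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + tunnel(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + tunnel(TUNNEL_PRIVATE_GROUP_ID, tag, group_id.encode()))


ACCEPT_VLAN20 = attr(USER_NAME, b"alice") + vlan_accept(1, "20")   # user -> VLAN 20
ACCEPT_NO_VLAN = attr(USER_NAME, b"bob")                           # server sent no VLAN
ACCEPT_PPTP = (tunnel(TUNNEL_TYPE, 1, (1).to_bytes(3, "big"))       # Tunnel-Type = PPTP
               + tunnel(TUNNEL_MEDIUM_TYPE, 1, (6).to_bytes(3, "big"))
               + tunnel(TUNNEL_PRIVATE_GROUP_ID, 1, b"20"))
ACCEPT_BAD_ID = vlan_accept(0, "5000")                             # outside 1-4094
TRUNCATED = bytes([TUNNEL_TYPE, 10, 1])                            # length exceeds data

if __name__ == "__main__":
    for name, pkt in [("alice", ACCEPT_VLAN20), ("bob", ACCEPT_NO_VLAN),
                      ("pptp", ACCEPT_PPTP), ("bad", ACCEPT_BAD_ID)]:
        print(name, select_vlan(parse_attributes(pkt), default_vlan=10))
```

Grouping by tag matters because RFC 2868 allows several tunnel sets in one packet; the switch must only act on a set whose three attributes belong together. The fallback to `default_vlan` mirrors the NVRAM-configured VLAN the original question refers to, so a server misconfiguration degrades to the pre-7.2(2) behaviour rather than to an undefined one.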
11-18-2003 06:24 AM
Lots of known issues. I have gotten it to work on a single laptop; everyone else is having some issues. To get it to work in a normal environment, I'm assuming that you are going to have roaming users and therefore will be using roaming profiles and probably login scripts. You need to make sure that you have SP 4 or the patch for dot1x, so that the authentication tab shows up on your IP properties. For roaming profiles and login scripts to work you have to check machine authentication and be using Active Directory; this authenticates the machine and assigns it to a default VLAN that can reach login servers before a user logs in. I also believe that a certificate has to be loaded in the local machine store for this to work; haven't tried it without a certificate, but it works with a certificate. The next issue is that once it logs in with user credentials there is another issue: it doesn't release and renew for the new VLAN. This has been addressed with MS patch q822596. I've gotten this to work successfully on one laptop, although from other posts it appears that there are some issues with the patch. Another issue is that if you are trying to do single login, after the user logs off, no EAPOL logoff frame is sent; this is fixed by setting an MS registry value of supplicantmode = 3. This is the default value for a wireless interface, but for a wired interface it is for some reason set to 2. Finally, the last issue is that there seems to be some issue with stability; it seems that some people have had issues with bluescreens and the svchost.exe process locking up computers. Hope this helps. Any other feedback from people implementing this and actually having this working in a LAN environment would be greatly appreciated. I'll take opposing opinions and possible solutions. Thanks.