
eapol logoff not being received by switch

mschooley
Level 1

Logging on using PEAP, VLAN assignment works correctly, i.e. user one gets assigned to VLAN 1, user 2 gets assigned to VLAN 2, etc. Then if I do shut down / log off user 1, then log back on, the switch never receives an EAPOL logoff and stays in the VLAN and doesn't reauthenticate user 2 unless I reboot.

Any ideas?

Help would be greatly appreciated.

6 Replies

vanbon
Level 1

Hi,

I do not think a Microsoft supplicant will send an EAPOL logoff. I have never seen one with my sniffer.

You will have to set a registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global

Create a dword called "SupplicantMode" that has a hex value of 3.

This will work,

Regards, Gerard

That's correct. You need SupplicantMode=3 to get the supplicant to send an EAPOL-Start on behalf of user2.

The ONLY way to currently get a Microsoft supplicant to send a Logoff for user1 though is to modify the registry.

If you need Logoffs, you should set (SupplicantMode = 3) AND (AuthMode = 0) AND (disable Machine-Authentication OR ensure that there are no machine credentials on the client). This will ensure that when a user logs off, an EAPOL-Logoff will be sent out. The connection will be terminated right away.

However, since machine authentication is disabled and/or machine credentials are unavailable, machine authentication will not complete successfully. So if you need machine-auth also, proceed with caution.

Also, when an interactive user then logs back on, an EAPOL-Logoff will be sent again, followed by an EAPOL-Start, and authentication will carry on using the user’s credentials.

Hope this helps.

Hi,

I have the same problem, but in my case it assigns the correct VLAN to the user but it didn't acquire a new IP address. I only used (SupplicantMode = 3). Do you think if I also use (AuthMode = 0) AND (disable Machine-Authentication OR ensure that there are no machine credentials on the client) I solve the problem?

I use XP SP1 and ACS 3.2

Thanks

The registry settings on your supplicant control how the supplicant operates. It does not apply to DHCP.

Generally speaking, 802.1x and DHCP are not coupled together. Some supplicants have coupled them together though, which is what we're referring to here.

The solution for you here is KB826942.

<http://www.microsoft.com/downloads/details.aspx?FamilyId=5039EF4A-61E0-4C44-94F0-C25C9DE0ACE9&displaylang=en>

Hope this helps.

Hi,

With (SupplicantMode = 3) AND (AuthMode = 0), I solved the login/logoff problems with different users, but I also want to do machine authentication first, and changing AuthMode = 1, the machine authenticates with success, but then when the user logs in I don't get user authentication and the PC remains on the VLAN of machine authentication.

I have an XP SP2 client, and it's wired, not wireless.

Any suggestions?

SupplicantMode = 3 AND AuthMode = 1 should get you machine-auth, followed by subsequent user-auth.

As for logging out of the machine with these settings, an EAPOL-Logoff will not be sent, so explicit session termination for the user does not occur. What actually happens is an EAPOL-Start (for machine-auth) will be transmitted by the supplicant when logging out, which is effectively implicit session termination for the user, and the explicit session start of machine-auth again.

As far as I know, this has not changed for SP2.

Does this help?
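
Added example, not part of the thread: a Python sketch for checking in a capture of the switch port whether a supplicant ended its session with an EAPOL-Logoff (explicit) or only with a new EAPOL-Start (implicit), the distinction the replies above draw. The frames, MAC addresses and function names are constructed for illustration; the EtherType 0x888E and the EAPOL type values come from IEEE 802.1X.

```python
import struct

ETHERTYPE_EAPOL, ETHERTYPE_VLAN = 0x888E, 0x8100
# EAPOL packet type field values defined by IEEE 802.1X
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
# How a frame from a source already seen authenticating ends that session
ENDINGS = {"EAPOL-Logoff": "explicit", "EAPOL-Start": "implicit"}

def parse_eapol(frame):
    """Return (source MAC, EAPOL type name), or None if the frame is not valid EAPOL."""
    if len(frame) < 14:
        return None
    ethertype, offset = int.from_bytes(frame[12:14], "big"), 14
    if ethertype == ETHERTYPE_VLAN and len(frame) >= 18:  # skip one 802.1Q tag
        ethertype, offset = int.from_bytes(frame[16:18], "big"), 18
    if ethertype != ETHERTYPE_EAPOL or len(frame) < offset + 4:
        return None
    _version, ptype, body_len = struct.unpack("!BBH", frame[offset:offset + 4])
    if len(frame) < offset + 4 + body_len:
        return None  # truncated capture
    return frame[6:12].hex(":"), EAPOL_TYPES.get(ptype, "unknown(%d)" % ptype)

def session_endings(frames):
    """List (mac, 'explicit' | 'implicit') for each session end, in capture order."""
    active, endings = set(), []
    for frame in frames:
        parsed = parse_eapol(frame)
        if parsed is None:
            continue
        mac, kind = parsed
        if kind == "EAP-Packet":
            active.add(mac)  # source is in an EAP exchange (the switch never Starts/Logoffs)
        elif mac in active and kind in ENDINGS:
            endings.append((mac, ENDINGS[kind]))
            active.discard(mac)
    return endings

def make_frame(src_hex, ptype, body=b""):
    """Build a constructed EAPOL frame addressed to the PAE group MAC 01:80:c2:00:00:03."""
    header = bytes.fromhex("0180c2000003" + src_hex) + struct.pack("!H", ETHERTYPE_EAPOL)
    return header + struct.pack("!BBH", 1, ptype, len(body)) + body

# Constructed capture: host A logs off with a Logoff, host B only sends a new Start.
HOST_A, HOST_B = "020000000001", "020000000002"
EAP_ID = b"\x02\x01\x00\x05\x01"  # EAP Response/Identity with an empty identity
SAMPLE = [make_frame(HOST_A, 1), make_frame(HOST_A, 0, EAP_ID), make_frame(HOST_A, 2),
          make_frame(HOST_B, 1), make_frame(HOST_B, 0, EAP_ID), make_frame(HOST_B, 1)]

if __name__ == "__main__":
    print(session_endings(SAMPLE))
```

A Start that arrives before any EAP exchange from that MAC is treated as a fresh session, not an ending, so repeated Starts from an unauthenticated port are ignored.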