07-01-2003 11:43 AM - edited 03-10-2019 07:23 AM
Logging on using PEAP, VLAN assignment works correctly, i.e. user one gets assigned to VLAN 1, user 2 gets assigned to VLAN 2, etc. Then if I do shut down/log off user 1, then log back on, the switch never receives an EAPOL logoff and stays in the VLAN and doesn't reauthenticate user 2 unless I reboot.
Any ideas?
Help would be greatly appreciated.
09-03-2004 01:24 AM
Hi,
I do not think a Microsoft supplicant will send an EAPOL logoff. I have never seen one with my sniffer.
You will have to set a registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global
Create a dword called "SupplicantMode" that has a hex value of 3.
This will work,
Regards, Gerard
09-03-2004 09:19 AM
That's correct. You need SupplicantMode=3 to get the supplicant to send an EAPOL-Start on behalf of user2.
The ONLY way to currently get a Microsoft supplicant to send a Logoff for user1 though is to modify the registry.
If you need Logoffs, you should set (SupplicantMode = 3) AND (AuthMode = 0) AND (disable Machine-Authentication OR ensure that there are no machine credentials on the client). This will ensure that when a user logs off, an EAPOL-Logoff will be sent out. The connection will be terminated right away.
However, since machine authentication is disabled and/or machine credentials are unavailable, machine authentication will not complete successfully. So if you need machine-auth also, proceed with caution.
Also, when an interactive user then logs back on, an EAPOL-Logoff will be sent again, followed by an EAPOL-Start, and authentication will carry on using the user's credentials.
Hope this helps.
11-05-2004 06:01 PM
Hi,
I have the same problem, but in my case it assigns the correct VLAN to the user but it didn't acquire a new IP address. I only used (SupplicantMode = 3). Do you think if I also use (AuthMode = 0) AND (disable Machine-Authentication OR ensure that there are no machine credentials on the client) I solve the problem?
I use XP SP1 and ACS 3.2
Thanks
11-08-2004 06:18 AM
The registry settings on your supplicant control how the supplicant operates. It does not apply to DHCP.
Generally speaking, 802.1x and DHCP are not coupled together. Some supplicants have coupled them together though, which is what we're referring to here.
The solution for you here is KB826942.
Hope this helps.
11-09-2004 08:01 AM
Hi,
With (SupplicantMode = 3) AND (AuthMode = 0), I solved the login/logoff problems with different users, but I also want to do machine authentication first, and changing AuthMode = 1, the machine authenticates with success, but then when the user logs in I didn't have user authentication and the PC remains on the VLAN of machine authentication.
I have an XP SP2 client, and it's wired, not wireless.
Any suggestions?
11-09-2004 10:42 AM
SupplicantMode = 3 AND AuthMode = 1 should get you machine-auth, followed by subsequent user-auth.
As for logging out of the machine with these settings, an EAPOL-Logoff will not be sent, so explicit session termination for the user does not occur. What actually happens is an EAPOL-Start (for machine-auth) will be transmitted by the supplicant when logging out, which is effectively implicit session termination for the user, and the explicit session start of machine-auth again.
As far as I know, this has not changed for SP2.
Does this help?
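Added example, not part of any post in this thread: a way to confirm from a wired capture whether a supplicant ends sessions with an explicit EAPOL-Logoff or only implicitly with a fresh EAPOL-Start, the two behaviours described above for AuthMode = 0 and AuthMode = 1. The function names, MAC addresses and sample frames are constructed for illustration, and a session is assumed to open on EAPOL-Start only.

```python
import struct

EAPOL_ETHERTYPE = 0x888E
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
PAE_GROUP = bytes.fromhex("0180c2000003")  # 802.1X PAE group destination address

def parse_eapol(frame):
    """Return (source MAC, EAPOL packet type) or None if not a complete EAPOL frame."""
    offset = 12
    if len(frame) >= 18 and frame[12:14] == b"\x81\x00":
        offset = 16  # skip a single 802.1Q tag
    if len(frame) < offset + 6:
        return None
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    if ethertype != EAPOL_ETHERTYPE:
        return None
    _version, ptype, body_len = struct.unpack_from("!BBH", frame, offset + 2)
    if len(frame) < offset + 6 + body_len:
        return None  # truncated capture
    return frame[6:12].hex(":"), EAPOL_TYPES.get(ptype, f"unknown({ptype})")

def session_terminations(frames):
    """Per supplicant MAC, how each session ended: 'explicit' (Logoff seen) or
    'implicit' (a new Start replaced a session that never sent a Logoff)."""
    open_session, endings = {}, {}
    for frame in frames:
        parsed = parse_eapol(frame)
        if parsed is None:
            continue
        mac, kind = parsed
        if kind == "EAPOL-Logoff":
            if open_session.get(mac):
                endings.setdefault(mac, []).append("explicit")
            open_session[mac] = False
        elif kind == "EAPOL-Start":
            if open_session.get(mac):
                endings.setdefault(mac, []).append("implicit")
            open_session[mac] = True
    return endings

def build_frame(src_hex, ptype, body=b""):
    """Build a constructed EAPOL frame (version 1) for the sample below."""
    header = struct.pack("!HBBH", EAPOL_ETHERTYPE, 1, ptype, len(body))
    return PAE_GROUP + bytes.fromhex(src_hex) + header + body

# Constructed sample capture (not from the thread): client ...01 sends Logoffs, client ...02 never does.
A, B = "020000000001", "020000000002"
SAMPLE_FRAMES = [build_frame(A, 1), build_frame(B, 1), build_frame(A, 2), build_frame(B, 1),
                 build_frame(A, 2), build_frame(A, 1), build_frame(B, 1), b"\xff" * 14]

if __name__ == "__main__":
    for mac, ends in session_terminations(SAMPLE_FRAMES).items():
        print(mac, ends)
```

A Logoff that arrives when no session is open, such as the one sent at the next logon, is not counted as a termination.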