forced reauthentication following user change on 802.1x

hwon
Level 1

We have a test 802.1x setup for a wired network using IAS and a Cat3550. We are using PEAP and assign different VLANs for the machine account and the user account via the RADIUS server, and we are having issues with VLAN switching between the two accounts. The correct VLAN is assigned depending on whether the machine or the user is authenticated; the problem is the timing of the switch from one account to the other.

Let's say a Windows XP machine boots up, authenticates as the machine and is assigned VLAN 100. Once a user logs on to the machine with his/her account, based on the RADIUS policy he/she should be moved to VLAN 200. However, this does not happen right away. It waits for the reauthentication timeout and then assigns the correct VLAN. The same happens when the user logs out: it waits for the reauthentication timeout, then logs in as the machine account and assigns VLAN 100 back to the port.

I have applied the MS KB826942 patch, and the host seems to renew its IP as soon as it detects the VLAN change. But it seems to wait around for reauthentication from the switch. Does anyone know how to force reauthentication once the user changes?

2 Replies

jafrazie
Cisco Employee

802.1x is out of the way for you once 802.1x has authorized a switch port. Hence, 802.1x doesn't do anything else (until re-auth kicks in, if you have it configured, as you seem to).

Hence, when a user logs into a machine after machine-auth has successfully completed, 802.1x on the switch isn't going to do anything, because as far as it knows it has already authorized the port, and it has no visibility into what's actually happening on the machine.

Now, if you want to 802.1x-authenticate the user as well, then you need to make sure you have enabled the wired supplicant to send EAPOL-Starts. See here:

<http://www.microsoft.com/WindowsServer2003/techinfo/overview/wififaq.mspx#EAAAA>

p.s. The reason it seems to work after re-auth is because the switch is initiating the auth conversation on its own, and the supplicant replies with cached credentials (also a default of this supplicant).

Hope this helps,

The following registry settings seem to be the winning combination for what we are trying to accomplish. Thank you for the information.

AuthMode=1

SupplicantMode=3
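As an added example (not part of the thread, and not Microsoft's or Cisco's own script), here is a batch file that applies the two values from the post above on the Windows XP client and reads them back. The registry key path is an assumption: the thread never names it, and the path used below is the one Microsoft documents for the XP 802.1X supplicant after the KB826942 rollup, so check it against the linked FAQ before deploying. The behaviour attributed to each value is what the thread reports: AuthMode=1 makes the supplicant re-authenticate with the user's credentials at logon and with the computer account at logoff, and SupplicantMode=3 makes it send EAPOL-Start itself instead of waiting for the switch's reauthentication timer.

```batch
@echo off
rem Added example, not from the thread: set the XP wired supplicant to
rem re-authenticate on user logon/logoff and to send EAPOL-Start itself.
rem ASSUMPTION: this key path is taken from Microsoft's 802.1X FAQ as the
rem author recalls it; it is not stated in the thread. Verify before use.
set EAPOL_KEY=HKLM\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global

rem AuthMode=1: machine authentication at boot, then re-authentication with
rem the logged-on user's credentials, and with the machine account at logoff.
reg add "%EAPOL_KEY%" /v AuthMode /t REG_DWORD /d 1 /f
if errorlevel 1 goto fail

rem SupplicantMode=3: supplicant transmits EAPOL-Start on its own, so the
rem switch starts a new EAP conversation at logon/logoff instead of only
rem when its dot1x reauthentication period expires.
reg add "%EAPOL_KEY%" /v SupplicantMode /t REG_DWORD /d 3 /f
if errorlevel 1 goto fail

rem Read both values back so the change can be checked before rebooting.
reg query "%EAPOL_KEY%" /v AuthMode
reg query "%EAPOL_KEY%" /v SupplicantMode

echo Settings applied. Reboot (or restart the Wireless Zero Configuration
echo service, which hosts the XP wired 802.1X supplicant) to pick them up.
goto :eof

:fail
echo Failed to write %EAPOL_KEY%. Run from an administrative command prompt.
exit /b 1
```

Run it from an administrative command prompt on the test XP client. Nothing changes on the Cat3550: as the Cisco reply explains, the switch only re-runs 802.1x when its reauthentication timer fires or when the supplicant sends EAPOL-Start, so the port's reauth-period can stay at its normal value once the supplicant initiates the exchange itself. A quick check is to watch the port's VLAN on the switch while a user logs on and off; with these values the VLAN should change within seconds rather than after the reauthentication timeout.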