802.1x Win supplicant + NAC-L2-IP != VLAN ?

HarrytheBrain · ‎04-24-2006

Hi,

has anyone an idea how to "activate"

VLANs, when using Windows supplicant for

802.1x and NAC-L2-IP?

I know that normally NAC-L2-IP don't support VLANs, but maybe someone figured out a method ?

with regards

harry

jsteffensen · ‎05-04-2006

Hi Harry

Could you please describe your setup a bit more?

I don't know if this answers your question but:

When using switch and 802.1x supplicant you can define VLAN per group or per user on the RADIUS server.

You will need to configure the following on the RADIUS server:

- "Tunnel Medium Type" = 802

- "Tunnel Type" = VLAN

- "Tunnel-Pvt-Group ID"= **NAME of the VLAN - Not Number***

Works with both IAS and ACS and the built in 802.1x supplicant in XP.

This though I've only used in L2 Networks (switches)

Greetings

Jarle

HarrytheBrain · ‎05-05-2006

Hi Jarle,

thanks for your answer.

Your method is correct and will work if you only implement 802.1x.

But in my case, i will do NAC-L2-IP after 802.1x.

Example:

802.1x is fulfilled and the switch put me in the quarantine VLAN. (quarantine because there was no posture validation yet)

Now the Client is doing NAC-L2-IP.

The problem is, i can't change the VLAN after a healthy posture validation, because NAC-L2-IP doesn't support VLANs.

So it doesn't matter if the client is healthy or not, i can't put him into my production VLAN.

It works with the CTA including the supplicant,

but i wanna find a method for Windows supplicant and CTA.

best regards

harry