217 Views · 0 Helpful · 1 Reply

UserRegistrationTool and OneTimePasswords

kai.freese
Level 1

Hi all,

I am testing Cisco Secure User Registration Tool (URT) for use with a radius server and one time passwords (OTP).

Configuration is easy, for using OTP I have switched off "Verify associations while logged on".

Everything works fine with Web-Logon, the client's switchport becomes reconfigured from Logon VLAN to target VLAN.

Then the Java applet connects every 5 minutes to VLAN Policy Server (VPS) and the VPS does not re-verify with radius. OK.

But if the network connection between client and switch is lost and reconnected (e.g. because of a laptop's standby mode), the client's switchport is reconfigured to the Logon VLAN. Expected behaviour so far.

But the Java applet seems not to recognise this change and still displays the old IP address from target VLAN.

At the expiration of the next 5-minute interval the applet tries to connect to the VPS, but now with the source IP from the Logon VLAN.

This fails; the VPS records "Error getting secretKey for MAC address" and initiates a new connection to the client's Java applet.

At the client's desktop only the displayed IP address is changed now, but no input for a new user verification is requested.

And the VPS now tries to verify the new connection with the outdated OTP at the radius server!!!

If the user is busy otherwise and does not take notice of these changes, this erroneous verification request with the outdated OTP is repeated every 5 minutes and finally the radius account becomes locked!!!

Is this a bug or is there any way to avoid this?
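
The failure mode described in this post, modelled as an added example (hypothetical code, not Cisco URT/VPS code): a VPS session re-checks the client every 5 minutes, and when the client's source address changes after the port falls back to the Logon VLAN, one variant replays the OTP already consumed at logon (what the post reports) while the other discards it and asks the user for a fresh credential. The RADIUS stand-in, the 3-failure lockout threshold, user name, OTP value and addresses are all constructed for the example.

```python
"""Model of the re-verification loop described above (hypothetical, not Cisco
URT/VPS code): a VPS session that re-checks the client every 5 minutes, and
what happens once the client's source IP changes after the switchport falls
back to the Logon VLAN."""
from dataclasses import dataclass, field

LOCKOUT_THRESHOLD = 3  # constructed: failed attempts before the RADIUS stand-in locks the account


@dataclass
class FakeRadius:
    """Stand-in RADIUS server: each OTP value is accepted exactly once."""
    used_otps: set = field(default_factory=set)
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def authenticate(self, user, otp):
        if user in self.locked:
            return False
        if otp in self.used_otps:
            # Re-use of a consumed one-time password counts as a failure.
            self.failures[user] = self.failures.get(user, 0) + 1
            if self.failures[user] >= LOCKOUT_THRESHOLD:
                self.locked.add(user)
            return False
        self.used_otps.add(otp)
        return True


class NeedsReauth(Exception):
    """Raised when the VPS must prompt the user for a new OTP instead of reusing one."""


@dataclass
class VpsSession:
    user: str
    otp: str
    source_ip: str
    radius: FakeRadius
    replay_stale_otp: bool  # True models the behaviour reported in the post
    authenticated: bool = False

    def logon(self):
        """Web-Logon: the OTP is sent to RADIUS once and consumed."""
        self.authenticated = self.radius.authenticate(self.user, self.otp)
        return self.authenticated

    def periodic_check(self, current_ip):
        """Called every 5 minutes by the applet. A changed client address means
        the association (target VLAN) has been lost."""
        if current_ip == self.source_ip:
            return True  # association still valid; RADIUS is not contacted
        if self.replay_stale_otp:
            # Reported behaviour: re-verify with the OTP consumed at logon.
            self.authenticated = self.radius.authenticate(self.user, self.otp)
            return self.authenticated
        # Safer handling: forget the consumed OTP and require fresh user input.
        self.authenticated = False
        self.otp = None
        raise NeedsReauth(self.user)


def run_scenario(replay_stale_otp, checks=4):
    """Log on from the target VLAN, then run `checks` periodic checks from a
    Logon-VLAN address (constructed 10.10.10.77) and report the outcome."""
    radius = FakeRadius()
    s = VpsSession("alice", "otp-123456", "10.10.20.5", radius, replay_stale_otp)
    assert s.logon()
    prompts = 0
    for _ in range(checks):
        try:
            s.periodic_check("10.10.10.77")
        except NeedsReauth:
            prompts += 1
    return {
        "radius_failures": radius.failures.get("alice", 0),
        "locked": "alice" in radius.locked,
        "reauth_prompts": prompts,
    }


if __name__ == "__main__":
    print("replay stale OTP:", run_scenario(True))
    print("prompt for new OTP:", run_scenario(False))
```

With the replaying variant the account is locked after the third 5-minute cycle without the user ever being asked for anything; with the other variant RADIUS never sees the stale OTP and the user is prompted instead. In a real deployment the thing to watch for is the same pattern in the RADIUS server's log: repeated failures for one user at a fixed interval, all carrying an already-consumed OTP.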

1 Reply

lisa.hall
Level 2

You could refer to the 'Troubleshooting VLAN Association Problems' section of the troubleshooting document at http://www.cisco.com/en/US/products/sw/secursw/ps2136/products_user_guide_chapter09186a0080086ff1.html (Troubleshooting the User Registration Tool).