03-15-2018 05:40 AM - edited 03-08-2019 02:16 PM
Hello Guys,
I am in my lab environment; I have a Cisco 800 series router and an L2 Cisco 2960G switch. I configured inter-VLAN routing through the switch, and a Microsoft 2012 server as the DHCP, DNS, AD and NPS server.
Everything is working great except dynamic VLAN assignment. I followed this link to implement it.
https://mikepembo.wordpress.com/2016/11/07/dynamic-vlan-assignment-cisco-and-nps/comment-page-1/
I have a question:
1. Where should the aaa commands be configured, on the router or the switch?
I configured everything on the switch but it's not working.
Thanks
03-16-2018 06:50 AM
This is exactly what is happening:
I boot the domain-joined machine and log in with a username; NPS audits success and the PC gets the right VLAN. When I sign out, right away the NPS server shows Auth failed and the switch moves it to the 40 guest VLAN. After this, even after signing in with the same username, the switch never sends any packets to the NPS server.
Is there any command that can make the switch send a reauthentication every time we sign in?
03-16-2018 07:41 AM
Hello Deepak,
After removing this command, authentication event fail authorize vlan 40 (guest VLAN), it's working perfectly.
The only thing is that now, when I log in with local credentials or a username that is not in the NPS server policy, the port goes down.
Is there any other way?
Thanks
03-16-2018 08:51 AM
This is the exact issue I am having:
03-17-2018 07:08 AM - edited 03-17-2018 07:11 AM
Users who fail authentication remain in the auth fail VLAN until the next reauthentication attempt. A port in the auth fail VLAN tries to reauthenticate at configured intervals (the default is 60 seconds). If reauthentication fails, the port remains in the auth fail VLAN. If reauthentication is successful, the port moves either to the configured VLAN or to a VLAN sent by the RADIUS server. You can disable reauthentication. If you do this, the only way to restart the authentication process is for the port to receive a link down or EAP logoff event. It is recommended that you keep reauthentication enabled if a client might connect through a hub. When a client disconnects from the hub, the port might not receive the link down or EAP logoff event.
Remove this command:
dot1x max-req 1 ! quit trying to re-authenticate after 1 try
Regards,
Deepak Kumar
03-19-2018 06:15 AM
Hello Deepak,
It's working now, I just moved that port from multi-host mode to single-host mode.
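To put the thread's pieces together (Deepak's advice to keep the auth-fail VLAN and reauthentication but drop dot1x max-req 1, and the final fix of moving the port to single-host mode), here is an added example of the 802.1X port configuration on the access switch. It is not configuration posted by anyone in the thread. The aaa and dot1x commands belong on the 2960G, because the switch port is the 802.1X authenticator and the RADIUS client that talks to NPS; the router plays no part. The interface name, data VLAN 10, NPS address 192.0.2.10, shared secret and the 3600-second reauthentication interval are assumed placeholders; VLAN 40 as the auth-fail VLAN comes from the thread.

```cisco
! Added example configuration (not from the thread). Global 802.1X / AAA on the 2960G.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
! Assumed NPS server address and shared secret: placeholders, not values from the thread.
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key REPLACE-WITH-SHARED-SECRET
!
! Access port for one domain-joined PC (interface and data VLAN are assumed).
interface GigabitEthernet0/5
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 ! single-host: exactly one MAC is authorized on the port, so the supplicant's
 ! EAPOL-Logoff at sign-out and the next EAPOL-Start at sign-in restart the
 ! session for that MAC (this is the change that resolved the thread).
 authentication host-mode single-host
 ! A failed authentication parks the port in VLAN 40 instead of leaving it down.
 authentication event fail action authorize vlan 40
 ! Keep periodic reauthentication enabled so a client sitting in VLAN 40 is retried
 ! and can move to the RADIUS-assigned VLAN once it authenticates; 3600 s is assumed.
 authentication periodic
 authentication timer reauthenticate 3600
 dot1x pae authenticator
 ! Leave dot1x max-req at its default (2 EAP retransmits); do not set it to 1.
 dot1x timeout tx-period 10
!
! Verification from the switch CLI after a client signs in:
! show authentication sessions interface GigabitEthernet0/5
! show dot1x interface GigabitEthernet0/5 details
```

On the NPS side, the network policy that matches the user must return the three standard RADIUS VLAN attributes for the switch to honor the assignment: Tunnel-Type = VLAN (13), Tunnel-Medium-Type = 802 (6) and Tunnel-Pvt-Group-ID set to the VLAN number as a string. When a user not covered by any NPS policy authenticates, NPS rejects the request and the port lands in VLAN 40 rather than going down; the show authentication sessions output will report the session status and the VLAN actually applied, which is the quickest way to tell a rejected user from one whose VLAN attributes were not returned.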