WoL over 802.1X with VLAN Assignment

s.berthier
Level 1

Hello

I have a 3560 switch and an ACS v4.

In a test phase, I have an infrastructure with 802.1X PEAP with automatic VLAN assignment by the ACS according to the machine.

My question is:

Is it possible to implement Wake on LAN on 802.1X with a non-static VLAN assignment (i.e. without using the command "switchport access vlan XXX")?

PS: If I set the VLAN statically on a port, Wake on LAN works without problems with 802.1X.


jafrazie
Cisco Employee

This is possible, with or without WoL configured on the port.

It's also possible with or without the "switchport access vlan XXX" command. But FYI, if you remove that command, then you effectively have an implicit "switchport access vlan 1" command. That's OK though, since a port is in no VLAN until 802.1X completes on the port, so if you dynamically assign the VLAN via RADIUS, it'll work fine.

We've seen some customers attempt to use VLAN-1 in this manner for an extra security blanket, since standing best-practices of not trunking/routing/using VLAN-1 may already apply.

Hope this helps,

In fact, when you type "switchport access vlan 69" on an interface and "dot1x control-direction in" and all the other commands to activate 802.1X, you can use Wake on LAN on the machine connected to the interface and it works fine.

However, when you remove "switchport access vlan 69" to let the ACS assign VLAN 69 to the interface connected to the PC, Wake on LAN doesn't work.

I say that if you use VMPS, Wake on LAN doesn't work, and perhaps it's the same idea.

In fact, I have read in the docs and tested that Wake on LAN works with 802.1X and a statically assigned VLAN, but I want to know if it works with 802.1X and a dynamically assigned VLAN.

If you want details, I can give them to you.

Thanks for everything

Please feel free to share details, or a TAC case .. b/c this sounds like a software bug. From an 802.1X and/or WoL perspective, there should be no difference in VLAN1 vs. VLAN69, which is effectively what your description dictates.

Thanks,

OK, on interface 0/19:

Switchport mode access
speed 100
duplex Full
dot1x pae authenticator
dot1x port-control auto
dot1x control-direction in
spanning-tree portfast

The software used is like "wolcmd", configured with:

MAC address of the PC
IP of the PC (given by DHCP reservation)
Subnet mask
Remote port number: 7

The authentication on the ACS works fine, and on the ACS we have these fields:

[064] Tunnel-Type
Value: VLAN

[065] Tunnel-Medium-Type
Value: 802.

[Tunnel-Private-Group-ID]
Value: 69

In fact, the only difference between the configs is static or dynamic assignment of the VLAN.

I don't know if this is what you want.

Thanks
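An added example, not part of the original thread or any poster's code: what a wolcmd-style sender puts on the wire for the parameters listed above (MAC, IP, subnet mask, UDP port 7), plus a checker for confirming from a capture whether the magic packet actually reached the switch port. It assumes the IP and mask are used to derive the subnet's directed broadcast address; function names are hypothetical and the addresses are constructed samples.

```python
import ipaddress
import re
import socket
from typing import Optional

SYNC = b"\xff" * 6  # synchronisation stream that opens every magic packet


def parse_mac(mac: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-..., or aabb.ccdd.eeff (Cisco style)."""
    digits = re.sub(r"[:.\-]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(digits)


def magic_packet(mac: str) -> bytes:
    """6 x 0xFF followed by the target MAC repeated 16 times (102 bytes)."""
    return SYNC + parse_mac(mac) * 16


def directed_broadcast(ip: str, mask: str) -> str:
    """Broadcast address of the PC's subnet, derived from its IP and mask."""
    return str(ipaddress.IPv4Interface(f"{ip}/{mask}").network.broadcast_address)


def extract_target(payload: bytes) -> Optional[str]:
    """Return the target MAC if payload (e.g. from a capture) holds a magic packet."""
    start = payload.find(SYNC)
    while start != -1:
        mac = payload[start + 6:start + 12]
        if len(mac) == 6 and payload[start + 6:start + 102] == mac * 16:
            return ":".join(f"{b:02x}" for b in mac)
        start = payload.find(SYNC, start + 1)
    return None


def send_wol(mac: str, ip: str, mask: str, port: int = 7) -> str:
    """Send the magic packet to the subnet's directed broadcast over UDP."""
    dest = directed_broadcast(ip, mask)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.sendto(magic_packet(mac), (dest, port))
    return dest


if __name__ == "__main__":  # constructed sample values, not from the thread
    pkt = magic_packet("00:11:22:33:44:55")
    print(len(pkt), extract_target(pkt), directed_broadcast("192.0.2.25", "255.255.255.0"))
```

Running `extract_target` over UDP payloads captured on the access port in both the static and the dynamic VLAN configuration shows whether the broadcast is forwarded to the port in each case.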

Forget VLAN Assignment for a minute, since it would be well after WoL anyway.

So you're saying with this config:

***

switchport mode access
switchport access vlan 69
dot1x pae authenticator
dot1x port-control auto
dot1x control-direction in
spanning-tree portfast

***

That WoL works, but WoL doesn't work with this config:

***

switchport mode access
switchport access vlan 1
dot1x pae authenticator
dot1x port-control auto
dot1x control-direction in
spanning-tree portfast

***

Is that right? If so, you need a TAC case, since this looks like a bug to me ;-).

Thanks,

Hello

I have a solution.

You can do this by using NAT, and for me it works.

Thank you for your help
