802.1x and windows 2003 server

Unanswered Question
Mar 11th, 2008

We have an ACS 4.1 install with 5 ACS servers, 25 remote switches and over 800 XP users all doing certificate-based machine authentication that works perfectly fine. We are also using a guest VLAN in our sites to auth-fail a guest user onto the guest VLAN so they can get internet access. We had to reduce the dot1x timers so dot1x would fail (45 sec) before Windows DHCP fails (approx. 55 sec). This has worked fine for the last year with all of our XP machines. We put a new 4510 into our main building last week for user access and we are running into an issue with developer boxes that are running 2003 Server or 2003 x64. What happens is that when they reboot, the authentication process takes too long, they auth-fail and get put into the auth-fail VLAN. They then get authenticated 20 sec later, but they are authenticated in the guest VLAN and remain stuck there until I bounce the port. I have a TAC case opened; I just wanted to see if anyone else has seen this or could duplicate it. Very weird and specific to 2003 Server / 2003 Server x64 with Broadcom drivers. Thanks in advance.

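The timer arithmetic the poster describes (dot1x gives up and drops the port into the guest/auth-fail VLAN after 45 seconds, before the Windows DHCP client gives up at roughly 55 seconds), written out as a Catalyst IOS port configuration. This is an added example, not the poster's actual configuration: the guest-VLAN fallback fires after tx-period x (max-reauth-req + 1) seconds, so tx-period 15 with the default max-reauth-req 2 gives 15 x 3 = 45 seconds in place of the default 30 x 3 = 90. The interface name, VLAN numbers and RADIUS server address are placeholders.

```cisco
! Global: assumed RADIUS server and AAA setup (placeholder address and key)
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key example-key
!
! Access port for a user PC. VLAN 10 = normal access VLAN, VLAN 100 = guest/auth-fail VLAN (placeholders)
interface GigabitEthernet2/1
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 dot1x pae authenticator
 dot1x port-control auto
 ! Supplicant-silent fallback: 15 s x (2 + 1) = 45 s before the port moves to the guest VLAN.
 ! Default would be 30 s x (2 + 1) = 90 s, which is longer than the Windows DHCP client waits.
 dot1x timeout tx-period 15
 dot1x max-reauth-req 2
 dot1x guest-vlan 100
 ! Supplicant that answers but fails: after max-attempts failed authentications the port
 ! goes to the auth-fail VLAN (same VLAN as the guest VLAN here, as in the poster's design)
 dot1x auth-fail vlan 100
 dot1x auth-fail max-attempts 3
```

Check the effective window with `show dot1x interface GigabitEthernet2/1 details` (tx-period and max-reauth-req are listed) and watch the port with `show dot1x interface GigabitEthernet2/1 statistics` while a host boots. Shortening the window is exactly what raises the odds that a slow supplicant lands in VLAN 100 first; if it then authenticates, the port is moved back to VLAN 10, but the host keeps the DHCP lease it took in the guest VLAN until it renews, which is the point jafrazie makes in the reply below.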
jafrazie Tue, 03/11/2008 - 08:34

Anytime the VLAN/subnet is changed for any reason, the machine needs to renew its IP.

KB826942 took care of this originally for the MSFT supplicant, and is part of the following one as well:

<http://support.microsoft.com/kb/822596>

Not sure this helps a 2003 Server machine though. Third-party supplicants don't exist for that OS much, AFAIK. Is there a way to ensure the supplicants succeed to begin with? If not mission critical, a release/renew would work, and so would an unplug/plug back in, but I can imagine how this won't seem like a solution either.

miwitte Tue, 03/11/2008 - 08:52

This is actually only on the reboot. One interesting thing is that some people have dynamic VLANs, and they auth-fail, get put into the guest VLAN, then authenticate, get put into the correct VLAN and are fine. Even unplugging/replugging doesn't seem to do it, which it really should, as the authentication process should start over. Also, in their infinite wisdom, security has disabled Windows profile caching, so a user cannot log onto the box without domain connectivity, so they can't disable/re-enable. By reducing the dot1x timeout from 90 seconds to 45 to fix the Windows DHCP issue we probably caused this one. Again, it seems specific to the newer Dell workstations with newer Broadcom drivers.
