Dot1x: what to do after EAPoL logoff?

Hi All,


Currently, we're in the process of testing 802.1x on 3550 and 3560 switches. Things are going OK, but we are running into some problems.


At the moment, we've made the following setup:


- configure switchports for dot1x and put them in a guest VLAN after a few seconds of no answer to the EAP messages. This ensures that when our (Novell) workstations boot up, they can find their E-Dir.


- Once a user logs in, the Novell client starts sending EAP start messages. The EAP handshake starts and the client is put in the right VLAN.


- When the user logs off, the client sends an EAP logoff message and the supplicant is no longer connected to the VLAN the user was in.


Now the problem starts. Because the link on the switchport never goes down in this process and the switch has 'seen' EAP packets, the switch sends an identity request. The client now responds and tries to identify as a workstation.


As this information is not available in the RADIUS server, the machine is denied access. It now has no network resources and this is a problem.


How would one fix this? Are there any best-practices for this kind of situation? MAB is not really an option because we've got far too many PCs (which is the reason we started thinking about dot1x in the first place).


Anyone got any clever options? Thanks in advance!


jafrazie (Cisco Employee) Tue, 04/29/2008 - 13:32

What supplicant are we talking about here?


The switch processes an EAPOL-Logoff frame by denying network access immediately, and beginning the process of looking for a supplicant all over again (hence the obligatory EAPOL-Identity-Requests).


It sounds like you're failing machine-auth, so we should see whether you can get machine-auth working, or disable it altogether.


Let me know more details,



Hi, we're talking about the Novell client supplicant. This is actually a client which utilizes the Microsoft Windows supplicant but adds a 'Novell PEAP-MSCHAPv2' authentication method.


What I really want, is that the workstation won't respond to EAPoL identity requests once a user is not logged in. This way the workstation gets placed in the Guest VLAN so it stays connected to the Novell tree. I've already been digging in the Windows registry but couldn't find any such setting.


Thanks in advance.

jafrazie (Cisco Employee) Wed, 04/30/2008 - 19:08

Novell has a supplicant? Where can one download it? If it utilizes the MSFT supplicant, then it should shut it off to not do machine-auth if not desired.


You should be able to configure the MSFT supplicant to not do machine-auth. Disable machine-auth in the Windows supplicant (if the Novell one uses it .. kinda confusing here).

Well, Novell doesn't actually have a supplicant. The client utilizes a third party solution. This can be the Microsoft supplicant. So, I think I have to disable MS machine-auth. This one immediately raises a new question: if I disable machine-auth, what happens after the user logs out and the supplicant consequently generates an EAP logoff? The machine won't be placed in a guest VLAN, because the switch has already seen EAP messages. So the Guest VLAN is not applicable, right??

jafrazie (Cisco Employee) Wed, 05/07/2008 - 06:32

Correct, the Guest-VLAN is not applicable. If you send an EAPOL-Logoff, the supplicant is telling the switch to terminate its service. So it obliges.


The good news is, you can get the MSFT supplicant to send a logoff when you actually logout, but you will need to give up machine-auth to make this happen. All depends on what you wanna do with it really.


Let me know if you need help,

I've got the EAP-Logoff thing working when the user logs out. However, as I don't want machine-auth, how do I get the system back in the Guest VLAN? Or any other network connection for that matter. This is necessary because I do need a network connection for the workstations (Novell client). I thought about using MAB, but this really increases the administrative burden for us...

jafrazie (Cisco Employee) Thu, 05/08/2008 - 06:28

You need to configure the following:


dot1x guest-vlan supplicant


It's a global knob to address this type of use-case. What'll happen when you configure the above is that not only will the session be torn down after EAPOL-Logoff processing; the switch will also continue to send EAPOL-Id-Requests out on the same port, and based on the lack of response to just this new set of requests it can put the port into the Guest-VLAN since the client isn't answering.


NOTE: I assume you know what you're getting into here with VLANs, since you might be changing the subnet and the machine may need to release/renew for an address. The Guest-VLAN could be the same as the existing ones though, so up to you.
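For reference, here is an added example configuration (not posted by anyone in the thread) that puts the pieces discussed above together on a 3560-style IOS switch: the per-port guest VLAN the original poster already uses, plus the global `dot1x guest-vlan supplicant` knob so the port can fall back into the Guest-VLAN again after an EAPOL-Logoff has been seen. Interface names, VLAN numbers, the RADIUS server address and the shared key are placeholders. The `tx-period` and `max-reauth-req` values are lowered from their defaults (30 s and 2) so the guest VLAN is entered sooner; the switch places the port in the guest VLAN only after `(max-reauth-req + 1) * tx-period` seconds without an EAPOL-Response, which with the values below is about 30 seconds rather than the default 90.

```cisco
! --- Added example, not from the original thread. Hypothetical addresses, VLANs and key. ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 10.0.0.5 auth-port 1812 acct-port 1813 key RadiusSharedSecret
!
! Enable 802.1X globally.
dot1x system-auth-control
!
! Allow guest-VLAN assignment even on a port where EAPOL frames have already been
! seen (e.g. after the supplicant sent EAPOL-Logoff at user logout). Without this,
! the port stays unauthorized because the switch assumes a supplicant is present.
dot1x guest-vlan supplicant
!
interface FastEthernet0/1
 description Novell workstation, dot1x with guest VLAN fallback
 switchport mode access
 switchport access vlan 10
 ! Port starts unauthorized and waits for a supplicant.
 dot1x port-control auto
 ! Send EAP-Request/Identity every 10 s (default 30 s) ...
 dot1x timeout tx-period 10
 ! ... and retry twice (default); after (2+1)*10 s with no response
 ! the port is moved into the guest VLAN instead of staying blocked.
 dot1x max-reauth-req 2
 ! VLAN in which the unauthenticated workstation can still reach the eDirectory tree.
 dot1x guest-vlan 100
 spanning-tree portfast
!
! Verification: after a user logs out and the supplicant sends EAPOL-Logoff,
! the port should show an unauthorized state followed by guest-VLAN assignment.
!   show dot1x interface FastEthernet0/1 details
!   show vlan brief
```

Two caveats that follow from the discussion above. First, if the guest VLAN is a different subnet from the user VLAN, the workstation has to release and renew its DHCP lease after the logoff, as noted in the post above; using the same VLAN number for the guest and the access VLAN avoids that but also removes the isolation a separate guest VLAN provides. Second, the guest VLAN is reached by not answering EAPOL at all, so a machine that still runs machine-authentication in the Windows supplicant will keep answering the Identity-Requests and will fail authentication rather than fall back to the guest VLAN, which is why machine-auth has to stay disabled for this design to work.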
