Currently, we're in the process of testing 802.1x on 3550 and 3560 switches. Things are going OK, but we are running into some problems.
At the moment, we've made the following setup:
- configure switchports for dot1x and put them in a guest VLAN after a few seconds of no answer to the EAP messages. This ensures that when our (Novell) workstations boot up, they can find their E-Dir.
- Once a user logs in, the Novell client starts sending EAP start messages. The EAP handshake starts and the client is put in the right VLAN.
- When the user logs off, the client sends an EAP logoff message and the supplicant is no longer connected to the VLAN the user was in.
Now the problem starts. Because the link on the switchport never goes down in this process and the switch has 'seen' EAP packets, the switch sends an identity request. The client now responds and tries to identify as a workstation.
As this information is not available in the RADIUS server, the machine is denied access. It now has no network resources and this is a problem.
How would one fix this? Are there any best practices for this kind of situation? MAB is not really an option because we've got far too many PCs (which is the reason we started thinking about dot1x in the first place).
Anyone got any clever options? Thanks in advance!
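For reference, the port and global configuration the post describes (dot1x on an access port, falling back to a guest VLAN after a short period with no EAP response) looks roughly like the following on a 3560-class IOS switch. This is an added illustration, not the poster's actual configuration: VLAN numbers, interface names, the RADIUS server address and shared secret are placeholders, and the timer values are chosen only to show which knobs control the "few seconds of no answer". The `auth-fail` lines are included because they are the mechanism a switch of this class uses to place a supplicant that fails authentication (rather than one that stays silent) into a restricted VLAN instead of leaving it with no connectivity; support for them depends on the IOS release, so check `dot1x ?` on the actual platform before relying on them.

```cisco
! --- global: enable AAA and point dot1x at RADIUS (addresses are placeholders) ---
aaa new-model
aaa authentication dot1x default group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key PLACEHOLDER-SECRET
dot1x system-auth-control

! --- example access port (interface and VLAN ids are placeholders) ---
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10          ! data VLAN used when RADIUS returns no VLAN attribute
 dot1x pae authenticator
 dot1x port-control auto
 ! how long the switch waits for an EAP-Response before resending the Identity Request,
 ! and how many times it retries before declaring the port "no supplicant"
 dot1x timeout tx-period 5
 dot1x max-reauth-req 2
 ! silent client (e.g. workstation before the Novell client starts EAP): guest VLAN
 dot1x guest-vlan 20
 ! client that answers EAP but is rejected by RADIUS (the logged-off workstation case):
 ! restricted VLAN after N failed attempts, if the IOS release supports it
 dot1x auth-fail vlan 30
 dot1x auth-fail max-attempts 3
 spanning-tree portfast
```

With the values above the guest VLAN is reached after roughly tx-period x (max-reauth-req + 1) seconds of silence, i.e. about 15 seconds. Whether a port can move from a successful user session back to the guest VLAN without a link flap is a platform and release-dependent behaviour, so `show dot1x interface FastEthernet0/1 details` after a logoff is the place to confirm what state the port actually lands in.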