DHCP before EAP request

Aug 22nd, 2008

Hi...

I've implemented 802.1x on my network. All workstations are Windows XP.

On some of them, when I plug the machine into the network, the switch doesn't send the EAP request immediately... the workstation DHCP request occurs first, and after this... the EAP request happens.

Is this normal behavior?

Is there a way to force the switch to send the EAP request before the workstation generates the DHCP request?

Thanks

tdrais Fri, 08/22/2008 - 06:12

I think if you span the port on the switch you will find, as I did, that the switch is actually sending the packets but the PC is ignoring them. Debugs on the switch will also show this. Eventually the PC will initiate an 802.1x message and all will start to work.

I have tried changing some of the dot1x timeout values with limited success.

Tauer Drumond Fri, 08/22/2008 - 06:29

Actually, I'm debugging the NIC of the workstation (using Ethereal).

When I plug it into the network, it shows me three or four DHCP packets sent by the workstation and after this, it receives the request from the switch.

Please, see attachment.

Thanks

Correct Answer
tdrais Fri, 08/22/2008 - 06:55

From what I have seen, the switch will send the EAP as soon as the port comes up. This may be that the PC and the switch are trying to send packets before the port is really completely active.

Make sure you have portfast on the switch since this is known to cause issues. You can also attempt to change the dot1x timeout tx-period to something less than the default of 30 seconds. You have almost a 30 second delay in your trace.

A debug on dot1x and ip packet while you capture may indicate if the pc and the switch see things the same way.

Tauer Drumond Fri, 08/22/2008 - 07:09

Hi...

The switch port already had the command "spanning-tree portfast".

The only thing I did was to set the command "dot1x timeout tx-period" to the value 1.

Now, the EAP request happens first... and after that... the DHCP request...

Thank you!!

Tauer
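
The ordering check done by eye in the capture above can be scripted. This is an added example, not code from the thread: it classifies untagged Ethernet frames as EAP-Request/Identity or client DHCP and reports which appears first. The function names, MAC addresses, frames and timestamps (seconds since link-up) are constructed for illustration.

```python
import struct

ETH_EAPOL, ETH_IPV4 = 0x888E, 0x0800

def classify(frame: bytes) -> str:
    """Label an untagged Ethernet II frame (no 802.1Q tag assumed)."""
    if len(frame) < 14:
        return "other"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    p = frame[14:]
    if ethertype == ETH_EAPOL and len(p) >= 9:
        # EAPOL: version, type (0 = EAP-Packet), length; EAP: code, id, length, type
        if p[1] == 0 and p[4] == 1 and p[8] == 1:      # code 1 Request, type 1 Identity
            return "eap-request-identity"
    elif ethertype == ETH_IPV4 and len(p) >= 20 and p[9] == 17:   # IPv4 carrying UDP
        ihl = (p[0] & 0x0F) * 4
        if ihl >= 20 and len(p) >= ihl + 4:
            sport, dport = struct.unpack("!HH", p[ihl:ihl + 4])
            if (sport, dport) == (68, 67):             # DHCP client to server
                return "dhcp-client"
    return "other"

def first_seen(capture):
    """capture: time-ordered (seconds, frame) pairs; returns first time per label."""
    seen = {}
    for ts, frame in capture:
        seen.setdefault(classify(frame), ts)
    return seen

def dhcp_before_eap(capture) -> bool:
    """True when the client sent DHCP before any EAP-Request/Identity arrived."""
    seen = first_seen(capture)
    eap, dhcp = seen.get("eap-request-identity"), seen.get("dhcp-client")
    return dhcp is not None and (eap is None or dhcp < eap)

# Constructed sample frames (headers only) and timings, not taken from the attachment.
PAE = bytes.fromhex("0180c2000003")                    # 802.1X PAE group address
SW, PC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
EAP_REQ_ID = PAE + SW + struct.pack("!H", ETH_EAPOL) + bytes([1, 0, 0, 5, 1, 1, 0, 5, 1])
IP = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 128, 17, 0, bytes(4), b"\xff" * 4)
DHCP = b"\xff" * 6 + PC + struct.pack("!H", ETH_IPV4) + IP + struct.pack("!HHHH", 68, 67, 8, 0)
BEFORE = [(2.0, DHCP), (6.0, DHCP), (14.0, DHCP), (29.5, EAP_REQ_ID)]   # long tx-period
AFTER = [(0.9, EAP_REQ_ID), (2.0, DHCP)]                                # tx-period 1

if __name__ == "__main__":
    for name, cap in (("before", BEFORE), ("after", AFTER)):
        print(name, first_seen(cap), "DHCP before EAP:", dhcp_before_eap(cap))
```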
