802.1x port-auth and GuestVlan ~ reauth

Unanswered Question
Feb 3rd, 2009
User Badges:


How can I configure switch WS-3750-24TS-S IOS 12.2(35) to

re-authenticate client on its port with 802.1x? Or How can I teach the switch to understand, then non802.1х-compliant client on its port suddenly gets 802.1х-compliant???

There is LAN with RADIUS authentication. GuestVLAN (666) is for remote installation. Client boots from LAN-adapter and gets WindowsXP-image installation. After booting OS Windows XP client is still in GuestVLAN and can get out of it only if I shut/no shut its switch-port or make him reauthenticate manually from the switch. If no GuestVLAN is enabled on the port client with OS Windows XP authenticates in 802.1x fine.

HELP!!!! please.

P.S.: notes from switch-config

SWITCH (config-if)#do sh run int fa 1/0/1

Building configuration...

Current configuration : 112 bytes


interface FastEthernet1/0/1

switchport access vlan 111

switchport mode access

speed 100

duplex full

dot1x pae authenticator

dot1x port-control auto

dot1x timeout quiet-period 3

dot1x timeout reauth-period 50

dot1x timeout tx-period 5

dot1x max-reauth-req 5

dot1x reauthentication

dot1x guest-vlan 666

spanning-tree portfast

spanning-tree bpdufilter enable


SWITCH (config-if)#do sh run int fa 1/0/24

Building configuration...

Current configuration : 112 bytes


interface FastEthernet1/0/24

switchport access vlan 666

switchport mode access


SWITCH (config-if)#do sh vlan

111 Common active Fa1/0/2, Fa1/0/3, Fa1/0/4, Fa1/0/5

666 test_for_MS_WDS active Fa1/0/1, Gi1/0/24

version 12.2

no service pad

service password-encryption

service sequence-numbers


hostname SWITCH


enable secret 5 $1$qFPMXYZHQw87HPd7SUpMohXYZQ0


aaa new-model

aaa authentication dot1x default group radius local

aaa authorization network default group radius

aaa accounting session-duration ntp-adjusted

aaa accounting dot1x default start-stop group radius

aaa session-id common

system mtu routing 1500

ip subnet-zero

no ip domain-lookup

ip domain-name XXXXXX.local




crypto pki trustpoint TP-self-signed-2731960704

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-2731960704

revocation-check none

rsakeypair TP-self-signed-2731960704



dot1x system-auth-control


vlan internal allocation policy ascending



radius-server host auth-port 1645 acct-port 1646

radius-server source-ports 1645-1646

radius-server key 7 0XXX1B675DXXXX17XX06

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
jafrazie Wed, 02/04/2009 - 06:48
User Badges:
  • Cisco Employee,

It's probably b/c the MSFT supplicant isn't configured to send EAPOL-Starts by default. This is controlled with registry keys. Could you modify them and make this part of your standard build? That should do the trick.

SevkoYaroslav Fri, 02/06/2009 - 02:15
User Badges:


Thank you for reply!

Was I understand you correctly?

I make some wrong points in Windows XP TCP-properties? (See attachtment, please).



This Discussion