802.1x port-auth and GuestVlan ~ reauth

Unanswered Question
Feb 3rd, 2009

Hello!

How can I configure switch WS-3750-24TS-S IOS 12.2(35) to re-authenticate a client on its port with 802.1x? Or how can I teach the switch to understand when a non-802.1x-compliant client on its port suddenly becomes 802.1x-compliant???

There is a LAN with RADIUS authentication. GuestVLAN (666) is for remote installation. The client boots from the LAN adapter and gets a Windows XP image installation. After booting into Windows XP, the client is still in the GuestVLAN and can get out of it only if I shut/no shut its switch port or make it reauthenticate manually from the switch. If no GuestVLAN is enabled on the port, the Windows XP client authenticates with 802.1x fine.

HELP!!!! please.

P.S.: notes from switch-config

SWITCH (config-if)#do sh run int fa 1/0/1
Building configuration...

Current configuration : 112 bytes
!
interface FastEthernet1/0/1
 switchport access vlan 111
 switchport mode access
 speed 100
 duplex full
 dot1x pae authenticator
 dot1x port-control auto
 dot1x timeout quiet-period 3
 dot1x timeout reauth-period 50
 dot1x timeout tx-period 5
 dot1x max-reauth-req 5
 dot1x reauthentication
 dot1x guest-vlan 666
 spanning-tree portfast
 spanning-tree bpdufilter enable
end

SWITCH (config-if)#do sh run int fa 1/0/24
Building configuration...

Current configuration : 112 bytes
!
interface FastEthernet1/0/24
 switchport access vlan 666
 switchport mode access
end

SWITCH (config-if)#do sh vlan
111 Common active Fa1/0/2, Fa1/0/3, Fa1/0/4, Fa1/0/5
666 test_for_MS_WDS active Fa1/0/1, Gi1/0/24

version 12.2
no service pad
service password-encryption
service sequence-numbers
!
hostname SWITCH
!
enable secret 5 $1$qFPMXYZHQw87HPd7SUpMohXYZQ0
!
aaa new-model
aaa authentication dot1x default group radius local
aaa authorization network default group radius
aaa accounting session-duration ntp-adjusted
aaa accounting dot1x default start-stop group radius
aaa session-id common
system mtu routing 1500
ip subnet-zero
no ip domain-lookup
ip domain-name XXXXXX.local
!
!
!
crypto pki trustpoint TP-self-signed-2731960704
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2731960704
 revocation-check none
 rsakeypair TP-self-signed-2731960704
!
!
dot1x system-auth-control
!
vlan internal allocation policy ascending
!
---
radius-server host 100.100.100.100 auth-port 1645 acct-port 1646
radius-server source-ports 1645-1646
radius-server key 7 0XXX1B675DXXXX17XX06

jafrazie Wed, 02/04/2009 - 06:48

It's probably because the MSFT supplicant isn't configured to send EAPOL-Starts by default. This is controlled with registry keys. Could you modify them and make this part of your standard build? That should do the trick.
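The reply above points at supplicant registry keys without naming them. The following batch script is an added example, not from the thread, that a deployment image could run to make the Windows XP built-in supplicant send EAPOL-Start on link-up; the key path and the meaning of SupplicantMode value 3 ("compliant") are Microsoft's documented XP EAPOL parameters as I recall them, assumed here rather than taken from the page.

```batch
@echo off
rem Added example (not from the thread): switch the Windows XP EAPOL supplicant
rem to "compliant" mode so it sends EAPOL-Start when the link comes up. A port
rem parked in the guest VLAN then restarts 802.1X authentication on its own,
rem without a shut/no shut or a manual reauthenticate on the switch.
rem Assumption: the global EAPOL parameters live under the key below and
rem SupplicantMode 3 = compliant (send EAPOL-Start and answer EAP-Request/Identity).
setlocal
set KEY=HKLM\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global

echo Current value (absent = supplicant default, which does not send EAPOL-Start):
reg query "%KEY%" /v SupplicantMode 2>nul || echo   SupplicantMode not set

rem Write the value; /f overwrites an existing entry without prompting.
reg add "%KEY%" /v SupplicantMode /t REG_DWORD /d 3 /f >nul
if errorlevel 1 (
  echo Could not write %KEY% - run this from an account with local admin rights
  exit /b 1
)

echo New value:
reg query "%KEY%" /v SupplicantMode

rem The EAPOL code reads this at service start, so in an unattended build run it
rem before the final reboot; on a live machine reboot after the change.
endlocal
exit /b 0
```

On the switch side nothing else needs to change: with `dot1x reauthentication` and `dot1x guest-vlan 666` already on Fa1/0/1, the EAPOL-Start from the booted client is what pulls the port out of the guest VLAN and into a normal RADIUS authentication.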
