02-03-2009 11:20 PM - edited 03-10-2019 04:19 PM
Hello!
How can I configure a WS-3750-24TS-S switch, IOS 12.2(35), to re-authenticate a client on its port with 802.1x? Or how can I teach the switch to understand that a non-802.1x-compliant client on its port has suddenly become 802.1x-compliant???
There is a LAN with RADIUS authentication. GuestVLAN (666) is for remote installation. The client boots from the LAN adapter and gets a Windows XP image installation. After booting Windows XP, the client is still in GuestVLAN and can get out of it only if I shut/no shut its switch port or make it reauthenticate manually from the switch. If no GuestVLAN is enabled on the port, the client with Windows XP authenticates in 802.1x fine.
HELP!!!! please.
P.S.: notes from switch-config
SWITCH (config-if)#do sh run int fa 1/0/1
Building configuration...
Current configuration : 112 bytes
!
interface FastEthernet1/0/1
 switchport access vlan 111
 switchport mode access
 speed 100
 duplex full
 dot1x pae authenticator
 dot1x port-control auto
 dot1x timeout quiet-period 3
 dot1x timeout reauth-period 50
 dot1x timeout tx-period 5
 dot1x max-reauth-req 5
 dot1x reauthentication
 dot1x guest-vlan 666
 spanning-tree portfast
 spanning-tree bpdufilter enable
end
SWITCH (config-if)#do sh run int fa 1/0/24
Building configuration...
Current configuration : 112 bytes
!
interface FastEthernet1/0/24
 switchport access vlan 666
 switchport mode access
end
SWITCH (config-if)#do sh vlan
111 Common active Fa1/0/2, Fa1/0/3, Fa1/0/4, Fa1/0/5
666 test_for_MS_WDS active Fa1/0/1, Gi1/0/24
version 12.2
no service pad
service password-encryption
service sequence-numbers
!
hostname SWITCH
!
enable secret 5 $1$qFPMXYZHQw87HPd7SUpMohXYZQ0
!
aaa new-model
aaa authentication dot1x default group radius local
aaa authorization network default group radius
aaa accounting session-duration ntp-adjusted
aaa accounting dot1x default start-stop group radius
aaa session-id common
system mtu routing 1500
ip subnet-zero
no ip domain-lookup
ip domain-name XXXXXX.local
!
!
!
crypto pki trustpoint TP-self-signed-2731960704
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2731960704
 revocation-check none
 rsakeypair TP-self-signed-2731960704
!
!
dot1x system-auth-control
!
vlan internal allocation policy ascending
!
---
radius-server host 100.100.100.100 auth-port 1645 acct-port 1646
radius-server source-ports 1645-1646
radius-server key 7 0XXX1B675DXXXX17XX06
02-04-2009 06:48 AM
It's probably b/c the MSFT supplicant isn't configured to send EAPOL-Starts by default. This is controlled with registry keys. Could you modify them and make this part of your standard build? That should do the trick.
02-06-2009 02:15 AM
02-06-2009 05:22 AM
Like I said, it's not in the GUI ;-). Look here:
http://www.microsoft.com/technet/network/wired/wiredfaq.mspx
The SupplicantMode key is what you need.
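One way to confirm the diagnosis above from a packet capture taken on the client port, as an added example that is not part of the original thread: it classifies raw Ethernet frames and counts the EAPOL packet types sent by a given MAC address. The MAC addresses and frames are constructed samples, and the function names are hypothetical.

```python
import struct
from collections import Counter

EAPOL_ETHERTYPE = 0x888E   # IEEE 802.1X, EAP over LAN
VLAN_ETHERTYPE = 0x8100    # 802.1Q tag; skipped when present
PAE_GROUP = bytes.fromhex("0180c2000003")  # 802.1X PAE group address
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}


def eapol_type(frame: bytes):
    """Return the EAPOL packet type name of an Ethernet frame, or None if not EAPOL."""
    offset = 12
    if len(frame) < offset + 2:
        return None
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    if ethertype == VLAN_ETHERTYPE and len(frame) >= offset + 6:
        offset += 4  # step over the 4-byte 802.1Q tag
        (ethertype,) = struct.unpack_from("!H", frame, offset)
    if ethertype != EAPOL_ETHERTYPE or len(frame) < offset + 6:
        return None  # not EAPOL, or EAPOL header truncated
    _version, ptype, _length = struct.unpack_from("!BBH", frame, offset + 2)
    return EAPOL_TYPES.get(ptype, f"unknown({ptype})")


def eapol_sent_by(frames, mac: bytes) -> Counter:
    """Count EAPOL packet types whose Ethernet source address is `mac`."""
    return Counter(t for f in frames if f[6:12] == mac and (t := eapol_type(f)))


def eth(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Build a raw Ethernet frame (used only for the constructed samples below)."""
    return dst + src + struct.pack("!H", ethertype) + payload


# Constructed sample data: locally administered MACs, not taken from the thread.
CLIENT = bytes.fromhex("020000000001")
SWITCH = bytes.fromhex("020000000002")
REQ_ID = eth(PAE_GROUP, SWITCH, EAPOL_ETHERTYPE, bytes.fromhex("010000050101000501"))
START = eth(PAE_GROUP, CLIENT, EAPOL_ETHERTYPE, bytes.fromhex("01010000"))
IPV4 = eth(b"\xff" * 6, CLIENT, 0x0800, b"\x45" + b"\x00" * 19)

SILENT_CAPTURE = [IPV4, REQ_ID, IPV4]      # supplicant never sends EAPOL
STARTING_CAPTURE = [IPV4, REQ_ID, START]   # supplicant sends EAPOL-Start

if __name__ == "__main__":
    for name, cap in (("silent", SILENT_CAPTURE), ("starting", STARTING_CAPTURE)):
        print(name, dict(eapol_sent_by(cap, CLIENT)))
```

An empty count for the client's MAC after the OS has booted matches the case described in the reply, where the supplicant sends no EAPOL-Start.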