802.1x port-auth and GuestVlan ~ reauth

SevkoYaroslav
Level 1

Hello!

How can I configure a WS-3750-24TS-S switch running IOS 12.2(35) to re-authenticate a client on its port with 802.1x? Or how can I teach the switch to understand that a non-802.1x-compliant client on its port has suddenly become 802.1x-compliant?

There is a LAN with RADIUS authentication. GuestVLAN (666) is used for remote installation. The client boots from the LAN adapter and gets a Windows XP image installation. After booting the OS, the Windows XP client is still in the GuestVLAN and can get out of it only if I shut/no shut its switch port or make it re-authenticate manually from the switch. If no GuestVLAN is enabled on the port, the client with Windows XP authenticates with 802.1x fine.

Help, please!

P.S.: notes from the switch config

SWITCH (config-if)#do sh run int fa 1/0/1
Building configuration...

Current configuration : 112 bytes
!
interface FastEthernet1/0/1
 switchport access vlan 111
 switchport mode access
 speed 100
 duplex full
 dot1x pae authenticator
 dot1x port-control auto
 dot1x timeout quiet-period 3
 dot1x timeout reauth-period 50
 dot1x timeout tx-period 5
 dot1x max-reauth-req 5
 dot1x reauthentication
 dot1x guest-vlan 666
 spanning-tree portfast
 spanning-tree bpdufilter enable
end

SWITCH (config-if)#do sh run int fa 1/0/24
Building configuration...

Current configuration : 112 bytes
!
interface FastEthernet1/0/24
 switchport access vlan 666
 switchport mode access
end

SWITCH (config-if)#do sh vlan
111  Common            active  Fa1/0/2, Fa1/0/3, Fa1/0/4, Fa1/0/5
666  test_for_MS_WDS   active  Fa1/0/1, Gi1/0/24

version 12.2
no service pad
service password-encryption
service sequence-numbers
!
hostname SWITCH
!
enable secret 5 $1$qFPMXYZHQw87HPd7SUpMohXYZQ0
!
aaa new-model
aaa authentication dot1x default group radius local
aaa authorization network default group radius
aaa accounting session-duration ntp-adjusted
aaa accounting dot1x default start-stop group radius
aaa session-id common
system mtu routing 1500
ip subnet-zero
no ip domain-lookup
ip domain-name XXXXXX.local
!
!
!
crypto pki trustpoint TP-self-signed-2731960704
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2731960704
 revocation-check none
 rsakeypair TP-self-signed-2731960704
!
!
dot1x system-auth-control
!
vlan internal allocation policy ascending
!
---
radius-server host 100.100.100.100 auth-port 1645 acct-port 1646
radius-server source-ports 1645-1646
radius-server key 7 0XXX1B675DXXXX17XX06

3 Replies

jafrazie
Cisco Employee

It's probably b/c the MSFT supplicant isn't configured to send EAPOL-Starts by default. This is controlled with registry keys. Could you modify them and make this part of your standard build? That should do the trick.

Hello!

Thank you for reply!

Did I understand you correctly?

Did I make some wrong settings in the Windows XP TCP properties? (See the attachment, please.)

SevkoYaroslav

Like I said, it's not in the GUI ;-). Look here:

http://www.microsoft.com/technet/network/wired/wiredfaq.mspx

The SupplicantMode key is what you need.
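To make the exchange discussed above concrete, here is an added example (not code from the thread, from Cisco or from Microsoft) that builds and decodes the two frames that matter: the EAPOL-Start a supplicant sends to ask the switch to begin authentication, and the EAP-Request/Identity the switch answers with. The MAC addresses and the fake IPv4 frames in the capture are constructed for the example; EAPOL version 1 framing is assumed, and first_eapol is a deliberately simplified model of the one thing the authenticator keys on: installer traffic (PXE, DHCP, SMB) is not EAPOL, so a port that has fallen into the guest VLAN only gets a new authentication attempt once some EAPOL frame arrives from the client.

```python
import struct
from typing import Optional

# Field values from IEEE 802.1X (EAPOL) and RFC 3748 (EAP).
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # 802.1X PAE group address used on wired LANs
ETHERTYPE_EAPOL = 0x888E
EAPOL_VERSION = 1                                 # 802.1X-2001 framing (assumed; XP-era supplicants)
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY = 1


def eapol_frame(src_mac: bytes, packet_type: int, body: bytes = b"") -> bytes:
    """Ethernet II frame carrying one EAPOL PDU, addressed to the PAE group address."""
    if len(src_mac) != 6:
        raise ValueError("MAC address must be 6 bytes")
    eth = PAE_GROUP_ADDR + src_mac + struct.pack("!H", ETHERTYPE_EAPOL)
    eapol = struct.pack("!BBH", EAPOL_VERSION, packet_type, len(body)) + body
    return eth + eapol


def eapol_start(supplicant_mac: bytes) -> bytes:
    """EAPOL-Start: the empty-bodied frame a supplicant sends to ask the switch to
    (re)start authentication. This is the frame the thread is about."""
    return eapol_frame(supplicant_mac, EAPOL_START)


def eap_request_identity(switch_mac: bytes, identifier: int) -> bytes:
    """The authenticator's answer: EAP-Request/Identity inside an EAPOL EAP-Packet."""
    eap_len = 5                                   # code + id + length(2) + type, no type-data
    eap = struct.pack("!BBHB", EAP_REQUEST, identifier & 0xFF, eap_len, EAP_TYPE_IDENTITY)
    return eapol_frame(switch_mac, EAPOL_EAP_PACKET, eap)


def parse_eapol(frame: bytes) -> dict:
    """Decode an EAPOL frame; for EAP-Packets also decode the EAP header. Rejects
    non-EAPOL, truncated or length-inconsistent input instead of guessing."""
    if len(frame) < 18:
        raise ValueError("too short for Ethernet + EAPOL headers")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError("ethertype 0x%04x is not EAPOL" % ethertype)
    version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]
    if len(body) != body_len:
        raise ValueError("EAPOL body truncated")
    info = {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"),
            "version": version, "type": ptype}
    if ptype == EAPOL_EAP_PACKET:
        if body_len < 4:
            raise ValueError("EAP header truncated")
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        if eap_len < 4 or eap_len > body_len:
            raise ValueError("EAP length field inconsistent with EAPOL body")
        info.update(eap_code=code, eap_id=ident)
        if code in (EAP_REQUEST, EAP_RESPONSE) and eap_len >= 5:
            info["eap_type"] = body[4]
            info["eap_data"] = body[5:eap_len]
    return info


def first_eapol(frames) -> Optional[int]:
    """Index of the first EAPOL frame a port saw, or None. Simplified model of what
    the authenticator reacts to: PXE/TFTP/DHCP/SMB traffic from the installer is not
    EAPOL and never starts 802.1X; only an EAPOL frame (normally EAPOL-Start) does."""
    for i, fr in enumerate(frames):
        if len(fr) >= 14 and struct.unpack("!H", fr[12:14])[0] == ETHERTYPE_EAPOL:
            return i
    return None


if __name__ == "__main__":
    client = bytes.fromhex("001122334455")        # constructed MAC addresses
    switch = bytes.fromhex("00aabbccddee")
    # Constructed stand-in for the installer's broadcast IP traffic (ethertype 0x0800).
    ipv4 = bytes.fromhex("ffffffffffff") + client + b"\x08\x00" + b"\x45" + b"\x00" * 19
    capture = [ipv4, ipv4, eapol_start(client), eap_request_identity(switch, 7)]
    print("first EAPOL frame at index", first_eapol(capture))
    for fr in capture[2:]:
        print(parse_eapol(fr))
```

Run against a real port with a packet capture on the client side: if the only frames after the OS comes up are IP traffic and no EAPOL-Start ever appears, the supplicant, not the switch, is the side that needs changing.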
