802.1x port authentication with Windows XP SP3

Unanswered Question
Mar 12th, 2009

I have a Cisco 1812W router. Multiple VLANs are configured. For brevity, VLAN 10 is for authenticated users and VLAN 99 is for guests/unauthenticated users.

One of the LAN ports of the router connects to a Windows XP SP3 Prof. It is for guest and authenticated users. The idea is that the desktop will be in VLAN 99 unless an authenticated user logs in. The authenticated user is supposed to go into VLAN 10 which would be assigned through the RADIUS server. If the user logs off again, the desktop should go back into VLAN 99.

The configuration of the port is as follows:

interface FastEthernet8
 switchport access vlan 99
 dot1x pae authenticator
 dot1x port-control auto
 dot1x auth-fail vlan 99
 dot1x auth-fail max-attempts 1
 dot1x guest-vlan 99

Authentication through RADIUS is properly configured and works. The RADIUS server only authenticates users, not computers. 802.1x authentication is enabled on the NIC in the desktop.

The computer boots and tries to authenticate as a computer, which is rejected by the RADIUS server. debug dot1x on the router shows that it receives the reject from the RADIUS server, handles the authentication failure, assigns VLAN 99 to the port and sends an auth_success to the desktop to make it initiate DHCP. The desktop gets an IP address from the VLAN 99 DHCP server and everything is O.K. so far. If a guest logs in, the port remains in VLAN 99.

Now the problem: if, after booting up, an authenticated user logs into the computer, Windows tries to authenticate on the port using the user credentials instead of computer authentication. Windows seems to send EAPOL-Start messages for this.

debug dot1x log on the router shows that the router receives these messages but drops them:

dot1x-packet:Dropping EAPOL-Start packet on interface FastEthernet8

So it seems that the router won't accept another EAPOL-Start after it has run the auth-fail procedure.

If the user remains logged in and I enter "clear dot1x interface fastEthernet 8" on the router in EXEC mode, the whole authentication process starts from the beginning and the port is properly authenticated into VLAN 10. The RADIUS server and the VLAN assignments are working properly. If the user logs off, the port is then also correctly reassigned to VLAN 99. But if the authenticated user logs in again, same problem as before.

If I read the 802.1X standard correctly, sending an EAPOL-Start on a port which has already been authenticated (as that's the state on the Windows side) is standard compliant and should cause a restart of the authentication.

Is there a way to get this setup working properly?
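The symptom described above (auth-fail VLAN assigned, then every later EAPOL-Start silently dropped) is easy to miss in a long debug session. The following script is an added example, not part of the original post and not Cisco software: it scans "debug dot1x" output, correlates auth-fail VLAN assignment with subsequent dropped EAPOL-Start frames per interface, and lists the ports that are stuck, together with the "clear dot1x interface" workaround the post already uses. Only the "Dropping EAPOL-Start packet on interface ..." line format comes from the post; the auth-fail VLAN message, the EAP Fail message and the interface FastEthernet7 are constructed stand-ins and are labelled as such in the code.

```python
import re
from collections import defaultdict

# Constructed sample of "debug dot1x" output. Only the "Dropping EAPOL-Start"
# line format is taken from the original post; every line marked
# "(constructed)" is a made-up stand-in and is NOT real IOS debug output.
SAMPLE_DEBUG_LOG = """\
dot1x-ev:Received an EAP Fail from RADIUS for FastEthernet8 (constructed)
dot1x-ev:Auth-fail VLAN 99 assigned on interface FastEthernet8 (constructed)
dot1x-packet:Dropping EAPOL-Start packet on interface FastEthernet8
dot1x-packet:Dropping EAPOL-Start packet on interface FastEthernet8
dot1x-packet:Dropping EAPOL-Start packet on interface FastEthernet8
dot1x-ev:Auth-fail VLAN 99 assigned on interface FastEthernet7 (constructed)
dot1x-packet:Dropping EAPOL-Start packet on interface FastEthernet7
"""

# Line format from the post.
DROP_RE = re.compile(r"Dropping EAPOL-Start packet on interface (\S+)")
# Constructed (hypothetical) format for the auth-fail VLAN event.
AUTHFAIL_RE = re.compile(r"Auth-fail VLAN (\d+) assigned on interface (\S+)")


def analyse(log_text, drop_threshold=2):
    """Return {interface: state} for every port that was placed in the
    auth-fail VLAN and afterwards dropped at least drop_threshold
    EAPOL-Start frames: a supplicant is asking to restart authentication
    and the authenticator is refusing. Ports that dropped nothing, or
    that never entered the auth-fail VLAN, are not reported."""
    state = defaultdict(lambda: {"auth_fail_vlan": None, "dropped_starts": 0})
    for line in log_text.splitlines():
        m = AUTHFAIL_RE.search(line)
        if m:
            vlan, intf = m.groups()
            # A fresh auth-fail assignment starts a new observation window.
            state[intf]["auth_fail_vlan"] = int(vlan)
            state[intf]["dropped_starts"] = 0
            continue
        m = DROP_RE.search(line)
        if m:
            state[m.group(1)]["dropped_starts"] += 1
    return {
        intf: s for intf, s in state.items()
        if s["auth_fail_vlan"] is not None and s["dropped_starts"] >= drop_threshold
    }


def remediation_commands(stuck_ports):
    """Build the EXEC command the post uses as a manual workaround, one per
    stuck interface, so an operator can review them before applying."""
    return [f"clear dot1x interface {intf}" for intf in sorted(stuck_ports)]


if __name__ == "__main__":
    stuck = analyse(SAMPLE_DEBUG_LOG)
    for intf, s in stuck.items():
        print(f"{intf}: in auth-fail VLAN {s['auth_fail_vlan']}, "
              f"{s['dropped_starts']} EAPOL-Start frames dropped")
    for cmd in remediation_commands(stuck):
        print(cmd)
```

The threshold exists because a single dropped EAPOL-Start right after the auth-fail assignment can be a retransmit from the supplicant; repeated drops over time are the signature of a port that will never leave the guest VLAN without a manual reset. Feed the script the saved output of a real debug session instead of the constructed sample to use it on a live router.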

mattkaya56 Thu, 03/12/2009 - 14:16

Authenticated VLAN in your setup appears to be provisioned by Radius using a Radius Tunnel attribute & Auth fail VLAN by the switch - Is this correct?

Gerald Vogt Thu, 03/12/2009 - 15:10

Correct. In the current setup the RADIUS server assigns VLANs (there are other VLANs) with any successful authentication.

Before that, I tested a setup with "switchport access vlan 10" to put the main group of authenticated users into VLAN 10 and only assign the other authenticated VLANs by RADIUS. But this test setup has the same issues.

I have also tested setting up the RADIUS server to accept any authentication request and assign the guest VLAN in the default rule of the RADIUS server. This, too, did not work. Same problem. If someone logs in on the desktop, the router will drop the EAPOL-Start packet for the user authentication on the previously guest-authenticated port.

mattkaya56 Thu, 03/12/2009 - 18:40

If machine/computer authentication has taken place via 802.1x, the port is already in open state. Could you try to repair the network connection to see if the user is authenticated (on the right VLAN)?

Gerald Vogt Thu, 03/12/2009 - 19:58

As I've mentioned before, anything which puts the port back into its initial state will result in the correct VLAN authentication. You can clear authentication on the router, you can unplug the cable. Repair would also work as it takes the network card offline for a moment. Of course, people don't have permission to repair the connection on the computer. They have limited user accounts. And it is no solution to the problem.
