I have a Cisco 1812W router. Multiple VLANs are configured. For brevity, VLAN 10 is for authenticated users and VLAN 99 is for guests/unauthenticated users.
One of the LAN ports of the router connects to a Windows XP SP3 Prof. It is for guest and authenticated users. The idea is that the desktop will be in VLAN 99 unless an authenticated user logs in. The authenticated user is supposed to go into VLAN 10 which would be assigned through the RADIUS server. If the user logs off again, the desktop should go back into VLAN 99.
The configuration of the port (FastEthernet8) is as follows:
interface FastEthernet8
 switchport access vlan 99
 ! port acts as 802.1X authenticator, access decided per authentication
 dot1x pae authenticator
 dot1x port-control auto
 ! after one failed attempt the port is parked in VLAN 99
 dot1x auth-fail vlan 99
 dot1x auth-fail max-attempts 1
 ! clients without a supplicant also land in VLAN 99
 dot1x guest-vlan 99
Authentication through RADIUS is properly configured and works. The RADIUS server only authenticates users, not computers. 802.1X authentication is enabled on the NIC in the desktop.
The computer boots and tries to authenticate as a computer, which is rejected by the RADIUS server. debug dot1x on the router shows that it receives the reject from the RADIUS server, handles the authentication failure, assigns VLAN 99 to the port and sends an auth_success to the desktop to make it initiate DHCP. The desktop gets an IP address from the VLAN 99 DHCP server and everything is O.K. so far. If a guest logs in, the port remains in VLAN 99.
Now the problem: if after booting up an authenticated user logs into the computer, Windows tries to authenticate on the port using the user credentials instead of computer authentication. Windows seems to send EAPOL-start messages for this.
debug dot1x log on the router shows that the router receives these messages but drops them:
dot1x-packet:Dropping EAPOL-Start packet on interface FastEthernet8
So it seems that the router won't accept another EAPOL-Start after it has run the auth-fail procedure.
If the user remains logged in and I enter "clear dot1x interface fastEthernet 8" on the router in EXEC mode, the whole authentication process starts from the beginning and the port is properly authenticated into VLAN 10. The RADIUS server and the VLAN assignments are working properly. If the user logs off, the port is also correctly reassigned to VLAN 99. But if the authenticated user logs in again, same problem as before.
If I read the 802.1X standard correctly, sending an EAPOL-Start on a port which has already been authenticated (as that's the state on the Windows side) is standard compliant and should cause a restart of the authentication.
Is there a way to get this setup working properly?
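To make the sequence in the question easier to reason about, here is a small Python model of the port behaviour it describes. This is an added example, not Cisco code and not a description of how IOS implements 802.1X internally: it encodes only what the post reports (an authenticated or connecting port restarts on EAPOL-Start; a port parked in the auth-fail VLAN drops EAPOL-Start until `clear dot1x` is issued; after a user logoff Windows attempts computer authentication again, which is rejected). The VLAN numbers, interface name and max-attempts value are taken from the post; the state names, event names and the `Port` class are this example's own assumptions.

```python
"""Toy model of the 802.1X authenticator port behaviour described in the post.

Added illustration, not Cisco code. State and event names are invented for
the example; VLAN ids and max-attempts come from the posted configuration.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

GUEST_VLAN = 99         # `dot1x guest-vlan 99` / `dot1x auth-fail vlan 99`
USER_VLAN = 10          # VLAN the RADIUS server assigns to an authenticated user
MAX_FAIL_ATTEMPTS = 1   # `dot1x auth-fail max-attempts 1`


@dataclass
class Port:
    name: str = "FastEthernet8"
    # CONNECTING, AUTHENTICATING, AUTHENTICATED or AUTH_FAIL_VLAN (example's own names)
    state: str = "CONNECTING"
    vlan: Optional[int] = None
    failures: int = 0
    log: List[str] = field(default_factory=list)

    def _note(self, msg: str) -> None:
        self.log.append(f"{self.name}: {msg}")

    def eapol_start(self) -> None:
        """Supplicant asks to (re)authenticate."""
        if self.state == "AUTH_FAIL_VLAN":
            # Behaviour observed in the post: once parked in the auth-fail
            # VLAN the router drops further EAPOL-Start frames.
            self._note("Dropping EAPOL-Start packet")
            return
        # On a connecting or authenticated port EAPOL-Start restarts the exchange.
        self.state = "AUTHENTICATING"
        self._note("EAPOL-Start accepted, authenticating")

    def radius_result(self, accepted: bool, vlan: Optional[int] = None) -> None:
        """Apply the RADIUS Access-Accept / Access-Reject to the port."""
        if self.state != "AUTHENTICATING":
            raise RuntimeError("no authentication in progress")
        if accepted:
            self.state, self.failures, self.vlan = "AUTHENTICATED", 0, vlan
            self._note(f"Access-Accept, VLAN {vlan}")
            return
        self.failures += 1
        if self.failures >= MAX_FAIL_ATTEMPTS:
            # auth-fail VLAN: the port is authorised into the fallback VLAN and
            # the supplicant is told "success" so that it starts DHCP.
            self.state, self.vlan = "AUTH_FAIL_VLAN", GUEST_VLAN
            self._note(f"Access-Reject, max-attempts reached, VLAN {GUEST_VLAN}")
        else:
            self.state = "CONNECTING"
            self._note("Access-Reject, retrying")

    def eapol_logoff(self) -> None:
        """Supplicant logs off: the port falls back to the guest VLAN."""
        self.state, self.vlan = "CONNECTING", GUEST_VLAN
        self._note(f"EAPOL-Logoff, VLAN {GUEST_VLAN}")

    def clear_dot1x(self) -> None:
        """Operator runs `clear dot1x interface <name>`: full re-initialisation."""
        self.state, self.failures, self.vlan = "CONNECTING", 0, None
        self._note("cleared, re-initialising")


def replay_post_scenario() -> Tuple[List[Optional[int]], List[str]]:
    """Replay the sequence from the post; return the VLAN after each step and the log."""
    port, trace = Port(), []
    port.eapol_start(); port.radius_result(False)   # boot: computer auth rejected
    trace.append(port.vlan)                         # parked in VLAN 99
    port.eapol_start()                              # user logs in -> EAPOL-Start dropped
    trace.append(port.vlan)                         # still VLAN 99
    port.clear_dot1x(); port.eapol_start()          # operator clears the port
    port.radius_result(True, USER_VLAN)             # user auth succeeds
    trace.append(port.vlan)                         # VLAN 10
    port.eapol_logoff()                             # user logs off
    trace.append(port.vlan)                         # back to VLAN 99
    port.eapol_start(); port.radius_result(False)   # Windows retries computer auth
    trace.append(port.vlan)                         # parked in VLAN 99 again
    port.eapol_start()                              # user logs in again -> dropped
    trace.append(port.vlan)                         # same problem as before
    return trace, port.log


if __name__ == "__main__":
    vlans, log = replay_post_scenario()
    print(vlans)
    print("\n".join(log))
```

The model makes the stuck condition explicit: every path back into VLAN 99 that goes through a rejected computer authentication ends in the state where EAPOL-Start is ignored, and only the operator's `clear dot1x` leaves it. A port that spends a long time in that state while a real user is logged in is worth alerting on, since the guest VLAN is not where an authenticated user should be working.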