802.1x

Unanswered Question
Jul 28th, 2009

I am doing NAP with 802.1X enforcement. I set the guest VLAN and the auth-fail VLAN, configured 802.1X port-based authentication on the Cisco 3550 switch, and configured the standard RADIUS attributes Tunnel-Medium-Type, Tunnel-Pvt-Group-ID, and Tunnel-Type. The authentication method is EAP-MSCHAP v2. The authentication mode is user authentication.


Question 1: When I log on to the NAP client, which is a domain computer, and input the domain password, that is OK and the client obtains the correct IP normally. But when I input a local username and password, the NAP client obtains a 169 IP. Sometimes I must input the commands ipconfig /release and ipconfig /renew before the client obtains a restricted VLAN IP. When the client fails authentication, it should immediately obtain an auth-fail VLAN IP. Why must I input ipconfig /release and ipconfig /renew? How do I solve it?

Question 2: A workgroup computer inputs a username and password and the client fails authentication. It should immediately obtain an auth-fail VLAN IP, but I must also manually run ipconfig /release and ipconfig /renew before the client obtains a restricted VLAN IP.

Why? How do I solve it?

Question 3: There is no SCCM server; I only deploy an NPS server, a WSUS server, a DC and so on. If a client has not installed the new patches that are on the WSUS server, is the client put in the restricted VLAN?

Thanks.

jafrazie (Cisco Employee) Tue, 07/28/2009 - 21:50

I assume in Q1/2 that you are just failing 1X auth, right? Can you confirm the port is enabled in the auth-fail-vlan in a timely manner? FYI, 802.1X is async with things like DHCP in Windows.


WRT Q3, that's my understanding as well, though it's a configurable choice in NPS AFAIK.


lss_ingli Thu, 07/30/2009 - 06:42

I find the port in the auth-fail VLAN, but it doesn't get an IP. Why? Thanks!

jafrazie (Cisco Employee) Thu, 07/30/2009 - 06:45

Sorry, can't tell from the current description. A few things to remember:


1) 802.1X and DHCP are asynchronous in Windows (meaning one has nothing to do with the other on the client).


2) The port isn't "up" until it's "authorized", and being placed in the auth-fail VLAN is a valid authorization if you configured it.


3) There's no signal from the switch to the client to say "instead of denying you all access, I'm going to enable the port anyway and place you in this VLAN", hence reliance on #1 above essentially.


Hope this helps,
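As an added illustration of the interaction described in this thread (not configuration from the original posts, nor from the poster's switch or Cisco's documentation): a Catalyst 3550-style port configuration that enables the guest and auth-fail VLANs, honours the VLAN attributes returned by NPS, and keeps the 802.1X timers short so the port is authorized into the auth-fail VLAN while the Windows DHCP client is still retrying rather than after it has already fallen back to a 169.254.x.x (APIPA) address. The VLAN numbers, the interface name, the RADIUS server address and key, and the timer values are all assumptions chosen for the example.

```cisco
! Added example; VLAN IDs, interface, RADIUS host/key and timer values are assumed.
aaa new-model
aaa authentication dot1x default group radius
! "aaa authorization network" is what lets the switch act on the RADIUS
! Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID attributes
! (dynamic VLAN assignment) that NPS returns on a successful authentication.
aaa authorization network default group radius
radius-server host 10.0.0.5 auth-port 1812 acct-port 1813 key RadiusSecret
dot1x system-auth-control
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 dot1x port-control auto
 ! Client that never answers EAPOL (no supplicant): moved here after
 ! (max-reauth-req + 1) EAP-Request/Identity frames, tx-period seconds apart.
 dot1x guest-vlan 20
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 ! Client whose credentials are rejected by NPS: moved here after
 ! max-attempts failed EAP exchanges. Until then the port stays
 ! unauthorized and the client's DHCP Discover is dropped.
 dot1x auth-fail vlan 30
 dot1x auth-fail max-attempts 3
!
! Verification (show commands, not part of the running config):
!   show dot1x interface FastEthernet0/1   -> PortStatus AUTHORIZED, auth-fail VLAN active
!   show vlan brief                        -> Fa0/1 listed under VLAN 30
```

The switch side only decides when the port becomes authorized; nothing tells the Windows DHCP client that this has happened. If the client has already given up and self-assigned an APIPA address before the port lands in VLAN 30, it keeps that address until its next periodic retry or a manual `ipconfig /renew`, which is exactly the behaviour reported above. Shortening the timers narrows that window; it does not close it.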
