Unanswered Question
Jul 28th, 2009

I am doing NAP with 802.1X enforcement. I set the guest VLAN and auth-fail VLAN, set the port to 802.1X authentication on the Cisco 3550 switch, and configured the RADIUS standard attributes Tunnel-Medium-Type, Tunnel-Pvt-Group-ID, and Tunnel-Type. The authentication method is EAP-MSCHAP v2. The authentication mode is user authentication.

Question 1: When I log on to the NAP client, which is a domain computer, and input the domain password, that is OK and the client obtains the corresponding correct IP normally. But when I input a local username and password, the NAP client obtains a 169 IP. Sometimes I must run ipconfig /release and ipconfig /renew before the client can obtain a restricted VLAN IP. When the client fails authentication, it should immediately obtain an auth-fail VLAN IP. Why must I run ipconfig /release and ipconfig /renew? How do I solve it?

Question 2: When a group computer inputs a user name and password and the client fails authentication, it should immediately obtain an auth-fail VLAN IP, but I must also manually run ipconfig /release and ipconfig /renew before the client can obtain a restricted VLAN IP.

Why? How do I solve it?

Question 3: There is no SCCM server; I only deploy an NPS server, WSUS server, DC and so on. If a client hasn't installed the new patches that are on the WSUS server, is the client put in the restricted VLAN?


jafrazie Tue, 07/28/2009 - 21:50

I assume in Q1/2 that you are just failing 1X auth, right? Can you confirm the port is enabled in the auth-fail-vlan in a timely manner? FYI, 802.1X is async with things like DHCP in Windows.

WRT Q3, that's my understanding as well, though it's a configurable choice in NPS AFAIK.

lss_ingli Thu, 07/30/2009 - 06:42

I find the port in the auth-fail VLAN, but it doesn't get an IP. Why? Thanks!

jafrazie Thu, 07/30/2009 - 06:45

Sorry, can't tell from the current description. A few things to remember:

1) 802.1X and DHCP are async with Windows (meaning one has nothing to do with the other on the client).

2) The port isn't "UP" until it's "authorized", and the Auth-Fail-VLAN being deployed is a valid authorization if you configured it.

3) There's no signal from the switch to the client to say "instead of denying you all access, I'm going to enable the port anyway and place you in this VLAN", hence reliance on #1 above essentially.

Hope this helps,
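To make the timing point in the reply above concrete, here is an added model (my own example, not code from the thread or from Cisco) of the race between the switch deploying the auth-fail VLAN and the Windows DHCP client giving up and falling back to a 169.254.x.x address. The timer values are assumptions based on common defaults: dot1x auth-fail max-attempts 3, dot1x timeout quiet-period 60 s, and a Windows DHCP client that retries DISCOVER for about 60 s, then self-assigns APIPA and retries every 5 minutes; verify the real values with "show dot1x interface" on the switch.

```python
# Added example: models why a failed 802.1X client sits on a 169.254 address
# until ipconfig /renew, and how shortening the switch timers closes the gap.
# All timer values below are assumptions, not figures taken from the thread.


def auth_fail_vlan_ready(max_attempts=3, quiet_period=60, eap_exchange=2):
    """Seconds after link-up until the port is authorized into the
    auth-fail VLAN: each failed EAP exchange (assumed ~2 s) is followed by
    a quiet period, and the VLAN is deployed only after the last failure."""
    return max_attempts * eap_exchange + (max_attempts - 1) * quiet_period


def dhcp_cycle_starts(give_up=60, retry_interval=300, horizon=900):
    """Times (s) at which the Windows DHCP client starts a DISCOVER cycle:
    one cycle at link-up, then (after APIPA fallback) one every
    retry_interval seconds. Each cycle lasts give_up seconds."""
    starts = [0]
    t = give_up + retry_interval
    while t <= horizon:
        starts.append(t)
        t += retry_interval
    return starts


def first_lease_time(ready, cycles, give_up=60):
    """First moment a DISCOVER cycle overlaps an authorized port, i.e. when
    the client would get an auth-fail VLAN lease without manual /renew."""
    for start in cycles:
        if start + give_up >= ready:
            return max(start, ready)
    return None  # no cycle within the horizon reached an authorized port


def apipa_gap(max_attempts=3, quiet_period=60, give_up=60):
    """Seconds the client spends on a 169.254 address (0 means it never
    needs ipconfig /renew) for the given switch timers."""
    ready = auth_fail_vlan_ready(max_attempts, quiet_period)
    lease = first_lease_time(ready, dhcp_cycle_starts(give_up), give_up)
    return lease - ready


if __name__ == "__main__":
    # Defaults: auth-fail VLAN ready at 126 s, first DHCP retry at 360 s.
    print("default timers, seconds stuck on APIPA:", apipa_gap())
    # Tightened: dot1x auth-fail max-attempts 1, quiet-period 10 -> no gap.
    print("tightened timers:", apipa_gap(max_attempts=1, quiet_period=10))
```

The model shows the behaviour the original poster describes: with default timers the port becomes authorized after the DHCP client has already fallen back to APIPA, so the address only appears at the next retry or after a manual renew.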
