PEAP w/ Windows 7

Unanswered Question
Jul 22nd, 2010

Cisco Wireless LAN Controller v4.2.207.0
Microsoft IAS w/ PEAP
Dynamic VLAN switching
Windows 7

Computer boots up, authenticates with wireless network using computer credentials. Based on RADIUS policy, computer is assigned to VLAN 10. Computer grabs IP and waits at Ctrl+Alt+Del screen. User logs in, computer authenticates using user credentials. Based on RADIUS policy, computer is assigned to VLAN 20. Group Policy and Login Scripts process.

The problem is that sometimes the GPOs and scripts don't run properly.

I started a continuous ping to the computer IP before user authentication and to the computer IP after user authentication. I can see that the computer boots up in VLAN 10 with IP address. The IP in VLAN 20 isn't responding to pings yet.

After the user authenticates, the computer loses its IP momentarily, then regains its original IP address (in VLAN 10, not VLAN 20). RADIUS, by this time, has reported that the user has authenticated successfully, which assigns the computer its new VLAN at that time, but the computer doesn't get it quite yet. The computer then loses its VLAN 10 IP address again, and then regains its VLAN 20 IP address. It appears that the computer/user authenticates with RADIUS in this order: Computer (prelogin), User (after typing user/pass and pressing "Enter"), Computer, User... I don't understand why it's passing the Computer credentials to RADIUS after it's already logging in as a user, but that appears to be messing up the login sequence.

The problem is that this weird release/renewal of the IP is preventing login scripts and GPOs from running sometimes. I thought all of these quirky Dynamic VLAN Switching issues were to have been resolved in Windows 7.

I've tried updating NIC drivers to no avail. My temporary workaround is to set the wireless policy to only use user authentication. This means that before the user logs in, the PC has no IP address at all. After they type their login/password and hit enter, the computer authenticates with RADIUS, gets assigned a VLAN and gets an IP address in VLAN 20. This assignment of the IP address in VLAN 20 takes place much faster than when the computer is first assigned to a different VLAN, VLAN 10.

I'd like the computer to have an IP address before login so startup scripts can run and so we can remotely support and manage the devices if they aren't being used, but are still online. Any ideas? I'd like to determine if the problem lies with the WLC or not.
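As an added illustration (not from the original post, nor Cisco's or Microsoft's documentation), this is the Windows 7 wireless profile setting that separates the two behaviours described above: `authMode` inside the profile's OneX element selects machine-or-user authentication (the original setup, machine credentials before logon and user credentials after) or user-only authentication (the poster's workaround). The profile name, SSID and the elided PEAP `EAPConfig` content are placeholders.

```xml
<?xml version="1.0"?>
<!-- Added example: a Windows 7 WLAN profile skeleton, not the poster's own config.
     Profile name and SSID are placeholders; the PEAP EAPConfig element is elided. -->
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CORP-WLAN</name>                                  <!-- placeholder -->
  <SSIDConfig><SSID><name>CORP-WLAN</name></SSID></SSIDConfig>  <!-- placeholder -->
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA2</authentication>
        <encryption>AES</encryption>
        <useOneX>true</useOneX>
      </authEncryption>
      <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
        <!-- Original setup: machine credentials before logon (VLAN 10),
             then user credentials after logon (VLAN 20). -->
        <authMode>machineOrUser</authMode>
        <!-- Poster's workaround: user credentials only, so the PC has no
             IP address until someone logs on. Replace the line above with:
             <authMode>user</authMode> -->
        <EAPConfig><!-- PEAP (EAP type 25) configuration goes here --></EAPConfig>
      </OneX>
    </security>
  </MSM>
</WLANProfile>
```

Import the file locally with `netsh wlan add profile filename="corp-wlan.xml"` and check the result with `netsh wlan show profile name="CORP-WLAN"`; when the setting is pushed by a domain Wireless Network (IEEE 802.11) Policy instead, the same choice appears as the profile's authentication mode.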

b.gamble Tue, 05/31/2011 - 03:50

I believe so.

TAC suggested I disable Aironet IE extensions and client exclusion. I also set the SSID to broadcast.

On WinXP machines we still don't implement the Dynamic VLAN Switching. We still use PEAP however, and the only hurdle we came across was the machine password expiring every 30 days. As a workaround we set the machine password to expire every 999 days. This made all the difference.