802.1X dynamic VLAN assignment DHCP issue (Vista client)

Unanswered Question
Apr 18th, 2011

I am labbing dynamic VLAN assignment and have run into a small problem. The switchport is successfully changing to the new VLAN, but my test PC seems to get an IP address in the native data VLAN before being moved to the new dynamically assigned VLAN. So when the switch changes the VLAN the PC keeps its old IP address and nothing talks any more.

Is this a Vista issue? I thought all of these problems were just issues in XP? Do I need to tweak any interface dot1x timers?

(Cat3750 with 12.2.55 / ACS5.1.  Everything else is running fine by the way.)

Tiago Antunes Mon, 04/18/2011 - 07:34
User Badges: Cisco Employee

Hi Nicolas,

It is strange that the PC gets an IP address in the default VLAN if the VLAN changes.

Are you sure the VLAN on the switchport is changing as you expect?

If you do "sh run int", do you see the VLAN you expect?

When your PC gets the IP, are you sure it is getting it from the DHCP server or can it be just keeping its old IP?

Do you have a DHCP server in the VLAN where you expect the PC to fall into after authentication?

If the VLAN assignment is working correctly, then the client PC traffic will only traverse the port after the Access-Accept is received containing the new VLAN, and the DHCP Discovery will flow only on the new VLAN, not the default VLAN.

Can you take a sniffer trace spanning the port of the client PC so that we can see in fact what is happening?

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Nicholas Poole Tue, 04/19/2011 - 02:29

If I do a show run on the switchport the config hasn't changed, but I don't expect it to, as it's not a permanent config change that you would want to be saved by a different admin user saving the config. You can see the debug report it is changing the VLAN:

Apr 19 09:22:56.263: %AUTHMGR-5-START: Starting 'dot1x' for client (0014.c209.896f) on Interface Gi1/0/19 AuditSessionID C0A8FE250000000900291476
Apr 19 09:22:58.604: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/19, changed state to up
Apr 19 09:22:59.560: %DOT1X-5-SUCCESS: Authentication successful for client (0014.c209.896f) on Interface Gi1/0/19 AuditSessionID
Apr 19 09:22:59.568: %AUTHMGR-5-VLANASSIGN: VLAN 12 assigned to Interface Gi1/0/19 AuditSessionID C0A8FE250000000900291476
Apr 19 09:22:59.585: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan12, changed state to up
Apr 19 09:23:00.307: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/19, changed state to up
Apr 19 09:23:00.315: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0014.c209.896f) on Interface Gi1/0/19 AuditSessionID C0A8FE250000000900291476

As well as checking with the show int switchport command, and it is in v12, which is the dynamically assigned VLAN.

DHCP server is the Cat3750 for all local VLANs.

Nicholas Poole Tue, 04/19/2011 - 03:33

Well, I solved this issue: the Cat 3750 DHCP server was screwed. I removed the pool and added it again and it worked. However, now it is working, it still seems odd that the client can pick up an IP address of the original VLAN before the switchover happens (I have a feeling this might be AD/GPO intentional but I'm not sure), but the point is the client does now change to a new IP address as the DHCP server is now working!

Thanks for the input.
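
Added example, not part of any post in this thread: a Python script that reads the syslog lines posted above and checks, per access port, whether %AUTHMGR-5-VLANASSIGN was logged before line protocol came up, which is the ordering the first reply describes. The function names are hypothetical, and the sample input is the log output copied from the thread.

```python
import re
from datetime import datetime

# Sample input: the switch log lines as posted in the thread.
SAMPLE = """\
Apr 19 09:22:56.263: %AUTHMGR-5-START: Starting 'dot1x' for client (0014.c209.896f) on Interface Gi1/0/19 AuditSessionID C0A8FE250000000900291476
Apr 19 09:22:58.604: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/19, changed state to up
Apr 19 09:22:59.560: %DOT1X-5-SUCCESS: Authentication successful for client (0014.c209.896f) on Interface Gi1/0/19 AuditSessionID
Apr 19 09:22:59.568: %AUTHMGR-5-VLANASSIGN: VLAN 12 assigned to Interface Gi1/0/19 AuditSessionID C0A8FE250000000900291476
Apr 19 09:22:59.585: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan12, changed state to up
Apr 19 09:23:00.307: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/19, changed state to up
Apr 19 09:23:00.315: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0014.c209.896f) on Interface Gi1/0/19 AuditSessionID C0A8FE250000000900291476
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:.]+): %(\w+)-\d-(\w+): (.*)$")
# Physical ports only; the log uses both the short and long interface name.
PORT = re.compile(r"Interface (?:GigabitEthernet|Gi)(\d+/\d+/\d+)")

def port_timeline(log_text):
    """Return {port: {event_name: datetime, 'vlan': int}} from switch syslog."""
    ports = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        stamp, facility, mnemonic, msg = m.groups()
        p = PORT.search(msg)
        if not p:
            continue  # skips SVI lines such as "Interface Vlan12"
        when = datetime.strptime(stamp, "%b %d %H:%M:%S.%f")
        entry = ports.setdefault("Gi" + p.group(1), {})
        if facility == "LINEPROTO" and msg.endswith("to up"):
            entry["lineproto_up"] = when
        elif facility == "AUTHMGR" and mnemonic == "VLANASSIGN":
            entry["vlan_assigned"] = when
            entry["vlan"] = int(re.search(r"VLAN (\d+)", msg).group(1))
        elif facility == "AUTHMGR" and mnemonic == "START":
            entry["auth_start"] = when
    return ports

def vlan_set_before_line_protocol(entry):
    """True when VLANASSIGN was logged before line protocol came up."""
    return ("vlan_assigned" in entry and "lineproto_up" in entry
            and entry["vlan_assigned"] < entry["lineproto_up"])

if __name__ == "__main__":
    for port, entry in port_timeline(SAMPLE).items():
        print(port, entry.get("vlan"), vlan_set_before_line_protocol(entry))
```

A port where this check returns False on a real log is one to look at with the sniffer trace suggested in the first reply.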

