Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

[802.1x for dynamic vlan assignment] win2k support

hi...

does anyone know if 802.1x is a protocol (or frame interpretation rather) that is supported on win2000 for any nic?

is there a minimum OS and NIC requirement to able to dynamically assign VLANs based on user by using 802.1x?

regards,

c.

14 REPLIES
New Member

Re: [802.1x for dynamic vlan assignment] win2k support

Microsoft has released an 802.1X supplicant for windows 2000, and I have some basic instructions on setting up a 2k client that I wrote up at http://www.missl.cs.umd.edu/Projects/wireless/2kclient/2kclient.html Any card that has an NDIS5 compatible driver with windows 2000 will work fine. I've tested orinoco, spectrum24, cisco and linksys cards, worked fine. Some prismII cards that didn't have newer drivers did not - but will once the drivers get updated. I'll leave the vlan question to someone else ... -mike

New Member

Re: [802.1x for dynamic vlan assignment] win2k support

let me know if you find anyone who has ever gotten this to work in a wired network. Here's where I'm at. I if reboot the machine, dynamic vlan assignment works fine, except that I need to use roaming profiles and login scripts. Therefore I don't have a dhcp address until I login and the port authenticates. I am told to solve this problem, I need machine authentication to work, that way when the machine come on, it will authenticate, then when the user logs in, it will , in theory, reauthenticate with users credentials, access roaming profiles with ip address from machine vlan, then get new vlan, log user in, release old ip address from machine vlan and get new ipaddress from new vlan, (although I have a case open with microsoft and they haven't verified that this actually works). I can't get machine to authenticate. Apparently when my machines try to authenticate, they send only the host/computer, while acs3.2 is looking for host/computer.domain format, therefore it fails authentication with external database account restrictions error. However in capture from acs, it says that an API call was passed bad parameters. Has anyone else ever seen this?

New Member

Re: [802.1x for dynamic vlan assignment] win2k support

apparently active directory has to be used to support machine authentication.

New Member

Re: [802.1x for dynamic vlan assignment] win2k support

We have this working on a wired test network. You can use Cisco Secure ACS to do machine authentication. You need to make sure your switch supports it all. There is quite a bit to setup on all 3 ends: Server, switch and PC. You need to modify Radius on ACS to use 3 additional fields, configure your switch to point to your ACS server with the proper radius key and setup your pc to use the proper authentication mechanism. Win2k SP4 has the 802.1x client built in. Microsofts web site has a list of network cards that are known to work I believe. Most NICs _should_ work just fine. We have it setup here using 3C905B's and the default windows driver.

New Member

Re: [802.1x for dynamic vlan assignment] win2k support

I've been trying to do the same thing and I have never gotten machine authentication to work. Secondly, I've also never had using the active directory login information work properly either. I was just trying it for testing purposes, following all directions using a domain admin account for the ACS service used to check the user DB and all that. Still nothing worked. What we have working on our test-bed is simple MD5 challenge to the ACS local DB using a Cisco Catalyst 4006 as the 802.1x 'client' and a windows 2000 SP4 machine as the 'supplicant'. We were running into the same problems with regards to logging into domains and whatnot. How do you log into a domain if you can't reach the server because you don't get an IP till after 2 logins? I'm convinced this is an issue with the order in which MS is doing things. IMO the 802.1x authentication should be happening BEFORE everything else, not after :-\

New Member

Re: [802.1x for dynamic vlan assignment] win2k support

you are correct, you have to do machine authentication in order to get an ip address on a "neutral" vlan that can reach servers and logon scripts. Inorder for machine auth to work you have to load a cert for the local machine, not user. Once the machine authenticates, it gets an ip address on the neutral vlan. Once a user trys to login, he logs in gets login scripts, profile, etc with machines ip address, about 10 seconds later, the switch changes vlan. Here's where the problem is, at this point, microsoft client should release/renew for new vlan, client doesn't, microsoft knows of this issue and is writing a patch which should be out 8/15, of you know how that goes.

New Member

Re: [802.1x for dynamic vlan assignment] win2k support

Thanks for the heads up and the call yesterday. It seems management is not prepared to put in the time and energy investment required to administer certificates on our network just for the 10 ports we are going to be using this on.

We have vlan switching working just fine, even without restarting. The IP address is also renewing perfectly after logging off/on. We got that to work by tweaking (lowering) the reauthentication timeouts. For the moment if they need access to domain resource it looks like we will just have them authenticate when they go to access the resource. We don't run any login scripts or use roaming profiles or anything else that would require network use for our users to operate, so I think this will work out ok for the select few machines that this will be running on.

New Member

Re: [802.1x for dynamic vlan assignment] win2k support

PS, for single login you have to use peap

New Member

Re: [802.1x for dynamic vlan assignment] win2k support

when you say without restarting, I'm assuming that a user logs off, the back on he gets a new vlan, did you have to set the SupplicantMode Registry value to get this to work.

New Member

Re: [802.1x for dynamic vlan assignment] win2k support

All we did was change the reauthentication period on the switch to 10 seconds. So now every 10 seconds its doing a check. If you're already logged on it doesn't reprompt for a login, but if you log off then back on, the 802.1x authen. pops up like when you first start the pc. Yes it increases traffic on the link, but the amount of additional traffic being passed (roughly 2 kilobits/sec) compared to the link speed and how few machines we have that will be running this, it's negligible. For some this may not be an option because of the added overhead traffic.

New Member

Re: [802.1x for dynamic vlan assignment] win2k support

When I logoff and login as another user. The PC seems does not send EAPPL-Start message. May I know how to set the SupplicantMode Registry value to get this to work?

New Member

Re: [802.1x for dynamic vlan assignment] win2k support

can't remember exact steps, but go to this location in regedit and I believe create a new key.

1.1.1.1 Software\Microsoft\EAPOL\Parameters\General\Global

1.1.1.1.1 SupplicantMode

REG_DWORD

0: Disable IEEE 802.1X operation.

1: Inhibit transmission of EAPOL-Start and EAPOL-Logoff packets under all

scenarios.

2: Include learning to determine when to initiate the transmission of EAPOL

packets.

3: Compliant with IEEE 802.1X Specification.

If this parameter is set in the registry, the service should be re-started for the

parameters to take effect.

Default:

This registry value is not created by default.

The default value for this parameter is set in the service as:

Wireless Interfaces: SupplicantMode = 3

Wired Interfaces: SupplicantMode = 2

New Member

Re: [802.1x for dynamic vlan assignment] win2k support

Mike, thanks for your help. It solved the vlan switching issue. But we still face the ip address release and renew issue after switching vlan. May I know the name and url of Microsoft patch? Thanks

New Member

Re: [802.1x for dynamic vlan assignment] win2k support

emails down right now, but it is only out for xp, will get you the ref number later today

457
Views
0
Helpful
14
Replies
CreatePlease login to create content