does anyone know if 802.1x is a protocol (or frame interpretation rather) that is supported on win2000 for any nic?
is there a minimum OS and NIC requirement to able to dynamically assign VLANs based on user by using 802.1x?
Microsoft has released an 802.1X supplicant for windows 2000, and I have some basic instructions on setting up a 2k client that I wrote up at http://www.missl.cs.umd.edu/Projects/wireless/2kclient/2kclient.html Any card that has an NDIS5 compatible driver with windows 2000 will work fine. I've tested orinoco, spectrum24, cisco and linksys cards, worked fine. Some prismII cards that didn't have newer drivers did not - but will once the drivers get updated. I'll leave the vlan question to someone else ... -mike
let me know if you find anyone who has ever gotten this to work in a wired network. Here's where I'm at. I if reboot the machine, dynamic vlan assignment works fine, except that I need to use roaming profiles and login scripts. Therefore I don't have a dhcp address until I login and the port authenticates. I am told to solve this problem, I need machine authentication to work, that way when the machine come on, it will authenticate, then when the user logs in, it will , in theory, reauthenticate with users credentials, access roaming profiles with ip address from machine vlan, then get new vlan, log user in, release old ip address from machine vlan and get new ipaddress from new vlan, (although I have a case open with microsoft and they haven't verified that this actually works). I can't get machine to authenticate. Apparently when my machines try to authenticate, they send only the host/computer, while acs3.2 is looking for host/computer.domain format, therefore it fails authentication with external database account restrictions error. However in capture from acs, it says that an API call was passed bad parameters. Has anyone else ever seen this?
We have this working on a wired test network. You can use Cisco Secure ACS to do machine authentication. You need to make sure your switch supports it all. There is quite a bit to setup on all 3 ends: Server, switch and PC. You need to modify Radius on ACS to use 3 additional fields, configure your switch to point to your ACS server with the proper radius key and setup your pc to use the proper authentication mechanism. Win2k SP4 has the 802.1x client built in. Microsofts web site has a list of network cards that are known to work I believe. Most NICs _should_ work just fine. We have it setup here using 3C905B's and the default windows driver.
I've been trying to do the same thing and I have never gotten machine authentication to work. Secondly, I've also never had using the active directory login information work properly either. I was just trying it for testing purposes, following all directions using a domain admin account for the ACS service used to check the user DB and all that. Still nothing worked. What we have working on our test-bed is simple MD5 challenge to the ACS local DB using a Cisco Catalyst 4006 as the 802.1x 'client' and a windows 2000 SP4 machine as the 'supplicant'. We were running into the same problems with regards to logging into domains and whatnot. How do you log into a domain if you can't reach the server because you don't get an IP till after 2 logins? I'm convinced this is an issue with the order in which MS is doing things. IMO the 802.1x authentication should be happening BEFORE everything else, not after :-\
you are correct, you have to do machine authentication in order to get an ip address on a "neutral" vlan that can reach servers and logon scripts. Inorder for machine auth to work you have to load a cert for the local machine, not user. Once the machine authenticates, it gets an ip address on the neutral vlan. Once a user trys to login, he logs in gets login scripts, profile, etc with machines ip address, about 10 seconds later, the switch changes vlan. Here's where the problem is, at this point, microsoft client should release/renew for new vlan, client doesn't, microsoft knows of this issue and is writing a patch which should be out 8/15, of you know how that goes.
Thanks for the heads up and the call yesterday. It seems management is not prepared to put in the time and energy investment required to administer certificates on our network just for the 10 ports we are going to be using this on.
We have vlan switching working just fine, even without restarting. The IP address is also renewing perfectly after logging off/on. We got that to work by tweaking (lowering) the reauthentication timeouts. For the moment if they need access to domain resource it looks like we will just have them authenticate when they go to access the resource. We don't run any login scripts or use roaming profiles or anything else that would require network use for our users to operate, so I think this will work out ok for the select few machines that this will be running on.
when you say without restarting, I'm assuming that a user logs off, the back on he gets a new vlan, did you have to set the SupplicantMode Registry value to get this to work.
All we did was change the reauthentication period on the switch to 10 seconds. So now every 10 seconds its doing a check. If you're already logged on it doesn't reprompt for a login, but if you log off then back on, the 802.1x authen. pops up like when you first start the pc. Yes it increases traffic on the link, but the amount of additional traffic being passed (roughly 2 kilobits/sec) compared to the link speed and how few machines we have that will be running this, it's negligible. For some this may not be an option because of the added overhead traffic.
When I logoff and login as another user. The PC seems does not send EAPPL-Start message. May I know how to set the SupplicantMode Registry value to get this to work?
can't remember exact steps, but go to this location in regedit and I believe create a new key.
0: Disable IEEE 802.1X operation.
1: Inhibit transmission of EAPOL-Start and EAPOL-Logoff packets under all
2: Include learning to determine when to initiate the transmission of EAPOL
3: Compliant with IEEE 802.1X Specification.
If this parameter is set in the registry, the service should be re-started for the
parameters to take effect.
This registry value is not created by default.
The default value for this parameter is set in the service as:
Wireless Interfaces: SupplicantMode = 3
Wired Interfaces: SupplicantMode = 2
Mike, thanks for your help. It solved the vlan switching issue. But we still face the ip address release and renew issue after switching vlan. May I know the name and url of Microsoft patch? Thanks