Currently, we're in the process of testing 802.1x on 3550 and 3560 switches. Things are going OK, but we are running into some problems.
At the moment, we've made the following setup:
- configure switchports for dot1x and put them in a guest VLAN after a few seconds of no answer to the EAP messages. This ensures that when our (Novell) workstations boot up, they can find their E-Dir.
- Once a user logs in, the Novell client starts sending EAP start messages. The EAP handshake starts and the client is put in the right VLAN.
- When the user logs off, the client sends an EAP logoff message and the supplicant is no longer connected to the VLAN the user was in.
Now the problem starts. Because the link on the switchport never goes down in this process and the switch has 'seen' EAP packets, the switch sends an identity request. The client now responds and tries to identify as a workstation.
As this information is not available in the RADIUS server, the machine is denied access. It now has no network resources and this is a problem.
How would one fix this? Are there any best practices for this kind of situation? MAB is not really an option because we've got far too many PCs (which is the reason we started thinking about dot1x in the first place).
Hi, we're talking about the Novell client supplicant. This is actually a client which utilizes the Microsoft Windows supplicant but adds a 'Novell PEAP-MSCHAPv2' authentication method.
What I really want, is that the workstation won't respond to EAPoL identity requests once a user is not logged in. This way the workstation gets placed in the Guest VLAN so it stays connected to the Novell tree. I've already been digging in the Windows registry but couldn't find any such setting.
Well, Novell doesn't actually have a supplicant. The client utilizes a third-party solution. This can be the Microsoft supplicant. So, I think I have to disable MS machine-auth. This one immediately raises a new question: if I disable machine-auth, what happens after the user logs out and the supplicant consequently generates an EAP logoff? The machine won't be placed in a guest VLAN, because the switch has already seen EAP messages. So the Guest VLAN is not applicable, right?
Correct, the Guest-VLAN is not applicable. If you send an EAPOL-Logoff, the supplicant is telling the switch to terminate its service. So it obliges.
The good news is, you can get the MSFT supplicant to send a logoff when you actually logout, but you will need to give up machine-auth to make this happen. All depends on what you wanna do with it really.
I've got the EAP-Logoff thing working when the user logs out. However, as I don't want machine-auth, how do I get the system back in the Guest VLAN? Or any other network connection for that matter. This is necessary because I do need a network connection for the workstations (Novell client). I thought about using MAB, but this really increases the administrative burden for us...
It's a global knob to address this type of use-case. What'll happen when you configure the above is not only will the session be torn down after EAPOL-Logoff processing; the switch will continue to send EAPOL-Id-Requests out on the same port, but based on the lack of response to just this new set of requests can put the port into the Guest-VLAN since the client isn't answering.
NOTE: I assume you know what you're getting into here with VLANs, since you might be changing the subnet and the machine may need to release/renew for an address. The Guest-VLAN could be the same as the existing ones though, so up to you.
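For reference, here is the kind of switch configuration the thread is circling around, written up as an added example (it is not from any of the posters above). It shows the guest VLAN fallback for the pre-login Novell workstation, the tx-period/max-reauth-req timers that decide how long the port waits before dropping into the guest VLAN, and the global command that I believe is the "global knob" mentioned in the last reply (the page does not name it, so treat that as an assumption and check your IOS release). The RADIUS server address, shared secret, interface name and VLAN IDs are placeholders.

```cisco
! --- Global 802.1X / RADIUS setup (added example; values are assumptions) ---
aaa new-model
aaa authentication dot1x default group radius
! Network authorization is what lets the RADIUS reply assign the user VLAN
! (Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=<vlan>)
aaa authorization network default group radius
dot1x system-auth-control
!
! The global knob from the thread (assumed to be this command): allow a port
! that has already seen EAPOL frames to fall into the guest VLAN when the
! EAPOL-Id-Requests sent after an EAPOL-Logoff go unanswered.
dot1x guest-vlan supplicant
!
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key RadiusSharedSecret
!
! --- Workstation access port ---
interface FastEthernet0/1
 description Novell workstation
 switchport mode access
 switchport access vlan 100
 dot1x port-control auto
 ! Guest VLAN: must be able to reach the eDirectory servers, since the
 ! pre-login workstation lives here until the user authenticates.
 dot1x guest-vlan 900
 ! Wait before guest VLAN = (max-reauth-req + 1) * tx-period = 3 * 5 = 15 s.
 ! Keep it short enough that the Novell client still finds its tree at boot.
 dot1x timeout tx-period 5
 dot1x max-reauth-req 2
 spanning-tree portfast
```

To see which state a port is in after a logoff (authorized, guest VLAN, or still waiting for an identity response), use `show dot1x interface FastEthernet0/1 details` and `show dot1x all`. Note the caveat from the last reply: every move between the user VLAN and the guest VLAN is a subnet change unless the two VLANs share addressing, so the workstation will need to release/renew its DHCP lease each time.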