PEAP w/ Windows 7

Cisco Wireless LAN Controller v4.2.207.0
Microsoft IAS w/ PEAP
Dynamic VLAN switching
Windows 7


Computer boots up, authenticates with wireless network using computer credentials. Based on RADIUS policy, computer is assigned to VLAN 10. Computer grabs IP and waits at Ctrl+Alt+Del screen. User logs in, computer authenticates using user credentials. Based on RADIUS policy, computer is assigned to VLAN 20. Group Policy and Login Scripts process.

The problem is that sometimes the GPOs and scripts don't run properly.

I started a continuous ping to the computer IP before user authentication and to the computer IP after user authentication. I can see that the computer boots up in VLAN 10 with 10.10.10.10 IP address. The IP in VLAN 20, 10.10.20.20, isn't responding to pings yet.

After the user authenticates, the computer loses its IP momentarily, then regains its original IP address (in VLAN 10, not VLAN 20). RADIUS, by this time, has reported that the user has authenticated successfully, which assigns the computer its new VLAN at that time, but the computer doesn't get it quite yet. The computer then loses its VLAN 10 IP address again, and then regains its VLAN 20 IP address. It appears that the computer/user authenticates with RADIUS in this order: Computer (prelogin), User (after typing user/pass and pressing "Enter"), Computer, User... I don't understand why it's passing the Computer credentials to RADIUS after it's already logging in as a user, but that appears to be messing up the login sequence.

The problem is that this weird release/renewal of the IP is preventing login scripts and GPOs from running sometimes. I thought all of these quirky Dynamic VLAN Switching issues were to have been resolved in Windows 7.

I've tried updating NIC drivers to no avail. My temporary workaround is to set the wireless policy to only use user authentication. This means that before the user logs in, the PC has no IP address at all. After they type their login/password and hit enter, the computer authenticates with RADIUS, gets assigned a VLAN and gets an IP address in VLAN 20. This assignment of the IP address in VLAN 20 takes place much faster than when the computer is first assigned to a different VLAN, VLAN 10.

I'd like the computer to have an IP address before login so startup scripts can run and so we can remotely support and manage the devices if they aren't being used, but are still online. Any ideas? I'd like to determine if the problem lies with the WLC or not.
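
The Computer, User, Computer, User order described in the post above can be confirmed from RADIUS accounting data. This is an added example, not part of the original post: the CSV layout, MAC addresses, host names and user names are constructed, and it assumes machine identities appear with a `host/` prefix while user identities do not.

```python
from datetime import datetime

# Constructed sample events (not real IAS output):
# timestamp, client MAC, identity presented to RADIUS, VLAN returned by policy
SAMPLE_LOG = """\
2017-01-10 08:00:01,00-11-22-33-44-55,host/PC01.example.local,10
2017-01-10 08:05:30,00-11-22-33-44-55,EXAMPLE\\jsmith,20
2017-01-10 08:05:33,00-11-22-33-44-55,host/PC01.example.local,10
2017-01-10 08:05:41,00-11-22-33-44-55,EXAMPLE\\jsmith,20
2017-01-10 08:10:00,66-77-88-99-AA-BB,host/PC02.example.local,10
2017-01-10 08:12:00,66-77-88-99-AA-BB,EXAMPLE\\adoe,20
"""

def parse(log):
    """Turn the constructed CSV lines into event dictionaries."""
    events = []
    for line in log.strip().splitlines():
        ts, mac, identity, vlan = line.split(",")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "mac": mac,
            # Assumption: computer credentials are presented as host/<fqdn>
            "machine": identity.lower().startswith("host/"),
            "vlan": int(vlan),
        })
    return events

def find_reauth_flaps(events, window_s=60):
    """Return (mac, time) for each machine auth seen within window_s
    seconds after a user auth from the same client."""
    last_user_auth = {}
    flaps = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["machine"]:
            seen = last_user_auth.get(ev["mac"])
            if seen is not None and (ev["time"] - seen).total_seconds() <= window_s:
                flaps.append((ev["mac"], ev["time"]))
        else:
            last_user_auth[ev["mac"]] = ev["time"]
    return flaps

if __name__ == "__main__":
    for mac, when in find_reauth_flaps(parse(SAMPLE_LOG)):
        print(f"{mac}: machine re-authentication at {when} shortly after user logon")
```

Clients that show up here are the ones whose VLAN assignment bounces during logon; clients with a single machine auth followed by a single user auth are not reported.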

2 REPLIES

Re: PEAP w/ Windows 7

Hi,

Are you still facing this issue?

thanks,

Vinay

Thanks & Regards

Re: PEAP w/ Windows 7

I believe so.

TAC suggested I disable Aironet IE extensions and client exclusion. I also set the SSID to broadcast.

On WinXP machines we still don't implement the Dynamic VLAN Switching. We still use PEAP however, and the only hurdle we came across was the machine password expiring every 30 days. As a workaround we set the machine password to expire every 999 days. This made all the difference.
