Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

PEAP Windows Logon -Machine & User Authentication -Multiple VLANS

Windows Client <==> Access Point <==> Radius <==> Windows DC/AD

Windows OS : XP Client SP 2

Supplicant : Built-in Wireless Supplicant

Authentication : 802.1x PEAP(MS-Chapv2)

Access Point : Aironet 1200

Radius : ACS 3.3

Adaptors : Built-in

CA : Microsoft

I have a single SSID and am using a RADIUS server to assign users to different VLANs. When a computer boots up, machine authentication is used and the ACS tells the access point which VLAN to be on (i.e. VLAN1 192.168.1.x). Then when the user logs on the ACS tells the access point to switch the computer to a different VLAN (i.e. VLAN2 192.168.2.x). The problem is that the windows logon scripts do not run. Once the computer finishes booting, I quickly check its IP address and it still thinks it is on 192.168.1.x (VLAN1) when it is actually on VLAN2 and needs a 192.168.2.x address. If I give the machine time, it will eventually switch its IP to the 192.168.2.x address.

Has anyone else run across this? I assume that there is no fix and that it is a Microsoft problem. Obviously, it can't do the logon script if it does not have a valid IP for its VLAN. I also never know who will be logging into the computer to put the computer in the correct VLAN ahead of time.

Note: If the machine and user are both set to use the same VLAN, the computer does not have to switch IPs and the windows logon script works fine.

Thanks

Steve

3 REPLIES
Community Member

Re: PEAP Windows Logon -Machine & User Authentication -Multiple

Hi there.

I've tried that solution, and I had a similar problem. My problem was on the DHCP server side: there was a superscope defined with the different scopes for each VLAN. When I'd the MAC Address from one machine registered at the DHCP database, the settings were always the same. Then I deleted the superscope and only defined scopes for each VLAN. It's working fine now.

Hope this helps you.

Regards,

João

Community Member

Re: PEAP Windows Logon -Machine & User Authentication -Multiple

Hi Steve,

I have a customer would like to implement this solution, and I know that you're deploying the solution and have experience on this, would you mind to share with me about how to implement this?

Thank you in advance.

Rgds,

Au Yeong

Community Member

Re: PEAP Windows Logon -Machine & User Authentication -Multiple

I'm in the middle of this exact problem.

Has anyone gotten this to work?

390
Views
0
Helpful
3
Replies
CreatePlease to create content