topic Re: 802.1x Problem on Remote Site in Switches, Hubs, and Modems

802.1x Problem on Remote Site

Alen Ahja — Sat, 01 Nov 2008 14:48:46 GMT

Hi Everyone,

I have a strange Problem at a Remote Site.
It's a Branch Office with only one 2610-48-PWR Switch.

The Win XP Clients (with SP3) and the Users are successfully authenticated at the Windows IAS Server and the IDM but the Network Port seems not be change into the right VLAN so that the Clients won't get an IP-Address via DHCP.

If I put static IP-Address to the Client and try to ping Ressources from the right VLAN the will be timed out. So the Client wille be in the wrong VLAN.

This behavior occured also on the AP530 Access Point at this site.

I tested the RADIUS Authentication and get all right informations for the User. So it might be something between the RADIUS Server and the Remote Site I think.

I hope you can help me. Thanx.

Alen

Re: 802.1x Problem on Remote Site

cenk sasmaztin — Sat, 01 Nov 2008 15:39:04 GMT

hi Alen please send me sh run print

Re: 802.1x Problem on Remote Site

cenk sasmaztin — Sat, 01 Nov 2008 15:40:46 GMT

and can you see about authentication any log on switch or IAS server

Re: 802.1x Problem on Remote Site

cenk sasmaztin — Sat, 01 Nov 2008 16:04:58 GMT

if you can see authentication successfull but not dhcp assign ip address to client

check
ip helper address command on switch

check
config)# sh vlans ports xxx
with command port vlan status

check
remote active directory rule (in radius service)for user or user group rule

Re: 802.1x Problem on Remote Site

Alen Ahja — Sun, 02 Nov 2008 11:07:07 GMT

Hi,

I attached you the # sh run Output.

The IAS Server Log said, that the User was granted, so the authentication will be successfully.

The IP-Helper on the switch is not active because it's not a routing switch. I installed a DHCP Relay on the Firewall wich works fine for the Guests-VLAN.

# sh vlans ports xxx cannot check at the moment because I am back in the Headquarter.

I can check the same issue next week at a another Branch Office.

Alen

Re: 802.1x Problem on Remote Site

cenk sasmaztin — Mon, 03 Nov 2008 06:18:00 GMT

I can see two radius server

I think one radius server headquarter residing and one radius server residing branch office

where is residing dhcp server/servers

Re: 802.1x Problem on Remote Site

cenk sasmaztin — Mon, 03 Nov 2008 06:33:32 GMT

if you can send me all topology layout
and all switch sh run print

I check all config for you

Re: 802.1x Problem on Remote Site

Alen Ahja — Mon, 03 Nov 2008 08:21:34 GMT

Both RADIUS Server are in the Headquarter.

Here the Topology Layout

AP530 --> 2610-48-PWR --> Firewall Branch

Firewall Branch --> VPN --> Firewall HQ

FirwaÃ¶Ã¶ HQ --> IAS1 / IAS2

Re: 802.1x Problem on Remote Site

Pieter 't Hart — Mon, 03 Nov 2008 08:28:27 GMT

IAS has two default policies "Microsoft RRAS" and "other RAS".
if the microsoft policiy has been changed from the default settings, sometimes the wrong policy is used

see http://technet.microsoft.com/en-us/library/cc786978.aspx search for "third party"

reset the microsoft RRAS policy to the defaults (or maybe change policy order or even delete).

hope this helps
Pieter

Re: 802.1x Problem on Remote Site

Alen Ahja — Mon, 03 Nov 2008 08:30:03 GMT

Hi Pieter,

no the RADIUS Server will work fine.
I tested it yesterday in the Headquarter.

The authentication is correct and the VLAN's on the switches in the HQ were also set correctly but not at the Branch Office Side :(

Re: 802.1x Problem on Remote Site

Pieter 't Hart — Mon, 03 Nov 2008 10:19:43 GMT

Where is the dhcp-server connected (probably local servers SRV#1 SRV#2 ?, I see no ip-helper configured)

is a different vlan used at the HQ?
if so is this vlan assigned by the radius server?

see "VLAN Membership Priorities" P11-30 in
http://cdn.procurve.com/training/Manuals/2610-Security-Dec2007-59918642.pdf

suggestion : try test with local user.
password port-access user-name Jim secret3
aaa authentication port-access local

Re: 802.1x Problem on Remote Site

cenk sasmaztin — Mon, 03 Nov 2008 13:09:52 GMT

you have four vlan
vlan 1 managemet
vlan 1008 voip vlan
vlan 1009 office vlan
vlan 1007 guest vlan

Ä± want dynamical assign vlan member each vlan with 802.1x
(only vlan 1008 for voip device static)

ip routing
vlan 1
name "DEFAULT_VLAN"
untagged 1-34,41,50
ip address 172.16.1.4 255.255.255.0
no untagged 35-40
ip igmp high-priority-forward
exit
vlan 1008
name "VoIP"
untagged 35-40
ip address 172.16.2.4 255.255.255.0
qos priority 6
voice
ip igmp high-priority-forward
exit
vlan 1009
name "Office"
ip address 172.16.3.4 255.255.255.0
ip helper address (dhcp server address)
exit
vlan 1007
name "Guests"
ip address 172.16.5.4 255.255.255.192
ip helper address (dhcp server address)
exit
ip routing 0.0.0.0 0.0.0.0 172.16.1.5 *********this address firewall lan ip
aaa authentication port-access eap-radius
aaa accounting network start-stop radius
radius-server host key
radius-server host

aaa port-access authenticator 30
aaa port-access authenticator 30 reauth-period 300
aaa port-access authenticator 30 unauth-vid 1007
aaa port-access authenticator 30 client-limit 1
aaa port-access authenticator active
aaa port-access 30

interface 30 resiade vlan 1 untagged member
when to take radius authentication packet this port dynamically change vlan status

you have to create redius active directory rules in radius servis for all domain users

for vlan 1009 office users
important 3 attribute
tunnel medium type ---radius standart---802 includes all....
tunnel pvd group id---radius standart--1009 (this number very important because definition vlan)
tunnel type-----------radius standart--virtual lans (vlan)

each domain user connect any port(except int 35-40)assign to dynamically vlan 1009

other user (nondomain)want connect any port (except int 35-40)assign to dynamically vlan 1007

create for vlan 1009 and 1007 dhcp scobe on dhcp server

scobe 1
name forvlan1009
ip range 172.16.3.10.....50
subnet mask 255.255.255.0
default route 172.16.3.4

scobe 2
name forvlan1007
ip range 172.16.5.10.....50
subnet mask 255.255.255.0
default route 172.16.5.4

please watch this video
http://www.dosya.tc/802.1x_dynamicvlan.rar.html

Re: 802.1x Problem on Remote Site

Alen Ahja — Tue, 04 Nov 2008 20:21:20 GMT

Hi Thanx for your config, but I don't want that switch routes everything. The Frewall will plays DHCP Relay.

On which VLAN will be the client did the 802.1x request ?

Re: 802.1x Problem on Remote Site

Alen Ahja — Wed, 05 Nov 2008 19:59:45 GMT

Hi at all,

I found the solution for the problem.
The main problem was the Framed MTU Size. The Microsoft KB Article 883389 (http://support.microsoft.com/kb/883389/en-us) described how to reduced the EAP packet size.

I say thank to all which tries to help.

Alen