1753437
Members
4841
Online
108794
Solutions
Hello there,
About three months ago the company I work for went through a network segmentation project. We also implemented wired Dot1x. Since the implementation we've been experiencing endless login issues on the domain. It is totally unpredictable, it works on one start-up and then not at the next.
Our clients are XP SP3 (Wired AutoConfig is started) on a Windows 2008 native domain. The radius server is Windows 2008 NPS and the switches we use are 3Com (5500-EI Software Version 3Com OS V3.03.02s168ep10). DHCP scopes on all VLAN's. Not that I think this is worth mentioning, but the NPS server is virtualised.
This is what we want to achieve:
1) XP client boots up. If it is a valid domain client it must machine auth into the 200 VLAN. If the client is unknown, it should fail into the guest VLAN(252).
2) When the user logs in. If the user is a valid domain user it must user auth into the 200 VLAN. If the user is a local user on the client, it must fail the client into the guest VLAN(252).
Also to mention we have Mitel Phone handsets and use the phone's switch for the client machines to connect to the network. (Radius <--> 3Com Switch <--> Mitel Phone (with switch) <--> XP Client) Phones end up in VLAN 16, but for this test I omitted the Phone, since the client machine auth fails with or without the phone connected.
We have also tested different hardware/OS builds to prove it's not a build/hardware issue.
From the switch config below you will notice that we use "dot1x dhcp-launch", but I've also tested without this setting. I've also tested "dot1x unicast-trigger", but although the XP clients appear to have more success, the unauthorised clients don't end up in the guest VLAN. The switch port just stay's shut.
#********************************************************************
SWITCH CONFIG:
display current-configuration
#
sysname PH-Edge2
#
radius nas-ip 172.16.1.3
#
local-server nas-ip 127.0.0.1 key *******
#
domain default enable bogus.com
#
poe legacy enable
#
lldp enable
lldp timer tx-interval 5
#
port-security enable
port-security trap addresslearned
#
igmp-snooping enable
#
#
dot1x timer tx-period 5
dot1x timer supp-timeout 10
dot1x timer reauth-period 120
dot1x dhcp-launch
dot1x authentication-method eap
dot1x supp-proxy-check trap
dot1x supp-proxy-check logoff
undo dot1x handshake enable
#
MAC-authentication domain bogus.com
#
radius scheme system
radius scheme BOGUS-Radius-Scheme
server-type extended
primary authentication 172.16.4.5
primary accounting 172.16.4.5
secondary authentication 172.16.4.6
secondary accounting 172.16.4.6
accounting optional
key authentication *******
key accounting *******
nas-ip 172.16.1.3
#
domain bogus.com
scheme lan-access radius-scheme BOGUS-Radius-Scheme
scheme login local
accounting lan-access radius-scheme BOGUS-Radius-Scheme
vlan-assignment-mode string
domain system
#
stp mode rstp
stp instance 0 priority 16384
#
#
vlan 1
name management
#
vlan 4
name Servers-and-Printers
igmp-snooping enable
#
vlan 8
name Desktops
igmp-snooping enable
#
vlan 16
name VOIP Vlan
igmp-snooping enable
#
vlan 252
name Guest-Limited-Access
igmp-snooping enable
#
#********************************************************************
Port Setting:
interface Ethernet3/0/15
poe enable
stp edged-port enable
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 16 252
port trunk pvid vlan 252
broadcast-suppression pps 3000
undo jumboframe enable
undo voice vlan mode auto
voice vlan enable
port-security max-mac-count 5
port-security port-mode userlogin-secure-or-mac
port-security guest-vlan 252
dot1x max-user 2
dot1x re-authenticate
apply qos-profile BOGUS-qos
#********************************************************************
After failed bootup registered mac:
display mac-address interface Ethernet 3/0/15
Unit 2
MAC ADDR VLAN ID STATE PORT INDEX AGING TIME(s)
0022-1917-2f83 252 Learned Ethernet3/0/15 AGING
--- 1 mac address(es) found on port Ethernet3/0/15 ---
#********************************************************************
Errors in the NPS event viewer logs:
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: NULL SID
Account Name: 00-22-19-17-2f-83@bogus.com
Account Domain: BOGUS
Fully Qualified Account Name: BOGUS\00-22-19-17-2f-83@bogus.com
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: -
Calling Station Identifier: 0022-1917-2f83
NAS:
NAS IPv4 Address: 172.16.1.3
NAS IPv6 Address: -
NAS Identifier: 00186e4bd142
NAS Port-Type: Ethernet
NAS Port: 50393340
RADIUS Client:
Client Friendly Name: BOGUSHouse-Edge2
Client IP Address: 172.16.1.3
Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: BOGUSRA01.bogus.com
Authentication Type: PAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
#********************************************************************
#********************************************************************
After successful bootup registered mac:
display mac-address interface Ethernet 3/0/15
Unit 2
MAC ADDR VLAN ID STATE PORT INDEX AGING TIME(s)
0022-1917-2f83 200 Learned Ethernet3/0/15 AGING
0022-1917-2f83 252 Learned Ethernet3/0/15 AGING
--- 2 mac address(es) found on port Ethernet3/0/15 ---
#********************************************************************
Success in the NPS event viewer logs:
Network Policy Server granted full access to a user because the host met the defined health policy.
User:
Security ID: BOGUS\BOGUS-PC018$
Account Name: host/BOGUS-pc018.bogus.com
Account Domain: BOGUS
Fully Qualified Account Name: bogus.com/NewStructure/IT/Computers/Desktops/BOGUS-PC018
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: -
Calling Station Identifier: 0022-1917-2f83
NAS:
NAS IPv4 Address: 172.16.1.3
NAS IPv6 Address: -
NAS Identifier: 00186e4bd142
NAS Port-Type: Ethernet
NAS Port: 50393288
RADIUS Client:
Client Friendly Name: BOGUSHouse-Edge2
Client IP Address: 172.16.1.3
Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: Dot1x-Access-To-BOGUS-Support-PC's Vlan 200
Authentication Provider: Windows
Authentication Server: BOGUSRA01.bogus.com
Authentication Type: PEAP
EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
Account Session Identifier: -
Quarantine Information:
Result: Full Access
Extended-Result: -
Session Identifier: -
Help URL: -
System Health Validator Result(s): -
#********************************************************************
#********************************************************************
The failed NPS event entry tries PAP authentication with user: 00-22-19-17-2f-83@bogus.com. The successful NPS event entry succeeded with PEAP with user: host/BOGUS-pc018.bogus.com.
WeтАЩre currently at the stage were weтАЩre considering dropping Dot1x and moving to manual port control, but thought weтАЩd give a few forums a go to see if someone has some suggestions. Any help or ideaтАЩs are welcome.
Thanks,
Jason
This message was edited by hpc-itsupport on 8-27-10 @ 5:45 AM
Hi Fred,
Thank you for the input. I implemented your suggestion and although it works - just like the ports configured as Trunk ports, it fails fairly regularly. I have posed the question to the consulting company that implemented our solution. I just can't believe they'd make such a mistake and can only think they had a valid reason to have the ports configured as Trunk ports. I will update the thread with their response.
Either way, I think I made some headway with the issue. From the "failed.pcap" picture above, you'll notice that the first two DHCP Requests, are followed by a "Eapol start". Although the client and switch started the process, the client interrupts it with the second Eapol start. The switch fails it into the guest VLAN and the client gets an IP address in this VLAN. Since the client has an IP, it does no more DHCP and thus with the "dot1x dhcp-launch" configured, the client stays in this VLAN. A short lease will help, but the clients will have tried to log in before they get into the user VLAN.
Here is what I did:
1) On the switch "undo dot1x dhcp-launch"
2) On the XP client I set the dot1x supplicant mode to "includeLearning" (The client determines when to send EAPOL-Start packets based on network capability. EAPOL-Start messages are only sent when required. Valid for wired LAN profiles only.)
1) On the switch "undo dot1x dhcp-launch"
2) On the XP client I set the dot1x supplicant mode to "includeLearning" (The client determines when to send EAPOL-Start packets based on network capability. EAPOL-Start messages are only sent when required. Valid for wired LAN profiles only.)
This got rid of the second Eapol start that broke the process previously. See screenshot:
Since all my clients have not yet received the GPO that sets the supplicant mode, I still had login issues today. I will update the thread tomorrow with the results.
Regards,
Jason