
802.1x Problem on Remote Site

 
Alen Ahja
Frequent Advisor


Hi Everyone,

I have a strange Problem at a Remote Site.
It's a Branch Office with only one 2610-48-PWR Switch.

The Win XP Clients (with SP3) and the Users are successfully authenticated at the Windows IAS Server and the IDM, but the Network Port does not seem to be changed into the right VLAN, so the Clients won't get an IP-Address via DHCP.

If I put a static IP-Address on the Client and try to ping Resources from the right VLAN, they will be timed out. So the Client will be in the wrong VLAN.

This behavior also occurred on the AP530 Access Point at this site.

I tested the RADIUS Authentication and got all the right information for the User. So it might be something between the RADIUS Server and the Remote Site, I think.

I hope you can help me. Thanks.

Alen
cenk sasmaztin
Honored Contributor

Re: 802.1x Problem on Remote Site

Hi Alen, please send me the sh run print.
cenk

cenk sasmaztin
Honored Contributor

Re: 802.1x Problem on Remote Site

And can you see any log about authentication on the switch or IAS server?
cenk

cenk sasmaztin
Honored Contributor

Re: 802.1x Problem on Remote Site

If you can see that authentication is successful but DHCP does not assign an IP address to the client:

check
the ip helper address command on the switch

check
config)# sh vlans ports xxx
the port VLAN status with this command

check
the remote Active Directory rule (in the RADIUS service) for the user or user group rule

cenk

Alen Ahja
Frequent Advisor

Re: 802.1x Problem on Remote Site

Hi,

I attached the # sh run Output for you.

The IAS Server Log said that the User was granted, so the authentication will be successful.

The IP-Helper on the switch is not active because it's not a routing switch. I installed a DHCP Relay on the Firewall which works fine for the Guests-VLAN.

I cannot check # sh vlans ports xxx at the moment because I am back in the Headquarter.

I can check the same issue next week at another Branch Office.

Alen
cenk sasmaztin
Honored Contributor

Re: 802.1x Problem on Remote Site

I can see two RADIUS servers.

I think one RADIUS server resides at the headquarters and one RADIUS server resides at the branch office.


Where do the DHCP server/servers reside?
cenk

cenk sasmaztin
Honored Contributor

Re: 802.1x Problem on Remote Site

If you can send me the whole topology layout
and the sh run print of all switches,

I will check all the config for you.
cenk

Alen Ahja
Frequent Advisor

Re: 802.1x Problem on Remote Site

Both RADIUS Servers are in the Headquarter.

Here is the Topology Layout:


AP530 --> 2610-48-PWR --> Firewall Branch

Firewall Branch --> VPN --> Firewall HQ

Firewall HQ --> IAS1 / IAS2
Pieter 't Hart
Honored Contributor

Re: 802.1x Problem on Remote Site

IAS has two default policies, "Microsoft RRAS" and "other RAS".
If the Microsoft policy has been changed from the default settings, sometimes the wrong policy is used.

See http://technet.microsoft.com/en-us/library/cc786978.aspx and search for "third party".

Reset the Microsoft RRAS policy to the defaults (or maybe change the policy order or even delete it).

hope this helps
Pieter
Alen Ahja
Frequent Advisor

Re: 802.1x Problem on Remote Site

Hi Pieter,

No, the RADIUS Server will work fine.
I tested it yesterday in the Headquarter.

The authentication is correct and the VLANs on the switches in the HQ were also set correctly, but not at the Branch Office Side :(
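
An added example, not part of the thread and not code from any poster: one way to check whether a RADIUS Access-Accept captured on the branch side actually carries a VLAN assignment. It assumes the server signals the VLAN with the standard tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID), which the thread does not name; the function names and both sample packets are constructed for illustration.

```python
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6

def parse_attributes(packet: bytes):
    """Return (code, {attr_type: first value}) for one RADIUS packet (RFC 2865)."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not match the captured data")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, packet[pos + 2:pos + a_len])
        pos += a_len
    return code, attrs

def vlan_assignment(packet: bytes):
    """Return (vlan, problems): the VLAN an Access-Accept assigns, and what is missing."""
    code, attrs = parse_attributes(packet)
    problems = [] if code == ACCESS_ACCEPT else [f"code {code} is not Access-Accept"]

    def tagged_int(attr_type):
        # Tunnel-Type / Tunnel-Medium-Type: 1 tag byte + 3-byte integer (RFC 2868)
        value = attrs.get(attr_type, b"")
        return int.from_bytes(value[1:], "big") if len(value) == 4 else None

    if tagged_int(TUNNEL_TYPE) != TYPE_VLAN:
        problems.append("Tunnel-Type missing or not VLAN (13)")
    if tagged_int(TUNNEL_MEDIUM_TYPE) != MEDIUM_IEEE_802:
        problems.append("Tunnel-Medium-Type missing or not IEEE-802 (6)")
    raw = attrs.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if raw[:1] and raw[0] <= 0x1F:  # optional leading tag byte
        raw = raw[1:]
    if not raw:
        problems.append("Tunnel-Private-Group-ID missing")
    return (raw.decode("ascii", "replace") or None), problems

# Constructed sample packets (zeroed authenticator), not captures from the thread.
ZERO_AUTH = "00" * 16
SAMPLE_WITH_VLAN = bytes.fromhex("02010024" + ZERO_AUTH + "40060000000d" + "410600000006" + "51043230")
SAMPLE_NO_VLAN = bytes.fromhex("0201001a" + ZERO_AUTH + "060600000002")  # Service-Type only
```

Feed it the UDP payload of an Access-Accept taken from a capture at the branch switch; an empty problem list together with the expected VLAN means the reply reached the switch with its VLAN attributes intact.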