HPE Community
Switches, Hubs, and Modems
1753831 Members
9408 Online
108806 Solutions
New Discussion юеВ

Re: 802.1x authentication issues

 
SOLVED
Go to solution
procurvenewbee
Frequent Advisor

тАО04-17-2007 01:59 PM

тАО04-17-2007 01:59 PM

802.1x authentication issues

I have a 3548 switch set up for 802.1x. Supplicants are windows xp sp2, set up to peap, mschapv2, authenticating via IAS. Works fine for the user who was using the same machine before switch port was set up to 802.1x. If another user (who has never logged in to this machine earlier), from another Windows AD group, tries to log in, he gets domain not availble message/ The problem seems to be that when main user logs off, the switch never drops the dynamic VLAN on the port or probably keep the session open. Will not logging off on windows machine, trigger 802.1x
session ending and hence switch port going back to open state, so that next person trying to log in, will start a new 802.1x autentication session?

In this scenario, a third user, who also never logged on to this machine ever, but belonging to same windows AD group (and hence IAS supplying same VLAN ID as the main user of machine), can log in fine.

Thanks
0 Kudos
5 REPLIES 5
Matt Hobbs
Honored Contributor

тАО04-17-2007 03:55 PM

тАО04-17-2007 03:55 PM

Solution

Re: 802.1x authentication issues

By default, XP does not end the 802.1x session when a user logs off.

There a two registry changes you need to make to ensure that it starts and ends the session properly.

http://archives.neohapsis.com/archives/sf/ms/2005-q3/0109.html

Set the SupplicantMode registry to 3 and the AuthMode registry to 1

HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global\AuthMode

HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global\SupplicantMode
Mohieddin Kharnoub
Honored Contributor

тАО04-17-2007 03:56 PM

тАО04-17-2007 03:56 PM

Re: 802.1x authentication issues

Hi

The default log off period the switch waits for
client activity before removing an inactive client from the port is 5 minutes (300 sec), and that can be set by the option: aaa port-access authenticator < port-list > [logoff-period]< 1 - 999999999 >

One more thing, the re-auth period which is the time after which clients connected must be re-authenticated is by default 0 sec (means disabled), so you can try enable it by the option:
aaa port-access authenticator < port-list > [reauth-period < 0 - 9999999 >]

Also, if you are trying to do that with one port on the switch, then you have a Limitation on Using an Unauthorized-Client VLAN on an 802.1X Port Configured to Allow Multiple-Client Access.

A client using the Unauthenticated-Client VLAN will be blocked when another client becomes authenticated on the port.
For this reason, the best utilization of the Unauthorized-Client VLAN feature is in instances where only one client is allowed per-port.

Good Luck !!!
Science for Everyone
procurvenewbee
Frequent Advisor

тАО04-18-2007 05:29 AM

тАО04-18-2007 05:29 AM

Re: 802.1x authentication issues

Thanks Folks. I will test these fixes and will get back tonight with results and of course points for your support.
0 Kudos
Jaguar
Occasional Advisor

тАО07-13-2007 01:25 AM

тАО07-13-2007 01:25 AM

Re: 802.1x authentication issues

Hi procurvenewbee,

I'm facing the same situation as yours. Did you managed to resolve your issue?

In my scenario, if a new user logs-in (regardless of which windows group), there will be domain not available message. I have already configured what Matt suggested and still no luck.

If you have resolve your issue, would you mind sharing?
0 Kudos
procurvenewbee
Frequent Advisor

тАО07-18-2007 09:26 AM

тАО07-18-2007 09:26 AM

Re: 802.1x authentication issues

No I did not find time to look into this issue.

I plan to test this:

aaa port-access authenticator 1-44 logoff-period 60
aaa accounting update periodic 1
aaa accounting network start-stop radius
aaa accounting exec start-stop radius aaa accounting system start-stop radius

You should also create machine accounts in the same VLAN/AD group as the user accounts as Windows XP does not support authenticating machine and user into different VLANs.

Good Luck.
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.