
802.1x authentication issues

SOLVED
procurvenewbee
Frequent Advisor

802.1x authentication issues

I have a 3548 switch set up for 802.1x. Supplicants are Windows XP SP2, set up for PEAP/MSCHAPv2, authenticating via IAS. It works fine for the user who was using the same machine before the switch port was set up for 802.1x. If another user (who has never logged in to this machine before), from another Windows AD group, tries to log in, he gets a "domain not available" message. The problem seems to be that when the main user logs off, the switch never drops the dynamic VLAN on the port, or probably keeps the session open. Will logging off on the Windows machine not trigger the 802.1x session ending, and hence the switch port going back to the open state, so that the next person trying to log in will start a new 802.1x authentication session?

In this scenario, a third user, who also never logged on to this machine, but who belongs to the same Windows AD group (and hence IAS supplies the same VLAN ID as for the main user of the machine), can log in fine.

Thanks
5 REPLIES
Matt Hobbs
Honored Contributor
Solution

Re: 802.1x authentication issues

By default, XP does not end the 802.1x session when a user logs off.

There are two registry changes you need to make to ensure that it starts and ends the session properly.

http://archives.neohapsis.com/archives/sf/ms/2005-q3/0109.html

Set the SupplicantMode registry value to 3 and the AuthMode registry value to 1:

HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global\AuthMode

HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global\SupplicantMode
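Added example (not from Matt's post or from Microsoft): a PowerShell script that audits the two EAPOL values named above, sets them to the values quoted in the thread (AuthMode = 1, SupplicantMode = 3) only where they differ, and reads them back. The key path is the one given in the post, written in PowerShell provider syntax; the script assumes it is run elevated on the affected client.

```powershell
# Added example, not part of the original thread. Assumes an elevated session.
# Key path and target values are the ones quoted in the post above.
$key    = 'HKLM:\Software\Microsoft\EAPOL\Parameters\General\Global'
$wanted = @{ AuthMode = 1; SupplicantMode = 3 }

# Create the key if the machine has never had these values set.
if (-not (Test-Path -Path $key)) {
    New-Item -Path $key -Force | Out-Null
}

foreach ($name in $wanted.Keys) {
    $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    $shown   = if ($null -eq $current) { '<missing>' } else { $current }

    if ($current -ne $wanted[$name]) {
        Write-Host ("{0}: {1} -> {2}" -f $name, $shown, $wanted[$name])
        Set-ItemProperty -Path $key -Name $name -Value $wanted[$name] -Type DWord
    } else {
        Write-Host ("{0}: already {1}" -f $name, $current)
    }
}

# Read back and verify both values after the change.
$after = Get-ItemProperty -Path $key
foreach ($name in $wanted.Keys) {
    if ($after.$name -ne $wanted[$name]) {
        throw ("Verification failed for {0}: got {1}" -f $name, $after.$name)
    }
}
Write-Host 'EAPOL supplicant values verified.'
# Assumption: the supplicant only picks the new values up after a reboot.
```

The script is idempotent, so it can be pushed repeatedly (for example from a logon or startup script) without churning the registry, and the final verification loop turns a silent partial failure into a visible error.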
Mohieddin Kharnoub
Honored Contributor

Re: 802.1x authentication issues

Hi

The default logoff period the switch waits for client activity before removing an inactive client from the port is 5 minutes (300 sec), and that can be set by the option: aaa port-access authenticator < port-list > [logoff-period]< 1 - 999999999 >

One more thing: the re-auth period, which is the time after which connected clients must be re-authenticated, is by default 0 sec (meaning disabled), so you can try enabling it by the option:
aaa port-access authenticator < port-list > [reauth-period < 0 - 9999999 >]

Also, if you are trying to do that with one port on the switch, then you have a limitation on using an Unauthorized-Client VLAN on an 802.1X port configured to allow multiple-client access.

A client using the Unauthenticated-Client VLAN will be blocked when another client becomes authenticated on the port.
For this reason, the best utilization of the Unauthorized-Client VLAN feature is in instances where only one client is allowed per-port.

Good Luck !!!
Science for Everyone
procurvenewbee
Frequent Advisor

Re: 802.1x authentication issues

Thanks Folks. I will test these fixes and will get back tonight with results and of course points for your support.
Jaguar
Occasional Advisor

Re: 802.1x authentication issues

Hi procurvenewbee,

I'm facing the same situation as yours. Did you manage to resolve your issue?

In my scenario, if a new user logs in (regardless of which Windows group), there will be a "domain not available" message. I have already configured what Matt suggested and still no luck.

If you have resolved your issue, would you mind sharing?
procurvenewbee
Frequent Advisor

Re: 802.1x authentication issues

No, I did not find time to look into this issue.

I plan to test this:

aaa port-access authenticator 1-44 logoff-period 60
aaa accounting update periodic 1
aaa accounting network start-stop radius
aaa accounting exec start-stop radius
aaa accounting system start-stop radius

You should also create machine accounts in the same VLAN/AD group as the user accounts, as Windows XP does not support authenticating machine and user into different VLANs.

Good Luck.