802.1x and Windows roaming profiles

 
Breuk230

Hi,

 

Currently I'm working on an 802.1x implementation. We are using 5800 switches, Windows 2008 NPS and Windows 7 clients. 802.1x is working fine, also with a phone in between. So far so good.

Both user and machine authentication are used. The user will be placed in another VLAN during logon. This works OK and is needed because the customer has several groups.

 

The customer works with roaming profiles; during startup this profile loads OK.

When the user logs off, the roaming profile is not synchronised completely, which is shown by the client. After the next logon the client shows that the roaming profile has problems. This happens when the client logs out and goes from user to machine authentication.

I have updated the Windows 7 client with the latest hotfixes for 802.1x and saw some improvement. However, now it is intermittent. The best results are with not swapping VLANs.

 

Now my question is, has anyone seen or implemented this before? If so, how have you solved it?

I found several topics about this on the Internet where they say not to use user authentication but only machine authentication. However, the customer needs user authentication, so that is not a real option.

 

As far as I know, it is possible to assign dynamic ACLs on the 5800 switches. Maybe this is a solution to give some users different rights in the network compared to others. Unfortunately I cannot find a proper document which describes this in detail and how to implement it. Can anyone help me with this?

 

  • What is necessary to implement dynamic ACLs?
  • Can this be done with Windows NPS 2008, or are IMC, UAM and EAD needed?
  • Or configure the ACL on the switch and after that assign it via a RADIUS policy from NPS? If so, what vendor-specific attributes are needed?

 

If you need more information about the configuration or anything else, please let me know.

 

Thanks in advance.

 

Regards, André