Discussion:
802.1x / VLANs / GPO's
Timothy Maki
2007-11-19 21:09:00 UTC
I am having a problem with setting up 802.1x with dynamic VLANs on our
network. On machines that are not "domain" clients everything works fine, but
I run into problems when I try to connect a client that is part of the
domain. When the client tries to log in they get an error message stating
that the domain was unavailable. When I first got this error I decided to
use the machine auth until the client logged in and then have it reauth as
the user. The problem I have with this is that the client is reauthing while
the GPO is applying settings and/or the startup script is still running. When
this happens the client's VLAN and IP change and the "startup" process
doesn't complete correctly. Any ideas?
--
Timothy Maki
Network Systems Manager
New Hampton School
"Just because something doesn't do what you planned it to do doesn't mean
it's useless." - Thomas Edison
S. Pidgorny <MVP>
2007-11-20 10:06:23 UTC
Do I understand it correctly that your startup script contains code that is
changing the IP address of the system when it runs? Startup script processing is
synchronous by default and, unless you change this, it must finish before user
logon or time out.

Also, in a properly designed system reauthentication mustn't change VLAN or
IP. Is that feature something unique to your environment? I have seen bad
cases of overengineering resulting in effects like this.
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *
Post by Timothy Maki
I am having a problem with setting up 802.1x with dynamic VLANs on our
network. On machines that are not "domain" clients everything works fine but
I run into problems when I try to connect a client that is part of the
domain. When the client tries to log in they get an error message stating
that the domain was unavailable. When I first got this error I decided to
use the machine auth until the client logged in and then have it reauth as
the user. The problem I have with this is that the client is reauthing while
the GPO is applying settings and/or the startup script is still running. When
this happens the client's VLAN and IP change and the "startup" process
doesn't complete correctly. Any ideas?
--
Timothy Maki
Network Systems Manager
New Hampton School
"Just because something doesn't do what you planned it to do doesn't mean
it's useless." - Thomas Edison
Timothy Maki
2007-12-26 16:01:01 UTC
The startup script is not changing the IP address. The IP address is being
changed when the user's VLAN is changed due to the 802.1x login process. We
use different VLANs for different user types (i.e. student vs. teacher) to
separate the traffic.
--
Timothy Maki
Network Systems Manager
New Hampton School
"Just because something doesn't do what you planned it to do doesn't
mean it's useless." - Thomas Edison
Post by S. Pidgorny <MVP>
Do I understand it correctly that your startup script contains code that is
changing the IP address of the system when it runs? Startup script processing is
synchronous by default and, unless you change this, it must finish before user
logon or time out.
Also, in a properly designed system reauthentication mustn't change VLAN or
IP. Is that feature something unique to your environment? I have seen bad
cases of overengineering resulting in effects like this.
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-
* http://sl.mvps.org * http://msmvps.com/blogs/sp *
Post by Timothy Maki
I am having a problem with setting up 802.1x with dynamic VLANs on our
network. On machines that are not "domain" clients everything works fine but
I run into problems when I try to connect a client that is part of the
domain. When the client tries to log in they get an error message stating
that the domain was unavailable. When I first got this error I decided to
use the machine auth until the client logged in and then have it reauth as
the user. The problem I have with this is that the client is reauthing while
the GPO is applying settings and/or the startup script is still running. When
this happens the client's VLAN and IP change and the "startup" process
doesn't complete correctly. Any ideas?
--
Timothy Maki
Network Systems Manager
New Hampton School
"Just because something doesn't do what you planned it to do doesn't mean
it's useless." - Thomas Edison
gio
2008-02-05 00:54:04 UTC
Which EAP authentication type are you using? What authentication mode do you
have Windows set up as?

HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global\AuthMode=

Now I have been testing this and hope to go into production this year. Here
are some of the resources I have used to develop my implementation strategy:

1) Deploying Windows Server 2003 Internet Authentication Service (IAS) with Virtual Local Area Networks (VLANs), Microsoft Corporation, published June 2004

2) HP ProCurve Access Control Security Solution Implementation Guide, July 2004

3) Deployment of IEEE 802.1X for Wired Networks Using Microsoft Windows, published October 2003, updated October 2005

4) Build Guide - Implementing the Wireless LAN Security Infrastructure, Chapter 9: Implementing the Wireless LAN Security Infrastructure, published November 10, 2004, updated November 24, 2004
Post by Timothy Maki
I am having a problem with setting up 802.1x with dynamic VLANs on our
network. On machines that are not "domain" clients everything works fine but
I run into problems when I try to connect a client that is part of the
domain. When the client tries to log in they get an error message stating
that the domain was unavailable. When I first got this error I decided to
use the machine auth until the client logged in and then have it reauth as
the user. The problem I have with this is that the client is reauthing while
the GPO is applying settings and/or the startup script is still running. When
this happens the client's VLAN and IP change and the "startup" process
doesn't complete correctly. Any ideas?
--
Timothy Maki
Network Systems Manager
New Hampton School
"Just because something doesn't do what you planned it to do doesn't mean
it's useless." - Thomas Edison
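Both the advice above that reauthentication mustn't change VLAN or IP and the
original problem (the port moving from the machine's VLAN to the user's VLAN
mid-startup) come down to what the RADIUS server returns in its Access-Accept.
The switch assigns a VLAN from the tunnel attributes defined in RFC 2868 and
profiled for 802.1X VLAN assignment in RFC 3580: Tunnel-Type (13 = VLAN),
Tunnel-Medium-Type (6 = IEEE-802) and Tunnel-Private-Group-ID (the VLAN ID as a
string). The following is an added example, not code from the thread or from
any of the products it mentions: it encodes those attributes for a given VLAN
and decodes them back, so the Access-Accept captured for the machine account
and the one captured for the logged-on user can be compared directly. The
role-to-VLAN map and the tag value are constructed for the example.

```python
# Added example: encode/decode the RADIUS tunnel attributes that carry an
# 802.1X dynamic VLAN assignment (RFC 2868 attributes, RFC 3580 VLAN profile).
import struct

# RADIUS attribute types (RFC 2868) used for VLAN assignment.
TUNNEL_TYPE = 64               # integer; 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65        # integer; 6 = IEEE-802
TUNNEL_PRIVATE_GROUP_ID = 81   # string; the VLAN ID in decimal

VLAN = 13
IEEE_802 = 6

# Constructed role-to-VLAN map for the example; in a real deployment this
# mapping lives in the RADIUS (IAS) remote access policies.
ROLE_VLANS = {"machine": 30, "student": 20, "teacher": 10}


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type(1) Length(1) Value. Length includes the header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vlan_assignment(vlan_id: int, tag: int = 1) -> bytes:
    """Attribute bytes an Access-Accept needs to put the port in vlan_id.

    Tunnel attributes start with a one-byte tag (0x01..0x1F groups attributes
    for the same tunnel; 0x00 means unused). Integer-valued tunnel attributes
    are tag + 3-byte integer; Tunnel-Private-Group-ID is tag + string.
    """
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id out of range")
    if not 0x00 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    ttype = bytes([tag]) + VLAN.to_bytes(3, "big")
    tmedium = bytes([tag]) + IEEE_802.to_bytes(3, "big")
    tgroup = bytes([tag]) + str(vlan_id).encode("ascii")
    return (encode_attr(TUNNEL_TYPE, ttype)
            + encode_attr(TUNNEL_MEDIUM_TYPE, tmedium)
            + encode_attr(TUNNEL_PRIVATE_GROUP_ID, tgroup))


def parse_attrs(data: bytes):
    """Walk a RADIUS attribute list, validating every length field."""
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        yield atype, data[pos + 2:pos + alen]
        pos += alen


def split_tag(atype: int, value: bytes):
    """Return (tag, payload) for a tunnel attribute, or None if malformed."""
    if not value:
        return None
    if atype == TUNNEL_PRIVATE_GROUP_ID:
        # RFC 2868: a first byte above 0x1F is not a tag but part of the string.
        if value[0] > 0x1F:
            return 0, value
        return value[0], value[1:]
    if len(value) != 4:          # integer tunnel attributes are tag + 3 bytes
        return None
    return value[0], value[1:]


def assigned_vlan(data: bytes):
    """VLAN id the attributes assign, or None if no complete, consistent
    VLAN assignment (all three attributes present under one tag) exists."""
    try:
        attrs = list(parse_attrs(data))
    except ValueError:
        return None
    pieces = {}
    for atype, value in attrs:
        if atype not in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            continue
        split = split_tag(atype, value)
        if split is None:
            continue
        tag, payload = split
        pieces.setdefault(tag, {})[atype] = payload
    for group in pieces.values():
        if set(group) != {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID}:
            continue
        if int.from_bytes(group[TUNNEL_TYPE], "big") != VLAN:
            continue
        if int.from_bytes(group[TUNNEL_MEDIUM_TYPE], "big") != IEEE_802:
            continue
        try:
            vid = int(group[TUNNEL_PRIVATE_GROUP_ID].decode("ascii"))
        except ValueError:
            continue
        if 1 <= vid <= 4094:
            return vid
    return None


def demo():
    """Round-trip every constructed role through encode and decode."""
    return {role: assigned_vlan(vlan_assignment(vid)) for role, vid in ROLE_VLANS.items()}


if __name__ == "__main__":
    print(demo())
```

Feeding the attribute bytes of the machine-account Access-Accept and of the
user Access-Accept to assigned_vlan() shows whether the two differ; if they
do, the port will move VLANs at user reauthentication, and the client's
address changing during GPO and startup-script processing follows from that.
A server that leaves out one of the three attributes or uses mismatched tags
produces no assignment at all, which is why the decoder insists on all three
under one tag.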