802.1x with machine based VLAN switching

  • Question


  •  The company I'm working at has been having extensive group policy issues.  Upon investigation I found that they used 802.1x with VLAN switching based on computer authentication, with DHCP operating in the guest VLAN prior to moving across to the live VLANs.  The articles I read suggested that the problems would be caused by Windows XP being unable to handle switching of VLANs.

    I ran a few tests and determined that under the following conditions the problem went away:

    Disable DHCP on the guest VLAN
    Delete the DHCP lease details from the registry

    The computer would boot up fine, NETLOGON would not start until it had leased an IP address, and no errors at all were reported during bootup. The key being no errors from NETLOGON.  However, if I fail to delete the DHCP lease details from the registry prior to rebooting, then the computer would start up trying to use the old IP address, NETLOGON would start prematurely and report no DCs available.

    Is there a registry key that tells Windows XP not to remember the IP it used to have, so that it simply starts up as if it had no valid lease details from before the previous shutdown?

    If there isn't then it looks like I may have to script something in the shutdown to delete the registry entries relating to DHCP leases so when it powers back on it works correctly and NETLOGON doesn't start until it has a confirmed IP address.

    Thanks for any help on this!

    Michael
    Friday, September 12, 2008 7:38 PM

Answers

  • Hi Michael,

    Please try this solution and let me know if it works for you.

    In the DHCP options on the DHCP server you can configure the client to “Release DHCP lease on Shutdown”. Should work for XP & W2k clients.

    • In your DHCP scope, under Server Options, Configure Options, Advanced tab
    • Select Microsoft Options in the Vendor Class
    • Select option 002

    The above will only work if APIPA is disabled on the client machines:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<adapter name>

    In this registry key, create DWORD Value: IPAutoconfigurationEnabled with HEX value of 0

    After the changes, restart the computer for the new settings to take effect.

    There is also a registry key for this if Microsoft DHCP is not used.

    [HKLM\System\CurrentControlSet\Services\TCPIP\Parameters\Interfaces\<adapter_guid>]

    Create DWORD Value here: ReleaseOnShutdown with HEX value of 1

    Again, APIPA must be disabled on the XP machines for the ReleaseOnShutdown key to
    work.

    The behavior for different values of ReleaseOnShutdown is:

    • 0 (RELEASE_ON_SHUTDOWN_NEVER) - don't release the lease on shutdown
    • 2 (RELEASE_ON_SHUTDOWN_OBEY_DHCP_SERVER) - release or leave the lease depending on what the server instructed (OPTION_MSFT_VENDOR_FEATURELIST:BIT_RELEASE_ON_SHUTDOWN).
    • Anything else (RELEASE_ON_SHUTDOWN_ALWAYS) - release the lease on shutdown

    If the reg key is missing, it defaults to RELEASE_ON_SHUTDOWN_OBEY_DHCP_SERVER.

    -Greg

    Wednesday, September 17, 2008 7:59 PM
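
An added example, not part of Greg's post: a PowerShell script that audits the two per-interface values described above on every key under `Tcpip\Parameters\Interfaces` and, when asked, sets them. The `-Apply` switch and the `Get-ReleaseMode` helper are hypothetical names chosen for this example; it assumes PowerShell 3.0 or later and an elevated session.

```powershell
# Added example: audit (and optionally set) ReleaseOnShutdown and
# IPAutoconfigurationEnabled on every TCP/IP interface key.
[CmdletBinding()]
param(
    [switch]$Apply   # hypothetical switch: write the values instead of only reporting
)

$root = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'

# Map a ReleaseOnShutdown value to the behaviour listed in the answer.
function Get-ReleaseMode {
    param($Value)   # $null when the registry value is missing
    if ($null -eq $Value) { return 'OBEY_DHCP_SERVER (value missing)' }
    switch ([int]$Value) {
        0       { 'NEVER' }
        2       { 'OBEY_DHCP_SERVER' }
        default { 'ALWAYS' }
    }
}

Get-ChildItem -Path $root | ForEach-Object {
    $key = $_.PSPath

    if ($Apply) {
        # Disable APIPA, then force a release on every shutdown.
        New-ItemProperty -Path $key -Name IPAutoconfigurationEnabled `
            -Value 0 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name ReleaseOnShutdown `
            -Value 1 -PropertyType DWord -Force | Out-Null
    }

    # Missing values read back as $null, which the checks below handle.
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        Interface     = $_.PSChildName
        ApipaDisabled = ($p.IPAutoconfigurationEnabled -eq 0)
        ReleaseMode   = Get-ReleaseMode $p.ReleaseOnShutdown
    }
}
```

Run without `-Apply` the script changes nothing and only lists each interface GUID with its current state.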

All replies

  • Hi Michael,

    I will look into this for you. There is a thread where Jeff Sigman provided some registry keys that might help. Can you give these a try (provided below)?

    For Ethernet:

    [HKLM\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters\DhcpGlobalForceBroadcastFlag\0] "0"=dword:00000001


    For Wireless adapter:

    [HKLM\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters\DhcpGlobalForceBroadcastFlag\0] "1"=dword:00000001

    Thanks,
    -Greg

    Saturday, September 13, 2008 4:39 PM
  • Thank you for your responses, and sorry for the slow response; I was off work last week.  I tried the first option already, but it did not appear to fix the problem.  The second suggestion looks very promising. I was hunting all over for that sort of information; you should make it a KB article!

    I'm off to try these changes in our environment

    Thanks again.

    Michael
    Monday, September 22, 2008 11:22 AM
  • The pure registry key based change looks good, I got a couple of DHCP warnings - but no word from NETLOGON failing to locate a domain controller like before!

    One question I have is, if someone, say, changes a system board or deletes the adaptor out of device manager, will the setting persist?  Or will I have to recreate it?  I'm not sure how I can make it persistent given that without it group policy does work correctly and startup scripts typically fail to run.....
    Monday, September 22, 2008 6:25 PM