802.1x dynamic vlan - changing user doesn't change the vlan

    Question

  • Hi,

    I'm trying to get 802.1x dynamic vlan working. The idea is that when IT people are logging in to the computer it gets vlan 50, which works, but when the IT person is logging off the switchport is still authorized and in vlan 50. I was hoping that it would unauthorize the port and when for example someone from sales is logging in that it would have vlan 20, but what really happens is that it's still in vlan 50.
    When I unauthorize the port manually and login as a sales person then it changes the vlan to 20.

    The Wired autoconfig service has been changed to automatically and I also added a GPO object for the "Wireless Network (IEEE 802.11) Policies".

    It seems that when a user is logging off it won't send the EAPOL-Logoff message to the switch.
    I can't seem to find out how to force this.

    Am I missing a config somewhere on the NPS or GPO?

    Wednesday, May 30, 2018 10:24 AM

All replies

  • Hi,

    Thanks for your question.

    In order to use network policy to assign users to a VLAN, you need to use VLAN-aware network hardware. It appears that your device supports creating VLANs. Generally, unmanaged switches will not support Dynamic VLAN with NPS.

    For more detailed information about configuration, please refer to the following article. Hope it helps.

    Configure a Network Policy for VLANs

    http://technet.microsoft.com/en-us/library/cc772124(v=ws.10).aspx

    VLAN Attributes Used in Network Policy

    http://technet.microsoft.com/en-us/library/cc754422(v=ws.10).aspx

    Best Regards,

    Michael


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, June 04, 2018 1:15 PM
  • Hi Michael,

    Thank you for your reply.

    We use a Cisco Catalyst 2960-X which is a managed switch.
    The Dynamic Vlan part does work because when I reset the authorization of the port, so that it is back to an unauthorized state, and I login with a different user that has another vlan configured, it works.

    The main problem that I'm having is that when I log out, it should unauthorize the port and remove the vlan. When I login with another account it should authorize it again by sending an EAPOL-Start message, but in my current case it's still authorized with the credentials of the user before.

    I'm guessing that I still need to do something on the Windows side, but can't figure out what part I'm missing.

    Best Regards,

    Jonathan

    Monday, June 04, 2018 1:38 PM
  • Hi,

    Here is an article that talks about configuring network access devices based on certificates with Windows NPS authentication for your reference. You may check that this setting for NPS is correct. Hope this helps.

    http://dailysysadmin.com/KB/Article/690/configure-802-1x-certificate-based-authentication-meraki-wireless-access-points-microsoft-nps-authentication/

    If you have questions and concerns, please don't hesitate to let me know.

    Best regards,

    Michael



    Wednesday, June 06, 2018 2:18 PM
  • Hi,

    How are things going on? Was the issue resolved?

    Please let us know if you would like further assistance.

    Best regards,

    Michael



    Tuesday, June 12, 2018 3:30 PM
  • Hi Michael,

    The funny thing is that we implemented some Meraki APs with 802.1x authentication and this works.

    We are now trying to do the same thing for our cable network. The config on the NPS seems to be good.
    The real problem that we are facing now is that when a user logs off the device is still authenticated. This means that a user who isn't in the correct group can still have access.

    Status Quo:

    NPS is configured to allow IT people on the LAN. Arnold from IT is logging in to the computer and has access to the LAN. When he is done with his work he signs out of the system. Samantha from sales logs on to the same computer after 5 minutes and even though she shouldn't have access to the LAN, she is able to access it.

    Should be:

    NPS is configured to allow IT people on the LAN. Arnold from IT logs into the computer and like before he signs out after he has done his work. When Samantha tries to log on to the computer she doesn't get any network access because she isn't part of the IT group.

    It seems that when Arnold logs out of the computer that he doesn't de-authenticate the port that the computer is on.

    Best Regards,

    Jonathan

    Tuesday, June 12, 2018 5:53 PM
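The symptom described in the original question and restated in the last post (a user's VLAN surviving that user's logoff on a wired port) is what the Windows wired supplicant's single sign-on setting exists for. In the Wired Network (IEEE 802.3) Policies GPO it is the advanced 802.1X setting "This network uses separate virtual LANs for machine and user authentication", which maps to the userBasedVirtualLan element of the OneX profile schema; the thread mentions only the Wireless Network (IEEE 802.11) policy, which does not configure the wired supplicant. The PowerShell below is an added example, not code from the thread or from Microsoft: it exports the active wired profile with netsh lan, inserts a singleSignOn block with userBasedVirtualLan enabled, and re-imports the profile. The interface name "Ethernet", the working folder, the maxDelay value, and the assumption that the exported profile already carries a working EAPConfig section are mine.

```powershell
# Added example (not from the thread). Enables single sign-on with user-based VLAN
# on the active wired 802.1X profile. Requires the Wired AutoConfig service (dot3svc)
# to be running, which the original poster already set to Automatic.
param(
    [string]$Interface = "Ethernet",                 # assumed adapter name
    [string]$WorkDir   = "$env:TEMP\dot1x-profile"   # assumed scratch folder
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Force -Path $WorkDir | Out-Null

# 1. Export the current wired profile; netsh writes one XML file per interface.
netsh lan export profile folder="$WorkDir" interface="$Interface" | Out-Null
$file = Get-ChildItem -Path $WorkDir -Filter '*.xml' | Select-Object -First 1
if (-not $file) { throw "No wired profile was exported for interface '$Interface'" }

# 2. Load the profile and locate the OneX (802.1X) element by its schema namespace.
[xml]$doc = Get-Content -Path $file.FullName -Raw
$ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
$ns.AddNamespace('lan',  'http://www.microsoft.com/networking/LAN/profile/v1')
$ns.AddNamespace('onex', 'http://www.microsoft.com/networking/OneX/v1')
$onexUri = $ns.LookupNamespace('onex')
$onex = $doc.SelectSingleNode('//onex:OneX', $ns)
if (-not $onex) { throw "Profile has no OneX section; 802.1X is not enabled on it" }

# 3. Build <singleSignOn>. Replace any existing block so the script is idempotent.
$existing = $onex.SelectSingleNode('onex:singleSignOn', $ns)
if ($existing) { $onex.RemoveChild($existing) | Out-Null }
$sso = $doc.CreateElement('singleSignOn', $onexUri)
foreach ($pair in @(
        @('type',                  'preLogon'),  # authenticate the user before logon completes
        @('maxDelay',              '10'),        # assumed: seconds to wait for connectivity
        @('allowAdditionalDialogs','false'),
        @('userBasedVirtualLan',   'true'))) {   # VLAN may change with the user's credentials
    $el = $doc.CreateElement($pair[0], $onexUri)
    $el.InnerText = $pair[1]
    $sso.AppendChild($el) | Out-Null
}
# The OneX schema is an ordered sequence: singleSignOn must come before EAPConfig.
$eap = $onex.SelectSingleNode('onex:EAPConfig', $ns)
if ($eap) { $onex.InsertBefore($sso, $eap) | Out-Null } else { $onex.AppendChild($sso) | Out-Null }

# 4. Save the modified profile and re-import it over the existing one.
$out = Join-Path $WorkDir 'wired-sso.xml'
$doc.Save($out)
netsh lan add profile filename="$out" interface="$Interface"
```

After the import, `netsh lan show profiles interface="Ethernet"` should list single sign-on as enabled; the per-machine test that matches the thread's "Status Quo" is to sign Arnold off and, before Samantha signs on, check the port on the 2960-X with `show authentication sessions interface <port>` to see whether the session is still bound to Arnold's identity and VLAN. If it is, the gap is on the switch side (re-authentication is not being triggered) rather than in the Windows profile.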