(NPS) Problems with changing VLAN

  • Question

  • This is our situation, for the test scenario we used the same setting as the step-by-step guide.
    http://www.microsoft.com/en-us/download/details.aspx?id=733

    1 Switch (D-link DGS-3324SR) 192.168.0.3
    2 Clients (windows 7) 192.168.0.100 & 192.168.0.101
    1 NPS server (Windows 2008 R2) 192.168.0.2
    1 AD (Windows 2003) 192.168.0.1

    But if one client is compliant and the other one is not, they can still ping each other. I configured the switch so the clients cannot ping each other when they're connected to different VLANs.
    I tested this by connecting Client1 to an untagged port on VLAN2 and Client2 to an untagged port on VLAN3. If I don't make use of NPS, pinging is not possible; when using NPS, pinging is possible. So therefore I think the VLAN switching is not correct.

    Like I said, I followed the MS step-by-step guide.
    For testing I made three VLANs:
    1 default
    2 compliant
    3 non-compliant

    I connected all servers and clients to VLAN 1 (untagged).

    If a client is compliant with the policy it must go to VLAN 2, if not it must go to VLAN 3.
    The settings are the same as the test lab guide.
    If I turn off the firewall it shows the message that limited network access is possible, which is the correct message.
    Authentication is also correct, because I don't have access if I don't fill in username/password.

    Does anyone have any idea why our setup doesn't work?

    Thanks in advance!

    Wednesday, May 30, 2012 1:05 PM

All replies

  • Hi,

    From your description, it appears that the client computer was evaluated as non-NAP-capable, but it is not assigned to the right VLAN. Please check the VLAN attributes settings of the network policy. For more information, you may refer to the following articles.

    VLAN Attributes Used in Network Policy

    http://technet.microsoft.com/en-us/library/cc754422(v=ws.10).aspx

    Configure a Network Policy for VLANs

    http://technet.microsoft.com/en-us/library/cc772124(v=ws.10).aspx

    Troubleshooting NAP Problems

    http://technet.microsoft.com/en-us/library/dd348446(v=ws.10).aspx

    Best Regards,

    Aiden


    Aiden Cao

    TechNet Community Support

    Friday, June 1, 2012 2:39 AM
  • Hi,

    I assume the switch has a command line interface. To troubleshoot this sort of problem you must issue a "show vlan" command and verify that the client computers are successfully moving to the correct VLANs.

    It sounds like you've eliminated the possibility that inter-VLAN routing is enabled since you can't ping when you statically move a client to a different VLAN. The dynamic VLAN swapping might not be working either due to a misconfiguration in policies on NPS, or settings on the switch, or due to a lack of support on the switch for RADIUS tunnel attributes.

    I am guessing that all your clients are staying on VLAN 1 and none of them are moving to VLAN 2 or 3 dynamically. The most likely explanation is a mistake in switch configuration for the VLANs.

    -Greg

    • Marked as answer by R_B_O Friday, June 1, 2012 11:42 AM
    • Unmarked as answer by R_B_O Friday, June 1, 2012 11:42 AM
    Friday, June 1, 2012 8:15 AM
  • Thanks for answers and suggestions. The solution is pretty stupid though.

    This switch doesn't support dynamic VLAN switching.

    After a couple of hours struggling and sniffing network packages I tried another switch (D-Link DGS-3120-24TC), and it worked immediately. Then I looked up the specifications of this switch and there was nothing mentioned about dynamic VLAN switching.

    • Marked as answer by R_B_O Friday, June 1, 2012 11:42 AM
    Friday, June 1, 2012 11:41 AM