802.1x, dynamic VLANs, roaming profiles (NAP on Server 2008, Win 7 Clients)

  • Question

  • Hi!

    I have a problem implementing 802.1x authentication in a LAN.

    Target:
    Hosts and users should be authenticated by a Radius Server. According to the user / machine group, the port on the Switch should be changed to the corresponding VLAN. The Client PCs are in the domain and roaming profiles are used.


    Radius Server: MS Server 2008 R2
    Client: MS Windows 7
    Switch: Cisco Catalyst 3560


    Steps that are working so far:
    1. Switchport is programmed to access a very restricted VLAN
    2. After the PC is authenticated, it is moved to a less restricted VLAN, where the domain controller can be reached
    3. User logon
    3a. Radius Server authenticates the user
    3b. VLAN on Switch is changed
    3c. Roaming profile is loaded


    The above steps work fine, but at the logoff a problem occurs:
    1. user (authenticated) clicks on "logoff"
    2. PC is authenticated
    3. VLAN on the Switch is changed
    4. Roaming profile synchronisation: exactly this step fails, because the PC is already in a VLAN that has no access to the fileserver.

    Do you have any idea how to handle this problem? Or other implementation suggestions to use both computer and machine authentication?

    Regards

    Thursday, December 2, 2010 4:09 PM
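The dynamic VLAN assignment the question relies on is carried in the RADIUS Access-Accept as the RFC 3580 tunnel attributes. The following Python is an added example, not code from the thread or from Microsoft or Cisco: it encodes those attributes the way a RADIUS policy would return them for the machine and for the user identity, parses them the way the switch does, and shows why the port moves as soon as the supplicant falls back to the machine identity at logoff. The VLAN numbers and the machine/user policy are assumptions.

```python
import struct

# RFC 2868 tunnel attributes; RFC 3580 uses them to assign a VLAN to an 802.1X port.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13     # Tunnel-Type "VLAN"
TUNNEL_MEDIUM_802 = 6     # Tunnel-Medium-Type "IEEE-802"

# Constructed policy (assumption): the VLAN the RADIUS server returns per identity.
VLAN_POLICY = {
    "machine": 20,   # computer account: reaches the DC, not the file server
    "user": 30,      # user account: full access including the file server
}

def _attr(code, value):
    """Encode one RADIUS attribute as Type, Length, Value (Length covers the header)."""
    return struct.pack("!BB", code, 2 + len(value)) + value

def vlan_attributes(identity_kind, tag=1):
    """Build the three tunnel attributes an Access-Accept carries for a dynamic VLAN."""
    vlan = VLAN_POLICY[identity_kind]
    return (_attr(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + _attr(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_802.to_bytes(3, "big"))
            + _attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan).encode()))

def parse_vlan(attrs):
    """Walk the attribute list as the switch does; return the assigned VLAN or None."""
    found, i = {}, 0
    while i + 2 <= len(attrs):
        code, length = attrs[i], attrs[i + 1]
        if length < 2 or i + length > len(attrs):
            raise ValueError("malformed RADIUS attribute")
        value = attrs[i + 2:i + length]
        if code in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            found[code] = int.from_bytes(value[1:], "big")   # byte 0 is the tag
        elif code == TUNNEL_PRIVATE_GROUP_ID and value:
            # RFC 2868: a first byte above 0x1F is string data, not a tag
            gid = value[1:] if value[0] <= 0x1F else value
            found[code] = gid.decode("ascii", "replace")
        i += length
    gid = found.get(TUNNEL_PRIVATE_GROUP_ID)
    if (gid and found.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
            and found.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_802):
        return int(gid) if gid.isdigit() else gid   # switches also accept VLAN names
    return None

def logoff_moves_port():
    """The thread's race: at logoff the supplicant re-authenticates as the machine, and the
    switch applies the machine VLAN while the roaming profile is still being written."""
    return parse_vlan(vlan_attributes("user")) != parse_vlan(vlan_attributes("machine"))
```

Because the two Access-Accepts differ only in Tunnel-Private-Group-ID, the port leaves the user VLAN as soon as the machine identity is authorised; the profile upload then runs in a VLAN that cannot reach the file server.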

Answers

  • Hi,

    Thanks for the update.

    I believe that the port VLAN redirection delay time setting is mostly related to the switch device; in this case, you may also post this issue to the Cisco forum and check whether someone who is familiar with these would post a solution for you.

    https://supportforums.cisco.com/index.jspa

    Meanwhile, you may also refer to the link below if you decide to implement computer-only 802.1x authentication. The method in the article is applied to Windows Server 2008 and Windows Vista; I believe it could also be applied to a Windows Server 2008 R2/Windows 7 environment.

    How to enable computer-only authentication for an 802.1X-based network in Windows Vista, in Windows Server 2008, and in Windows XP Service Pack 3

    http://support.microsoft.com/kb/929847

    Thanks.

    Tiger Li


    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfb@microsoft.com


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Monday, December 6, 2010 6:49 AM

All replies

  • Hi,

    Thanks for posting here.

    Actually, deploying roaming profiles with 802.1X authentication is not recommended; please take a look at the article below:

    You experience problems when you try to obtain Group Policy objects, roaming profiles, and logon scripts from a Windows Server 2003-based domain controller

    http://support.microsoft.com/kb/935638

    However, some workarounds may help you to handle this issue:

    · Use computer-only authentication.

    · Reduce the size of the roaming profile. Then, you can finish roaming profile synchronization before authentication times out.

    · Set a delay time after the user logs off on the switch. It seems you are using a Cisco device, so perhaps you may take a look at the utility in the link below:

    Delay switching of VLAN after logoff (secs)

    Number of seconds to delay switching a user's VLAN on logoff (selected by default with a delay value of 1).

    Enter the number of seconds to delay.

    Use this option to provide Windows 2000 enough time to write a user's roaming profile during logoff.

    http://www.cisco.com/en/US/products/sw/secursw/ps2136/products_user_guide_chapter09186a00801f0d43.html

    Important Note: This response contains a reference to a third party World Wide Web site. Microsoft is providing this information as a convenience to you. Microsoft does not control these sites and has not tested any software or information found on these sites; therefore, Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. There are inherent dangers in the use of any software found on the Internet, and Microsoft cautions you to make sure that you completely understand the risk before retrieving any software from the Internet.

    Thanks.

    Tiger Li


    Friday, December 3, 2010 2:14 AM
  • Thanks for your answer.

    I had already found that this combination is not recommended in a 2003 environment, but there was nothing written about 2008, so I thought it might be working.

    The third party tool by Cisco (Secure User Registration Tool) is no longer available and there is not even a version for Windows 7, so the delay might not be that easy to implement. On the switch I have not found any delay function, but I'll have a look again.

    Probably the other option, to use only computer authentication, sounds like an acceptable alternative.

    Thanks & Cheers.

    Friday, December 3, 2010 3:56 PM
  • Hi,

    If there is any update on this issue, please feel free to let us know.

    We are looking forward to your reply.

    Thanks.

    Tiger Li



    Tuesday, December 7, 2010 8:14 AM