Strange behaviour with Windows 7 Pro on 802.1X+dynamic VLAN environment

  • General discussion

  • We're currently migrating our client and server operating systems to Windows 7 Pro and Server 2008 R2. We also bought networking machines to make our LAN 802.1X+Dynamic VLAN capable, for security reasons. I've been working in a lab with a Windows 7 Pro client machine and Windows 2008 R2 with the Domain Controller role, Active Directory, Active Directory Certificate Services, Network Policy and Access Services and DNS Server. The DHCP Server is on a 3rd machine and works properly with dynamic VLAN assignment.

    Our idea is to perform a user-based logon via 802.1X to assign a VLAN depending on RADIUS (NPS) policies. I configured the client machine, enabling 802.1X using User authentication and Single Sign-on, and everything seems to be OK. But when the 1st user to access logs off, the client computer does not send an EAPOL-Logoff message and the 802.1X port status stays on Authorized. When another user tries to access, the client doesn't send any EAPOL-Start message to re-authenticate the user and obviously the login fails and shows "Cannot connect to network".

    I read here http://social.technet.microsoft.com/Forums/en-US/winserverNAP/thread/701afaf2-0974-44e2-b3cb-9862c90242fb that using Machine and user authentication forces the client to send EAPOL-Start/Logoff messages prior to authenticating the machine account when no user is logged in.

    Using this configuration we got the following:

    1st user: OK. Logs in and is redirected to the correct VLAN.
    1st user logoff: Machine authentication UnAuthorizes the 802.1X connection. The port stays unauthorized because the machine authentication is denied by RADIUS server policies.
    2nd user login attempt: the client shows "Connecting to network" but it is the same: in the switch debug there's no activity from the client machine. It holds like this until the timeout period is reached, then shows "Cannot connect to network" and then tries to contact a domain controller...

    For now we've only found one way to make it work: using machine and user authentication and authorizing the machine account, but giving it limited network access. It seems that the client machine needs a successful machine authentication before it can authenticate users correctly. I'm wondering why this is not possible using only user authentication:

    User provides credentials -> 802.1X Authorization -> VLAN assignment depending on RADIUS policies -> Domain Login -> User Session -> User starts Logoff -> Domain Logoff -> 802.1X UnAuthorization -> ... New user provides credentials -> 802.1X Authorization -> (...)

    Thank you for your help
    • Edited by eduardvz Monday, August 24, 2009 12:01 PM
    Monday, August 24, 2009 8:49 AM

All replies

  • I experience the same problem. When I restart my system and log in, the internet connections keep saying that there are multiple networks. When I tried to diagnose it using the tools provided, it seemed that there was no problem detected.

    So, I unplug and plug in my LAN cable to do a hard reset, or I disable and enable the network adapter to get my system to connect to the network. Let me know when this issue has been solved.

    So far this is the only significant issue.
    Monday, August 24, 2009 9:40 AM
  • I'm not sure if you have completely abandoned this setup by now, but I've been fighting this same issue for a while. During my latest round of troubleshooting I decided to try the setup on a different wireless computer and to my surprise everything worked for me. It didn't work on an Atheros AR9285 card but did work on a Linksys WMP600N Dual-Band Wireless-N PCI card in a desktop. I am going to further try this on other wireless devices with different wireless cards just to see what features are needed on the card to get this to work correctly, and then most likely replace the internal wireless NICs on my laptops that it won't work on.

    Good luck!

    Friday, March 4, 2011 3:16 PM