Wired Dot1x Failure

(OP)
Hello there,

  About three months ago the company I work for went through a network segmentation project. We also implemented wired Dot1x. Since the implementation we've been experiencing endless login issues on the domain. It is totally unpredictable: it works on one start-up and then not at the next.
 
Our clients are XP SP3 (Wired AutoConfig is started) on a Windows 2008 native domain. The radius server is Windows 2008 NPS and the switches we use are 3Com (5500-EI Software Version 3Com OS V3.03.02s168ep10). DHCP scopes on all VLANs. Not that I think this is worth mentioning, but the NPS server is virtualised.
 
This is what we want to achieve:
1) XP client boots up. If it is a valid domain client it must machine auth into the 200 VLAN. If the client is unknown, it should fail into the guest VLAN(252).
2) When the user logs in. If the user is a valid domain user it must user auth into the 200 VLAN. If the user is a local user on the client, it must fail the client into the guest VLAN(252).
 
Also to mention we have Mitel Phone handsets and use the phone's switch for the client machines to connect to the network. (Radius <--> 3Com Switch <--> Mitel Phone (with switch) <--> XP Client) Phones end up in VLAN 16, but for this test I omitted the Phone, since the client machine auth fails with or without the phone connected.
 
We have also tested different hardware/OS builds to prove it's not a build/hardware issue.
 
From the switch config below you will notice that we use "dot1x dhcp-launch", but I've also tested without this setting. I've also tested "dot1x unicast-trigger", but although the XP clients appear to have more success, the unauthorised clients don't end up in the guest VLAN. The switch port just stays shut.
 
#********************************************************************
SWITCH CONFIG:
 
[PH-Edge2-Ethernet3/0/15]display current-configuration
#
 sysname PH-Edge2
#
 radius nas-ip 172.16.1.3
#
 local-server nas-ip 127.0.0.1 key *******
#
 domain default enable bogus.com
#
 poe legacy enable
#
 lldp enable
 lldp timer tx-interval 5
#
 port-security enable
 port-security trap addresslearned
#
 igmp-snooping enable
#
#
 dot1x timer tx-period 5
 dot1x timer supp-timeout 10
 dot1x timer reauth-period 120
 dot1x dhcp-launch
 dot1x authentication-method eap
 dot1x supp-proxy-check trap
 dot1x supp-proxy-check logoff
 undo dot1x handshake enable
#
 MAC-authentication domain bogus.com
#
radius scheme system
radius scheme BOGUS-Radius-Scheme
 server-type extended
 primary authentication 172.16.4.5
 primary accounting 172.16.4.5
 secondary authentication 172.16.4.6
 secondary accounting 172.16.4.6
 accounting optional
 key authentication *******
 key accounting *******
 nas-ip 172.16.1.3
#
domain bogus.com
 scheme lan-access radius-scheme BOGUS-Radius-Scheme
 scheme login local
 accounting lan-access radius-scheme BOGUS-Radius-Scheme
 vlan-assignment-mode string
domain system
#
 stp mode rstp
 stp instance 0 priority 16384
#
#
vlan 1
 name management
#
vlan 4
 name Servers-and-Printers
 igmp-snooping enable
#
vlan 8
 name Desktops
 igmp-snooping enable
#
vlan 16
 name VOIP Vlan
 igmp-snooping enable
#
vlan 252
 name Guest-Limited-Access
 igmp-snooping enable
#
 
#********************************************************************
 
Port Setting:
 
interface Ethernet3/0/15
 poe enable
 stp edged-port enable
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 16 252
 port trunk pvid vlan 252
 broadcast-suppression pps 3000
 undo jumboframe enable
 undo voice vlan mode auto
 voice vlan enable
 port-security max-mac-count 5
 port-security port-mode userlogin-secure-or-mac
 port-security guest-vlan 252
 dot1x max-user 2
 dot1x re-authenticate
 apply qos-profile BOGUS-qos
 
#********************************************************************
 
After failed bootup registered mac:
 
[PH-Edge2-Ethernet3/0/15]display mac-address interface Ethernet 3/0/15
Unit 2
MAC ADDR        VLAN ID   STATE          PORT INDEX               AGING TIME(s)
0022-1917-2f83 252       Learned        Ethernet3/0/15           AGING
 
 --- 1 mac address(es) found on port Ethernet3/0/15 ---
 
#********************************************************************
 
Errors in the NPS event viewer logs:
 
Network Policy Server denied access to a user.
 
Contact the Network Policy Server administrator for more information.
 
User:
            Security ID:                              NULL SID
            Account Name:                                    00-22-19-17-2f-83@bogus.com
            Account Domain:                                  BOGUS
            Fully Qualified Account Name: BOGUS\00-22-19-17-2f-83@bogus.com
 
Client Machine:
            Security ID:                              NULL SID
            Account Name:                                    -
            Fully Qualified Account Name: -
            OS-Version:                             -
            Called Station Identifier:                        -
            Calling Station Identifier:                       0022-1917-2f83
 
NAS:
            NAS IPv4 Address:                 172.16.1.3
            NAS IPv6 Address:                 -
            NAS Identifier:                         00186e4bd142
            NAS Port-Type:                                   Ethernet
            NAS Port:                                50393340
 
RADIUS Client:
            Client Friendly Name:               BOGUSHouse-Edge2
            Client IP Address:                                172.16.1.3
 
Authentication Details:
            Connection Request Policy Name:        Use Windows authentication for all users
            Network Policy Name:             -
            Authentication Provider:                        Windows
            Authentication Server:               BOGUSRA01.bogus.com
            Authentication Type:                 PAP
            EAP Type:                               -
            Account Session Identifier:                    -
            Logging Results:                                    Accounting information was written to the local log file.
            Reason Code:                           16
            Reason:                                                Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
 
#********************************************************************
 http://imgur.com/ED8Hg.jpg
#********************************************************************
 
After successful bootup registered mac:
 
[PH-Edge2-Ethernet3/0/15]display mac-address interface Ethernet 3/0/15
Unit 2
MAC ADDR        VLAN ID   STATE          PORT INDEX               AGING TIME(s)
0022-1917-2f83 200       Learned        Ethernet3/0/15           AGING
0022-1917-2f83 252       Learned        Ethernet3/0/15           AGING
 
 --- 2 mac address(es) found on port Ethernet3/0/15 ---
 
#********************************************************************
 
Success in the NPS event viewer logs:
 
Network Policy Server granted full access to a user because the host met the defined health policy.
 
User:
            Security ID:                              BOGUS\BOGUS-PC018$
            Account Name:                                    host/BOGUS-pc018.bogus.com
            Account Domain:                                  BOGUS
            Fully Qualified Account Name: bogus.com/NewStructure/IT/Computers/Desktops/BOGUS-PC018
 
Client Machine:
            Security ID:                              NULL SID
            Account Name:                                    -
            Fully Qualified Account Name: -
            OS-Version:                             -
            Called Station Identifier:                        -
            Calling Station Identifier:                       0022-1917-2f83
 
NAS:
            NAS IPv4 Address:                 172.16.1.3
            NAS IPv6 Address:                 -
            NAS Identifier:                         00186e4bd142
            NAS Port-Type:                                   Ethernet
            NAS Port:                                50393288
 
RADIUS Client:
            Client Friendly Name:               BOGUSHouse-Edge2
            Client IP Address:                                172.16.1.3
 
Authentication Details:
            Connection Request Policy Name:        Use Windows authentication for all users
            Network Policy Name:             Dot1x-Access-To-BOGUS-Support-PC's Vlan 200
            Authentication Provider:                        Windows
            Authentication Server:               BOGUSRA01.bogus.com
            Authentication Type:                 PEAP
            EAP Type:                               Microsoft: Secured password (EAP-MSCHAP v2)
            Account Session Identifier:                    -
 
Quarantine Information:
            Result:                                      Full Access
            Extended-Result:                                  -
            Session Identifier:                                  -
            Help URL:                                -
            System Health Validator Result(s):        -
 
#********************************************************************
 http://imgur.com/UURRt.jpg
#********************************************************************
 
The failed NPS event entry tries PAP authentication with user: 00-22-19-17-2f-83@bogus.com. The successful NPS event entry succeeded with PEAP with user: host/BOGUS-pc018.bogus.com.
 
We're currently at the stage where we're considering dropping Dot1x and moving to manual port control, but thought we'd give a few forums a go to see if someone has some suggestions. Any help or ideas are welcome.
 
Thanks,
 
T
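An added example, not part of the original post and not the poster's own code, that parses NPS event bodies in the text layout quoted above and correlates them by Calling-Station-Identifier. It is written for the symptom the post describes: the same client MAC produces a denied PAP entry whose username is its own MAC address and, on another boot, a granted PEAP entry for the host account. The assumption encoded in the `mac_auth` flag is that a PAP request whose username equals the caller's MAC comes from the switch's MAC-authentication fallback (the quoted config has `port-security port-mode userlogin-secure-or-mac` and `MAC-authentication domain bogus.com`) rather than from the XP supplicant; the two sample events are abridged from the ones in the post.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the two NPS events quoted in the post, abridged to the
# fields the code reads (one denied, one granted, same client MAC).
SAMPLE_EVENTS = [
r"""Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
            Security ID:                              NULL SID
            Account Name:                                    00-22-19-17-2f-83@bogus.com

Client Machine:
            Security ID:                              NULL SID
            Account Name:                                    -
            Calling Station Identifier:                       0022-1917-2f83

Authentication Details:
            Network Policy Name:             -
            Authentication Type:                 PAP
            EAP Type:                               -
            Reason Code:                           16
            Reason:                                                Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
""",
r"""Network Policy Server granted full access to a user because the host met the defined health policy.

User:
            Security ID:                              BOGUS\BOGUS-PC018$
            Account Name:                                    host/BOGUS-pc018.bogus.com

Client Machine:
            Security ID:                              NULL SID
            Account Name:                                    -
            Calling Station Identifier:                       0022-1917-2f83

Authentication Details:
            Network Policy Name:             Dot1x-Access-To-BOGUS-Support-PC's Vlan 200
            Authentication Type:                 PEAP
            EAP Type:                               Microsoft: Secured password (EAP-MSCHAP v2)
""",
]

# "Key:   value" lines; the key is matched non-greedily so values that contain
# a colon (e.g. "Microsoft: Secured password ...") are kept whole.
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z0-9 \-/()]*?):\s*(.*)$")
MAC_RE = re.compile(r"^[0-9a-f]{2}([-:.]?[0-9a-f]{2}){5}$", re.I)


def normalize_mac(value):
    """'0022-1917-2f83' or '00-22-19-17-2f-83' -> '002219172f83'; None if not a MAC."""
    if not value or not MAC_RE.match(value):
        return None
    return re.sub(r"[^0-9a-fA-F]", "", value).lower()


def parse_event(text):
    """Split one NPS event body into its summary line and {section: {field: value}}.
    A 'Key:' line with no value starts a new section (User, Client Machine, ...)."""
    event = {"summary": "", "sections": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not event["summary"]:
            event["summary"] = line
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue                      # free text such as "Contact the ... administrator"
        key, val = m.group(1).strip(), m.group(2).strip()
        if val == "":
            section = key
            event["sections"].setdefault(section, {})
        elif section is not None:
            event["sections"][section][key] = val
    return event


def field(event, section, key):
    """Return a field value, treating NPS's '-' placeholder as absent."""
    val = event["sections"].get(section, {}).get(key)
    return None if val in (None, "", "-") else val


def classify(event):
    account = field(event, "User", "Account Name")
    auth_type = field(event, "Authentication Details", "Authentication Type")
    mac = normalize_mac(field(event, "Client Machine", "Calling Station Identifier"))
    user_part = account.split("@", 1)[0] if account else None   # drop the @realm suffix
    return {
        "granted": event["summary"].startswith("Network Policy Server granted"),
        "mac": mac,
        "account": account,
        "auth_type": auth_type,
        "eap_type": field(event, "Authentication Details", "EAP Type"),
        "policy": field(event, "Authentication Details", "Network Policy Name"),
        "reason_code": field(event, "Authentication Details", "Reason Code"),
        # Assumption: a PAP request whose username is the caller's own MAC was
        # generated by the switch's MAC-authentication fallback, not by a supplicant.
        "mac_auth": auth_type == "PAP" and normalize_mac(user_part) is not None
                    and normalize_mac(user_part) == mac,
    }


def summarize(event_texts):
    """Counter of (auth_type, mac_auth, granted) across all events."""
    return Counter((c["auth_type"], c["mac_auth"], c["granted"])
                   for c in (classify(parse_event(t)) for t in event_texts))


def flapping_macs(event_texts):
    """MACs that have both a denied MAC-auth entry and a granted 802.1X entry:
    the port is alternating between the switch fallback and the real supplicant."""
    kinds = defaultdict(set)
    for text in event_texts:
        c = classify(parse_event(text))
        if not c["mac"]:
            continue
        if c["mac_auth"] and not c["granted"]:
            kinds[c["mac"]].add("mac_auth_denied")
        elif c["granted"] and not c["mac_auth"]:
            kinds[c["mac"]].add("dot1x_granted")
    return {m for m, k in kinds.items() if {"mac_auth_denied", "dot1x_granted"} <= k}


if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS))
    print("flapping:", flapping_macs(SAMPLE_EVENTS))
```

Feed it the text of many exported NPS events (one string per event) and `flapping_macs` lists the clients whose port is bouncing between the two authentication paths; `summarize` shows how much of the failure volume is the MAC fallback (PAP, username = MAC) rather than genuine supplicant rejections, which separates a switch-side timing problem from a credential problem before any NPS policy is touched.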
 