Re: 802.1x howto ias computer only authentication
- From: Lertsa <Lertsa@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 5 Feb 2007 03:42:00 -0800
I have a Cisco 2960 switch and MS IAS RADIUS configured, and the
authentication works quite OK (with some delays), but if the user
authenticates to a local account, he doesn't get an IP until after some 5
minutes or so? I used a sniffer on the switch and discovered that the second
you push Enter after entering username and password, the workstation stops
polling for DHCP. It does this again after some 5 minutes, but it's way too
long a time to wait. I tried to put the user straight into the guest VLAN and let
the authentication happen there - now the switch isn't changing to the VLAN it
gets from the RADIUS server and the workstation still remains on the
guest VLAN. (Trying to solve this one atm.)
My other problem is that if a user has already authenticated to a local
account and then plugs in the network cable, the authentication window only
flashes quickly and then disappears. It will reappear after the quiet period
and work correctly after this but I would like to know why it does this?
Can't really tell the user to plug in and get some coffee =)
Thanks in advance for any help!
"James McIllece [MS]" wrote:
"news.microsoft.com" <mmartens@xxxxxxxxxxxxxxxxxxxxx> wrote in.
news:#qsAd3pAHHA.4060@xxxxxxxxxxxxxxxxxxxx:
Hi James,
Thanks for your quick reply.
The statement I'm trying to make is that it doesn't work: the machine,
with 802.1x enabled on the switch and on the client, is trying to
connect to my IAS server, which appears to be successful, but then the IAS
cannot validate the machine, so it is receiving an APIPA address from
Windows XP because no DHCP can be found.
I think that my IAS needs some additional configuration for machine
authentication, but I don't know and am unable to find how the
configuration should be.
I've tried to add the computer to a Global Security group, but that
wasn't successful. Any ideas how it should be?
Thanks in advance,
Marcel
"James McIllece [MS]" <jamesmci@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:Xns987371F206DA7jamesmcionlinemicros@xxxxxxxxxxxxxxxx
"msnews.microsoft.com" <mmartens@xxxxxxxxxx> wrote in
news:OKKBKGbAHHA.4256@xxxxxxxxxxxxxxxxxxxx:
User authentication based on certificates works OK, but that's not
what we want, because then no login scripts and Group Policies are
coming with the login.
I don't understand what you mean with this statement. You can use
logon scripts with user authentication.
All you need to do is make sure that the computer is also granted
access permission by your remote access policy.
The default client behavior is that when the machine boots up,
machine authentication, including refresh of Group Policy, occurs.
Then when the user logs on, user authentication occurs.
--
James McIllece, Microsoft
Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.
This posting is provided "AS IS" with no warranties, and confers no rights.
So the first step is to get the machine authenticating successfully. That
is separate from the DHCP issue. You can create a remote access policy that
grants access to a group in AD -- so either grant access to the Domain
Computers group or create a new group and add the computers to it that you
want; and then create a remote access policy that grants access to the
group. (Or if I remember correctly you can add the computers group to the
same policy you have for users.)
If you create a new policy, remember the default remote access policy
behavior is to deny access, so you must change this setting. Also make sure
the policy is enabled. And put the computer policy before the user policy
in the IAS list of policies.
This whitepaper shows the correct setup for 802.1X wireless, which is very
similar to what you are doing:
"Step-by-Step Guide for Secure Wireless Deployment for Small Office/Home
Office or Small Organization Networks" at
http://www.microsoft.com/downloads/details.aspx?familyid=269902e8-fc41-4eb1-9374-44612e64f0fb&displaylang=en
Look at the Small Office section, not the Home section.
After you have the computers authenticating properly you can troubleshoot
the DHCP issue. As you probably know, the way the 802.1X switch works is to
perform authentication first -- then if that is successful, the switch
opens the port, which in turn allows the client's DHCP broadcast message
onto the LAN. If the DHCP broadcast message reaches your DHCP server, the
server will respond with a unicast message to the client, which then
provides the client with the IP address of the DHCP server, allowing the
additional messages from client to server to be sent as unicast messages.
The client is self-configuring with the APIPA address because its broadcast
messages are not reaching the DHCP server. This is for one of two reasons:
1. Authentication is failing so the switch is not opening the port.
2. The port is open but the broadcast message is not reaching the DHCP
server for some other reason.
I don't know how your switch is configured or what is required of it, but
perhaps it requires that you enabled DHCP forwarding...? Just a
possibility.
--
James McIllece, Microsoft
Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.
This posting is provided "AS IS" with no warranties, and confers no rights.
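To make the DHCP exchange James describes concrete (port opens, client broadcasts DISCOVER, server answers with a unicast OFFER carrying its own address so later messages can be unicast), here is an added example that is not part of the thread: a small Python parser for a DHCPOFFER that pulls out the offered client address and the server identifier (option 54), plus a check for the APIPA (169.254.0.0/16) self-assignment Marcel saw. The sample packet is constructed inline, not a capture from anyone's switch.

```python
"""Parse a DHCPOFFER and detect APIPA self-configuration (added example)."""
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"                 # DHCP cookie after the 236-byte BOOTP header
APIPA = ipaddress.ip_network("169.254.0.0/16")


def build_offer(yiaddr, server_id, lease=3600, xid=0x1234):
    """Construct a minimal DHCPOFFER (BOOTP op=2) for testing; a made-up packet."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                      2, 1, 6, 0, xid, 0, 0x8000,          # op, htype, hlen, hops, xid, secs, flags
                      b"\0" * 4,                            # ciaddr
                      ipaddress.ip_address(yiaddr).packed,  # yiaddr: address offered to the client
                      b"\0" * 4, b"\0" * 4,                 # siaddr, giaddr
                      b"\0" * 16, b"\0" * 64, b"\0" * 128)  # chaddr, sname, file
    opts = (b"\x35\x01\x02"                                          # 53: message type = OFFER
            + b"\x36\x04" + ipaddress.ip_address(server_id).packed  # 54: server identifier
            + b"\x33\x04" + struct.pack("!I", lease)                 # 51: lease time
            + b"\xff")                                               # end of options
    return hdr + MAGIC + opts


def parse_offer(pkt):
    """Return (client_ip, server_ip, lease_seconds) for a valid DHCPOFFER, else None."""
    if len(pkt) < 240 or pkt[0] != 2 or pkt[236:240] != MAGIC:
        return None
    yiaddr = str(ipaddress.ip_address(pkt[16:20]))
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 0xFF:
        if pkt[i] == 0:                       # pad option has no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    if opts.get(53) != b"\x02" or 54 not in opts:
        return None                           # not an OFFER, or no server to unicast to
    lease = struct.unpack("!I", opts.get(51, b"\0\0\0\0"))[0]
    return yiaddr, str(ipaddress.ip_address(opts[54])), lease


def is_apipa(ip):
    """True if the client fell back to a 169.254.x.x address (no OFFER ever arrived)."""
    return ipaddress.ip_address(ip) in APIPA
```

If a client reports an address for which `is_apipa` is true, no OFFER reached it, which is exactly the fork James lays out: either the port never opened (authentication failed) or the broadcast was not relayed to the DHCP server.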