RE: DHCP problem in .1x
- From: john <john@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 17 Apr 2007 04:20:01 -0700
Hi,
I checked the switch config and it is OK. But when I sniffed my network with
Ethereal, I saw something about the RADIUS frame packet. When the authentication
attempt is successful and the RADIUS sent a packet of RADIUS ACCEPT for
authentication, then the client takes an IP address from DHCP. I saw the DHCP
request in the log.
But when the authentication attempt fails, then IAS sent a packet of RADIUS
REJECT for authentication, then the trigger of DHCP on the client doesn't
trigger the DHCP server. So the client doesn't take an IP.
I think my switch and IAS cannot negotiate with a client that has a failed
authentication attempt.
What is the problem?
Why does the client request an IP address when the authentication fails?
"john" wrote:
I will check our switch config..
thank you.
"john" wrote:
"rt-seb" wrote:
Hello,
"john" wrote:
The switch puts the client ports to Unauth-vlan very quickly but the XP
client doesn't take an IP after the operation.
I was waiting 10 minutes for the DHCP trigger, but the client doesn't gain an IP
address.
When I trigger network connections manually, the client takes an IP.
I think the client doesn't receive EAP-success frames when the
authentication fails.
Furthermore, for the successful authentication attempts, the client takes an
IP address every time. I don't have a problem on successful authentication attempts.
How do I change DHCP service times on the client?
I don't think that changing the DHCP timing will help you.
The problem is that the DHCP service must know when to request a new
IP address. Usually, this is done if a physical link is detected.
But in your case the physical link is already there. You might take a look
at the configuration options of your switch.
Some switches are capable of sending EAP-Success messages after a VLAN
change. Some switches might emulate a link-down-up sequence in order to
signal the client the need for an IP renewal.
Sebastian
"rt-seb" wrote:
Hello,
"john" wrote:
hi,
I use IAS, HP 2650 and Windows XP SP2 for our .1x system.
I have a problem with re-authentication after the computer
authentication. The machine authenticates successfully with the computer
certificate, then it leases an IP from the DHCP server. When the user logs on to the
computer, the re-authentication starts. The user doesn't have a user
certificate, so it doesn't authenticate to the system. I see an error in the IAS log
that is related to re-authentication. But we have a problem with the DHCP lease on
the computer. I think the computer should leave the IP address of the wrong scope,
then request an IP from the unauth-VLAN scope of the DHCP server. But the
computer doesn't leave the IP address of the wrong scope. Then I repair the network
connection manually, and the computer takes an IP address from the unauth-VLAN DHCP scope.
My problem is that the computer doesn't take an IP address from the unauth-VLAN scope
when the authentication attempt fails. I want the computer to take an
IP address automatically when the authentication attempt fails.
Is the problem related to the Windows XP supplicant of .1x?
How long does it take until the computer is put into the "unauth" VLAN?
Does the switch send an EAP-Success to the clients after the clients
were put into the unauth-VLAN?
Usually, this EAP-Success frame makes the 1x supplicant trigger the
DHCP client service for an IP renewal. Maybe the DHCP service times
out (typically 60 seconds) because it took too much time to gain
network access.
Sebastian
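The comparison made by eye in the Ethereal capture above (did a DHCP request follow each RADIUS result?) can be scripted. This is an added example, not part of the original thread. The one-line-per-event format, the event names, the MAC addresses and the sample data are constructed, and the 60-second window is an assumption borrowed from the typical timeout mentioned above.

```python
from datetime import datetime, timedelta

AUTH = {"RADIUS_ACCEPT", "RADIUS_REJECT"}   # hypothetical event names
DHCP = {"DHCP_DISCOVER", "DHCP_REQUEST"}    # hypothetical event names

# Constructed capture summary: time, client MAC, event.
# The first client repeats the thread's scenario: machine auth succeeds and
# leases an address, then the user re-authentication is rejected and no DHCP
# traffic follows. The second client does renew after its reject.
SAMPLE = """\
10:00:00 00:11:22:33:44:55 RADIUS_ACCEPT
10:00:02 00:11:22:33:44:55 DHCP_DISCOVER
10:05:00 00:11:22:33:44:55 RADIUS_REJECT
10:07:00 00:11:22:33:44:77 RADIUS_REJECT
10:07:20 00:11:22:33:44:77 DHCP_DISCOVER
"""

def parse(text):
    """Return (timestamp, mac, event) tuples in time order."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        ts = datetime.strptime(parts[0], "%H:%M:%S")
        events.append((ts, parts[1].lower(), parts[2]))
    events.sort(key=lambda e: e[0])  # stable: same-second events keep file order
    return events

def stalled_clients(text, window_s=60):
    """List (mac, auth_result, time) where no DHCP followed within window_s."""
    events = parse(text)
    stalled = []
    for i, (ts, mac, ev) in enumerate(events):
        if ev not in AUTH:
            continue
        deadline = ts + timedelta(seconds=window_s)
        renewed = any(m == mac and e in DHCP and t <= deadline
                      for t, m, e in events[i + 1:])
        if not renewed:
            stalled.append((mac, ev, ts.strftime("%H:%M:%S")))
    return stalled

if __name__ == "__main__":
    for mac, result, when in stalled_clients(SAMPLE):
        print(f"{when} {mac}: {result} with no DHCP request afterwards")
```

A client listed after a RADIUS_REJECT is one that was moved to the unauth VLAN but is still holding its old lease.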