<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>
<channel>
	<title>Comments on: DHCP, 802.1X, and the Default VLAN</title>
	<atom:link href="http://www.seanconvery.com/weblog/2006/08/02/dhcp-8021x-and-the-default-vlan/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.seanconvery.com/weblog/2006/08/02/dhcp-8021x-and-the-default-vlan/</link>
	<description>Ruminations on Identity Management for Networks</description>
	<pubDate>Mon, 13 Oct 2008 12:15:40 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.6</generator>
		<item>
		<title>By: Tim</title>
		<link>http://www.seanconvery.com/weblog/2006/08/02/dhcp-8021x-and-the-default-vlan/#comment-47221</link>
		<dc:creator>Tim</dc:creator>
		<pubDate>Wed, 03 Sep 2008 18:50:50 +0000</pubDate>
		<guid isPermaLink="false">http://www.seanconvery.com/weblog/2006/08/02/dhcp-8021x-and-the-default-vlan/#comment-47221</guid>
		<description>We have issues with netlogon scripts on our XP SP2 systems too with our implementation of open VLANs on our ProCurves.

Got around them using the following GPO settings:

Computer Configuration (Enabled)
Policies
Administrative Templates
Policy definitions (ADMX files) retrieved from the local machine.
System/Logon
Always wait for the network at computer startup and logon: Enabled

System/Scripts
Run logon scripts synchronously: Enabled

This works for the mapped drives, but I still cannot get a couple of .exe files that run via logon scripts to work (probably will just use registry keys).

Also, we use Domain Users and Domain Computers on the RADIUS side (which solves the issue of a new user logging into a computer for the first time and creating a profile).

The newest issue I am working on is the one mentioned here: some users do not release/renew their IP once authenticated on the production VLAN. It only happens to some users.

Anyone play around with disabling "fast reconnect" on the XP Supplicant?

Tim</description>
		<content:encoded><![CDATA[<p>We have issues with netlogon scripts on our XP SP2 systems too with our implementation of open VLANs on our ProCurves.</p>
<p>Got around them using the following GPO settings:</p>
<p>Computer Configuration (Enabled)<br />
Policies<br />
Administrative Templates<br />
Policy definitions (ADMX files) retrieved from the local machine.<br />
System/Logon<br />
Always wait for the network at computer startup and logon: Enabled</p>
<p>System/Scripts<br />
Run logon scripts synchronously: Enabled</p>
<p>This works for the mapped drives, but I still cannot get a couple of .exe files that run via logon scripts to work (probably will just use registry keys).</p>
<p>Also, we use Domain Users and Domain Computers on the RADIUS side (which solves the issue of a new user logging into a computer for the first time and creating a profile).</p>
<p>The newest issue I am working on is the one mentioned here: some users do not release/renew their IP once authenticated on the production VLAN. It only happens to some users.</p>
<p>Anyone play around with disabling &#8220;fast reconnect&#8221; on the XP Supplicant?</p>
<p>Tim</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Pedro Alipio</title>
		<link>http://www.seanconvery.com/weblog/2006/08/02/dhcp-8021x-and-the-default-vlan/#comment-46885</link>
		<dc:creator>Pedro Alipio</dc:creator>
		<pubDate>Wed, 14 May 2008 10:31:02 +0000</pubDate>
		<guid isPermaLink="false">http://www.seanconvery.com/weblog/2006/08/02/dhcp-8021x-and-the-default-vlan/#comment-46885</guid>
		<description>In my point of view, the best solution for this issue would be the authentication server sending a DHCP FORCERENEW message (RFC 3203) whenever a user logs in (802.1X). Unfortunately, RFC 3203 is not supported by most DHCP servers and clients.</description>
		<content:encoded><![CDATA[<p>In my point of view, the best solution for this issue would be the authentication server sending a DHCP FORCERENEW message (RFC 3203) whenever a user logs in (802.1X). Unfortunately, RFC 3203 is not supported by most DHCP servers and clients.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Sean</title>
		<link>http://www.seanconvery.com/weblog/2006/08/02/dhcp-8021x-and-the-default-vlan/#comment-46881</link>
		<dc:creator>Sean</dc:creator>
		<pubDate>Fri, 09 May 2008 21:16:28 +0000</pubDate>
		<guid isPermaLink="false">http://www.seanconvery.com/weblog/2006/08/02/dhcp-8021x-and-the-default-vlan/#comment-46881</guid>
		<description>S.

Can you be more specific when you say "the client unauthenticates"? Are they issuing an EAP-Logoff? Is the machine rebooted? Is link interrupted on the switch? Also, what supplicant and OS are you using?

Thanks,

Sean</description>
		<content:encoded><![CDATA[<p>S.</p>
<p>Can you be more specific when you say &#8220;the client unauthenticates&#8221;? Are they issuing an EAP-Logoff? Is the machine rebooted? Is link interrupted on the switch? Also, what supplicant and OS are you using?</p>
<p>Thanks,</p>
<p>Sean</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: S. Yrneh</title>
		<link>http://www.seanconvery.com/weblog/2006/08/02/dhcp-8021x-and-the-default-vlan/#comment-46878</link>
		<dc:creator>S. Yrneh</dc:creator>
		<pubDate>Fri, 09 May 2008 00:39:45 +0000</pubDate>
		<guid isPermaLink="false">http://www.seanconvery.com/weblog/2006/08/02/dhcp-8021x-and-the-default-vlan/#comment-46878</guid>
		<description>A problem I'm facing while implementing 802.1X with the guest VLAN feature:
A client connects to an 802.1X-enabled port, and since a guest VLAN is configured it gets an IP address in the guest VLAN. Then the client gets authenticated and moves to the access VLAN, and since the port state changed the client gets a new IP address in the access VLAN. However, if the client unauthenticates and comes back to the guest VLAN, even though the port state changed again, the client does not release/renew its IP address.

Anyone got any workaround for this?</description>
		<content:encoded><![CDATA[<p>A problem I&#8217;m facing while implementing 802.1X with the guest VLAN feature:<br />
A client connects to an 802.1X-enabled port, and since a guest VLAN is configured it gets an IP address in the guest VLAN. Then the client gets authenticated and moves to the access VLAN, and since the port state changed the client gets a new IP address in the access VLAN. However, if the client unauthenticates and comes back to the guest VLAN, even though the port state changed again, the client does not release/renew its IP address.</p>
<p>Anyone got any workaround for this?</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: David Hyson</title>
		<link>http://www.seanconvery.com/weblog/2006/08/02/dhcp-8021x-and-the-default-vlan/#comment-46870</link>
		<dc:creator>David Hyson</dc:creator>
		<pubDate>Fri, 25 Apr 2008 14:46:14 +0000</pubDate>
		<guid isPermaLink="false">http://www.seanconvery.com/weblog/2006/08/02/dhcp-8021x-and-the-default-vlan/#comment-46870</guid>
		<description>We're running wired 802.1X on our campus with Enterasys equipment, and seem to have many of the same kinds of issues. It sounds like in your implementation authorized supplicants don't go through a default VLAN. In ours, they do, and it's caused quite a few issues. In particular, Netlogon was starting while the machine was still in "purgatory" and consequently getting a bad connection to the domain and not loading a mandatory profile. Even turning off the XP fast-startup option didn't fix it. I actually wrote a service that we now use here that delays the start of Netlogon until a machine gets a non-default IP. It helps quite a bit, but I think we're going to try shortening the lease as well. Thanks for the insight. -DLH</description>
		<content:encoded><![CDATA[<p>We&#8217;re running wired 802.1X on our campus with Enterasys equipment, and seem to have many of the same kinds of issues. It sounds like in your implementation authorized supplicants don&#8217;t go through a default VLAN. In ours, they do, and it&#8217;s caused quite a few issues. In particular, Netlogon was starting while the machine was still in &#8220;purgatory&#8221; and consequently getting a bad connection to the domain and not loading a mandatory profile. Even turning off the XP fast-startup option didn&#8217;t fix it. I actually wrote a service that we now use here that delays the start of Netlogon until a machine gets a non-default IP. It helps quite a bit, but I think we&#8217;re going to try shortening the lease as well. Thanks for the insight. -DLH</p>
]]></content:encoded>
	</item>
</channel>
</rss>
