802.1x authentication with dynamic VLAN and roaming profiles

  • 802.1x authentication with dynamic VLAN and roaming profiles

    Hi everybody!

    I have a problem implementing 802.1x authentication in a LAN.

    Target:
    Hosts and users should be authenticated by a Radius Server. According to the user / machine group, the port on the Switch should be changed to the corresponding VLAN. The Client PCs are in the domain and roaming profiles are used.


    Domain Controller: MS Server 2003
    Radius Server: MS Server 2008
    Client: MS Windows 7 (in domain)
    Switch: Cisco 3550, 3560


    Steps that are working so far:
    1. Switchport is programmed to access a very restricted VLAN
    2. After the PC is authenticated, it is moved to a less restricted VLAN, where the domain controller can be reached
    3. User logon
    3a. Radius Server authenticates the user
    3b. VLAN on Switch is changed
    3c. Roaming profile is loaded


    The above steps work fine, but at the logoff a problem occurs:
    1. user (authenticated) clicks on "logoff"
    2. PC is authenticated
    3. VLAN on the Switch is changed
    4. Roaming profile is synchronized (!!!!): exactly this step fails, because the PC is already in a VLAN that has no access to the fileserver.

    Do you have any idea how to handle this problem?

    Thanks & regards.

  • #2
    Re: 802.1x authentication with dynamic VLAN and roaming profiles

    Sorry if this sounds too obvious, I might be surely missing a key piece of info, but couldn't you either reconfigure the VLAN or change the IP addressing on the fileserver so that it can be contacted?
    Caesar's cipher - 3

    ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

    SFX JNRS FC U6 MNGR


    • #3
      Re: 802.1x authentication with dynamic VLAN and roaming profiles

      I think this is more a networking issue -- what make / model switch are you using?
      Tom Jones
      MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
      PhD, MSc, FIAP, MIITT
      IT Trainer / Consultant
      Ossian Ltd
      Scotland

      ** Remember to give credit where credit is due and leave reputation points where appropriate **


      • #4
        Re: 802.1x authentication with dynamic VLAN and roaming profiles

        Thanks for your answer.

        @L4ndy: Sure, that would work. However, the aim is to have all PCs in a very restricted network from which no file server (and just the domain controller) should be accessible. For the logon, Windows instead gives you the possibility to choose when to switch the VLAN (before logon or after logon). That works perfectly, but for the logoff there are no settings available.

        @Ossian: I'm using Cisco 3550 / 3560 switches. I'm not sure if it's more network (switch) related or more client related. Somehow the switch does its work fine ... the client just tells it too early to switch the VLAN. I did not find any "delay" options, neither on the switch nor on the PC.
