Unable to get IP Address from DHCP server - 802.1x authentication

From: Manish D'souza (manishfd_at_vsnl.com)
Date: 07/17/03


Date: Wed, 16 Jul 2003 22:56:02 -0700


We want to configure IBNS on winXP platform. The core
switch is CISCO 3550 & the Radius server is CISCO ACS
Server.

We conducted extensive tests on WinXP SP1a & Win2K SP3 for
user based VLAN authentication with Windows client as
well as third party client (Odyssey Funk) & have listed
our observations below.

Setup WinXP SP1a : wzcsvc.dll version : 5.1.2600.1181
Setup Win2K SP3 : wzcsvc.dll version : 5.0.2195.6604
Authentication method : MD5-Challenge
-----------------------------------------------------------
The results are the same with Win2K SP3 & WinXP SP1.

Log in locally with the cached profile of user1.
Once logged into the user's profile you get the Radius
server login prompt a few minutes after the desktop
appears.
After entering the Radius server username & password the
user gets authenticated immediately but the machine
doesn't get any IP address.
If we release & renew the IP address the user gets the IP
address from the scope specified for the VLAN that he
belongs to.
Now the user can log off & log in to the domain & get
authenticated by the domain controller. The login script
executes.
Once authenticated, the port state doesn't change unless
the machine is rebooted.
You can log off & log in as another user, but since the port
state has not changed the new user doesn't get his
Radius server login prompt & hence continues to be in the
VLAN of the earlier user.
Even if we release & renew the IP address he still
continues to get an IP address from the earlier user's VLAN
scope.
-----------------------------------------------------------
After the machine boots, log in locally with the user's
cached profile.
Disable & enable the network card of the machine.
A few minutes after the network card gets enabled we get
the Radius server login prompt.
After entering the Radius server username & password the
user gets authenticated immediately & the machine gets an
IP address from the scope of the VLAN that the user
belongs to, after around 30 seconds.
Now the user can log off & log in to the domain & get
authenticated by the domain controller.
The login script executes.
Once authenticated, the port state doesn't change unless
the machine is rebooted.
You can log in as another user, but the new user doesn't get
his Radius server login prompt & hence continues to be in
the VLAN of the earlier user.
Even if we release & renew the IP address he still
continues to get an IP address from the earlier user's
VLAN.
---------------------------------------------------------
Problems:
The main problem with the Windows client is
getting the IP address from the DHCP server.
The switch port state doesn't change unless the
machine is rebooted.
The Radius server login prompt does not appear
before the Windows network login & only appears after the
desktop appears.
We have tested with a third party client (Odyssey Funk) &
it works fine.
The login script executes the first time & then it
executes intermittently.

Does anyone have any solution for my problem?
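One thing worth checking when a second user "continues to be in the VLAN of the earlier user" is whether the ACS server actually returned a different VLAN for that user, or whether the switch port simply never re-authenticated. The script below is an added example, not part of the original post and not Cisco or Microsoft code: it decodes the RFC 2868 / RFC 3580 tunnel attributes (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID) from a captured RADIUS Access-Accept so you can confirm the VLAN the server assigned. The sample packet is constructed inline (the authenticator is zeroed and the identifier is arbitrary); to use it on real traffic, feed it the raw UDP payload of the Access-Accept captured between the switch and ACS.

```python
import struct

# RADIUS packet code and the attributes used for dynamic VLAN assignment
ACCESS_ACCEPT = 2
TUNNEL_TYPE = 64               # value 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65        # value 6 = IEEE-802
TUNNEL_PRIVATE_GROUP_ID = 81   # VLAN id as a string
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6
HEADER_LEN = 20                # code(1) + id(1) + length(2) + authenticator(16)


def parse_attributes(packet: bytes):
    """Walk the attribute list of a RADIUS packet, yielding (type, tag, value).

    Tunnel attributes carry a leading tag byte (0x00-0x1F) that groups the
    type/medium/group triplet; a first byte above 0x1F is data, not a tag.
    """
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < HEADER_LEN:
        raise ValueError("bad RADIUS length field")
    pos = HEADER_LEN
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        value = packet[pos + 2:pos + alen]
        pos += alen
        tag = 0
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            if value and value[0] <= 0x1F:
                tag, value = value[0], value[1:]
        yield atype, tag, value


def assigned_vlan(packet: bytes):
    """Return the VLAN id an Access-Accept assigns, or None if the triplet is
    absent or inconsistent (e.g. Tunnel-Type present but not VLAN)."""
    if packet[0] != ACCESS_ACCEPT:
        return None
    by_tag = {}
    for atype, tag, value in parse_attributes(packet):
        entry = by_tag.setdefault(tag, {})
        if atype == TUNNEL_TYPE:
            entry["type"] = int.from_bytes(value, "big")
        elif atype == TUNNEL_MEDIUM_TYPE:
            entry["medium"] = int.from_bytes(value, "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            entry["group"] = value.decode("ascii", "replace")
    for entry in by_tag.values():
        if (entry.get("type") == TUNNEL_TYPE_VLAN
                and entry.get("medium") == TUNNEL_MEDIUM_IEEE_802
                and "group" in entry):
            try:
                return int(entry["group"])
            except ValueError:
                return None   # group id is a VLAN name, not a number
    return None


def _attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, 2 + len(value)]) + value


def sample_access_accept(vlan: str, tag: int = 1, with_group: bool = True) -> bytes:
    """Constructed Access-Accept for testing; not a real capture."""
    attrs = (_attr(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
             + _attr(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")))
    if with_group:
        attrs += _attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + vlan.encode("ascii"))
    return (struct.pack("!BBH", ACCESS_ACCEPT, 7, HEADER_LEN + len(attrs))
            + b"\x00" * 16 + attrs)


if __name__ == "__main__":
    # Two constructed replies, as ACS would send for user1 and user2 on different VLANs
    for user, vlan in (("user1", "10"), ("user2", "20")):
        print(user, "->", assigned_vlan(sample_access_accept(vlan)))
```

If both users' Access-Accepts decode to different VLAN ids, the server side is doing its job and the stale VLAN is a port re-authentication or DHCP-lease problem on the switch/client side; if they decode to the same id or to None, the ACS group mapping is where to look.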


