Contributor
tayyabriaz
Posts: 18
Registered: ‎08-03-2008
Accepted Solution

802.1X authentication issue

Hi

 

I have a working configuration for 802.1X authorization. Here is the scenario.

 

1. The user, when connected to the network, initially falls in the guest VLAN (say VLAN 100). The user is assigned an IP address from a DHCP server.

2. The user then requests a certificate from the certificate server, downloads it and installs it.

3. After the certificate is installed and the machine restarted, the user falls in the respective user VLAN (say VLAN 200) and is assigned an IP address from the DHCP server.

4. Things were quite fine up to this point. The problem arises after that.

5. Say the user shuts down the machine and restarts it. There are two problems seen at this point.

    a. The machine takes a long time to start up and seems to hang while preparing network connections. After a long wait, the user is able to log onto the machine. This time can be as long as 10 to 15 minutes (unusually long).

    b. The IP address on this machine is from the guest VLAN (whereas it should be from the respective VLAN, as it is authenticated already). After you unplug and plug in the network cable, the user then takes the IP address of the respective VLAN.

6. The client is claiming that the same feature is working well with other vendors' switches. So there is a problem with Juniper switches. Any guesses?

Trusted Expert
Kashif-rana
Posts: 417
Registered: ‎01-29-2008

Re: 802.1X authentication issue

Hi

 

- Are you using the machine authentication (certificate based) followed by user authentication?

- Which supplicant are you using?

- Which JUNOS version are you using?

- After the restart of the machine, check on the switch continuously:

1- Status of the 802.1X-enabled port, using "run show dot1x interface <name of interface> detail", to know how much time it is taking to authenticate the machine
2- Status of the dynamic VLAN pushed by the RADIUS server after machine authentication, using "run show ethernet-switching interfaces <name of interface>"

 

 

Kashif Rana
JNCIE-SEC, JNCIE-ENT, JNCIE-SP, JNCIS(FWV,SSL),JNCIA(IDP,AC,WX),BIG IP-F5-LTM, CCNP
----------------------------------------------------------------------------------------------------------------------------------------

If this post was helpful, please mark this post as an "Accepted Solution". Kudos are always appreciated!
Contributor
tayyabriaz
Posts: 18
Registered: ‎08-03-2008

Re: 802.1X authentication issue

Hi Kashif

 

My responses inline.

 

Are you using the machine authentication (certificate based) followed by user authentication?

Yes

Which supplicant are you using?

Single-Secure

Which JUNOS version are you using?

JUNOS 10.4 R3.4

Also, I have a complete debugging session of the switch from the startup of the device to the point where it still falls again in the guest VLAN and we have to manually plug/unplug the cable to move it into its respective VLAN. I am attaching this traceoptions file here.

 

Regards

 

Tayyab

 

Trusted Contributor
dscott
Posts: 122
Registered: ‎03-17-2011

Re: 802.1X authentication issue

Can you post the dot1x config from the switch?

 

Also, what are the settings on the client side? We're all Windows 7 for the clients, and had the same problem. This was resolved by enabling the "Enable Single Sign On for this network" option with the group policy configuration, and selecting "Perform immediately after User Logon". The authentication mode for the client is "User or Computer authentication".

Dustin

VCP-4/5, JNCIS-SEC, JNCIP-ENT
Contributor
tayyabriaz
Posts: 18
Registered: ‎08-03-2008

Re: 802.1X authentication issue

Hi

 

There is a PR raised for the issue. The two relevant PRs are:

 

1.  719408

2.  746479

 

The problem description is as below

 

"Issue: The client doesn't get IP address from correct vlan 2 in 10 times. The authentication is complete though as shown in the switch."

 

This issue is to be resolved in the following releases to be released soon.

 

1. 12.1

2. 11.3 R6

3. 11.4 R3

4. 10.4 R10

 

regards

 

Tayyab

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.