Switching

Hi

I have a working configuration for 802.1X authorization. Here is the scenario.

1. The user when connected to the network initially falls in the guest vlan (say vlan 100). The user is assigned an ip address from a DHCP server,

2.The user then requests a certificate from the certificate server, downloads it and installs it.

3. After the certificate is installed and machine restarted the user falls in the respective user vlan (say vlan 200) and is assigned an ip address from the DHCP server.

4. The things were quite fine Upton this point. The problem arises after that.

5. Say the user shuts the machine, and restart it. There are two problems seen at this point.

    a. The machine takes a long time for starting up and seems to hang up in preparing network connections. After a long wait, the user is able to log onto the machine. This time can be as long as 10 to 15 mins.(unusually long)

    b. The ip address on this machine is from the guest vlan (where as it should be from the respective vlan as it is authenticated already). After you plug out and plug-in the network cable, the user then takes the ip address of the respective vlan.

6. The client is claiming that the same feature is working well with other vendors switches. So there is a problem with juniper switches. Any guesses ???

Hi

- Are you using the machine authentication (certificate based) followed by user authentication?

- Which supplicat you are using?

- Which JUNOS version you are using?

- After the restart of machine, check on the switch continiously

1- Status of 802.1x enabled port using "run show dot1x interface <name of interface> detail" to know how much time it is taking to authenticate the machine
2- Status of dynamic VLAN pushed by the radius server after machine authentication "run show ethernet-switching interfaces <name of interface>"

Hi Kashif

My responses inline.

Are you using the machine authentication (certificate based) followed by user authentication?

Yes

Which supplicat you are using?

Single-Secure,

-Which JUNOS version you are using?

JUNOS 10.4 R3.4

Also i have a complete debugging session of the switch from the startup of the device to the point where it still falls again in the guest vlan and we have to manually plug/unplug the cable to move it into it's respective vlan. This traceoptions file i am attaching here.

Regards

Tayyab

Attachment(s)

test1-log-2.txt   610 KB 1 version

Can you post the dot1x config from the switch.

Also, what are the settings on the client side?  We're all windows 7 for the clients, and had the same problem.  This was resolved by enabling the "Enable Single Sign On for this network" option with the group policy configuration, and select "Perform immediately after User Logon".  The authentication mode for the client is "User or Computer authentication"

Hi

There is A PR raised for the issue. The two relevlant PR's are

1.  719408

2.  746479

The problem description is as below

"

Issue: The client doesn't get IP address from correct vlan 2 in 10 times. The authentication is complete though as shown in the switch."

This issue is to be resolved in the following releases to be released soon.

1.12.1

2. 11.3 R6

3. 11.4 R3

4. 10.4 R10

regards

Tayyab