I am new to 802.1x and VLANs. Any help would be appreciated.
I am trying to achieve dynamic VLAN assignments based on user authentication. I’m having a hard time understanding where to configure which components. One group of authenticated users should go into a default VLAN which has access to the core data services connected to the MDF. Another group of users should go into 2nd VLAN which only has internet access.
If the user is unable to authenticate on the wire, then they should also go into the 2nd VLAN with only internet access.
Here’s the topology:
Wired Client or Wireless Access Point > 4 x EX4200 VC (IDF: distribution-level switch) > 4 x EX4200 VC (MDF: core data services, RADIUS server)
Both VLANs have been created on the MDF switch.
An IP address has been assigned to both VLANs.
A RADIUS server has been defined on the MDF Switch
The RADIUS server has been configured (IAS) and a client has been created which points to the IP address of the MDF. Routing policies also created in IAS which point to the correct VLANs
A self signed certificate is installed on the wired client as well as the RADIUS server
The wired client is connected to a port on the IDF switch
802.1x configured on the port on the IDF switch (multiple supplicant mode)
The port on the IDF switch is in access mode
802.1x enabled on the NIC of the XP client. PEAP selected.
If I attach a wired XP client to the port and I authenticate successfully as a user in a group destined for VLAN1 (core services), I get an authentication error on the NIC and in the event log.
If I try to log in as a user in the 2nd group (internet only VLAN), I get an error that the domain is not available.
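For reference, here is an added example (not the poster's configuration) of the shape a Junos dot1x setup for this scenario takes on the authenticating switch, together with the RADIUS attributes the server must return; the VLAN names, port, addresses and secret are assumed placeholders, and it assumes the VLANs and RADIUS client are defined on the switch that owns the 802.1x port (the IDF), since that is the switch that talks to RADIUS.

```junos
## Assumed names: VLANs "core-services" (10) and "internet-only" (20),
## RADIUS server 10.0.0.5, IDF switch address 10.0.0.2, client port ge-0/0/10.
## Both VLANs must exist on the authenticating switch for dynamic assignment to work.
set vlans core-services vlan-id 10
set vlans internet-only vlan-id 20

## RADIUS client: the IAS client entry must match this switch's source address.
set access radius-server 10.0.0.5 secret "<shared-secret>"
set access radius-server 10.0.0.5 source-address 10.0.0.2
set access profile dot1x-profile authentication-order radius
set access profile dot1x-profile radius authentication-server 10.0.0.5

set protocols dot1x authenticator authentication-profile-name dot1x-profile
set protocols dot1x authenticator interface ge-0/0/10.0 supplicant multiple
## Hosts that present credentials but are rejected land in the restricted VLAN.
set protocols dot1x authenticator interface ge-0/0/10.0 server-reject-vlan internet-only
## Hosts with no supplicant at all (no EAPOL response) also get the restricted VLAN.
set protocols dot1x authenticator interface ge-0/0/10.0 guest-vlan internet-only
## If the RADIUS server is unreachable, fail to the same restricted VLAN rather than open.
set protocols dot1x authenticator interface ge-0/0/10.0 server-fail vlan-name internet-only

## The RADIUS policy for the core-services group must return (RFC 3580):
##   Tunnel-Type             = VLAN (13)
##   Tunnel-Medium-Type      = IEEE-802 (6)
##   Tunnel-Private-Group-ID = "core-services"   (VLAN name, or "10" for the ID)
## The internet-only group returns the same attributes with "internet-only".

## Verification after commit:
##   show dot1x interface ge-0/0/10.0 detail   (state, VLAN assigned, reject/guest flags)
##   show vlan                                 (port should appear under the assigned VLAN)
```

If the assigned VLAN in `show dot1x interface ... detail` stays empty after a successful Access-Accept, the usual cause is that the returned VLAN name does not match a VLAN configured on the authenticating switch.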