MAC Authentication

  • Problem
  • Updated 3 years ago
Hi all,

I have a problem with my RADIUS server. I have an X16 as a backbone and B5s at the edges. I have configured NAP policies on Windows 2008. There is no domain, but we are doing MAC authentication. We write down all the MACs on the RADIUS server. Also, we have 8 VLANs for users. Therefore all users are authenticated and get their VLAN dynamically.

My problem is that sometimes some users cannot be authenticated. But when we do "ipconfig /release" & "ipconfig /renew", they can authenticate and get the correct VLAN. This causes a lot of problems for us. Why does it sometimes behave like this? This problem occurs on every VLAN, but not all the time. If 100 people authenticate normally, 1 or 2 of them need to release and renew their IP address.

I will be very happy if someone can help.

Thanks,
Best Regards.
Erhan YILDIZ

Posted 3 years ago

Jason Parker, Employee

What we need to see is a configuration, but I use FreeRADIUS in the lab and have MAC, dot1x and even RFC 3580.
Let's start with the IP address. Do they retain the old IP address or do they get the new IP address from the new VLAN policy?

You may need to open a ticket with the GTAC, and if you do, please mention my name, Jason Parker, and state that I want to be involved to assist you.

We may need more than this web thread to go forward.
BTW:
Are you within your dhcp scope of addresses available?
Jason
Erhan YILDIZ

Hello Parker,
"Are you within your dhcp scope of addresses available?"
Yes

Also, they get new IP addresses, but in the same DHCP scope. I mean there is no difference between the old and new IP addresses. Same rules, same VLAN and same scope.

I think the problem occurs on the end-user Windows side. But I need to be sure. I will suggest that my customer update Windows on all end-user machines.

Once I opened a case, but GTAC says there is no problem on our side. Therefore they don't help much with this issue. This time I will refer to you if the updates don't help.

Thanks,
Best Regards.
Rainer Adam

What mode do you use on the B5 for the authentication? I would recommend that you set "set policy maptable response both" so that the switch accepts everything that comes in: policies AND RFC 3580 VLAN auth. Please also check the authentication status on the B5, if the client did not get an IP address, with "show multiauth session port ge.x.y".

Did you set the client ports to edge = true?

Do you have static policies on the user ports? If yes, please do NOT assign policies statically; assign them with the authentication, it works better ;)

For security, I would recommend that you use a "blackhole VLAN" as the PVID on the user ports (blackhole means a VLAN you do NOT transmit between your switches). Some clients always try to get their old IP address; that's a NIC driver mistake, and the best fix is therefore this blackhole VLAN.

But use this only for Windows PCs. If you have "silent devices" that do not send out traffic, like door control panels with an Ethernet interface, you should assign the VLAN that the authenticated client will get after a successful authentication. This makes sure that the silent device will get the request for its MAC address and can answer, and with THAT answer you authenticate it again.
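
For reference on the RFC 3580 VLAN assignment discussed in this thread, an added example (not posted by any participant and not vendor code): a Python check that the reply attributes entered for each MAC on the RADIUS server carry the three tunnel attributes RFC 3580 uses for a dynamic VLAN. The function names, the sample MAC addresses and the sample attribute sets are constructed for illustration; the accepted value spellings are the numeric codes plus the FreeRADIUS dictionary names.

```python
# Added example: validate RFC 3580 dynamic-VLAN reply attributes per MAC entry.
# RFC 3580 uses: Tunnel-Type=VLAN (13), Tunnel-Medium-Type=802 (6),
# Tunnel-Private-Group-ID=<VLAN ID encoded as a string>.

TUNNEL_TYPE_VLAN = {"13", "VLAN"}
TUNNEL_MEDIUM_802 = {"6", "802", "IEEE-802"}


def check_rfc3580(reply):
    """Return (vlan_id, problems) for one set of reply attributes.

    `reply` maps attribute names to the values entered on the RADIUS server.
    vlan_id is None whenever the attribute set is incomplete or invalid.
    """
    problems = []
    attrs = {k.lower(): str(v).strip() for k, v in reply.items()}

    if attrs.get("tunnel-type", "").upper() not in TUNNEL_TYPE_VLAN:
        problems.append("Tunnel-Type must be VLAN (13)")
    if attrs.get("tunnel-medium-type", "").upper() not in TUNNEL_MEDIUM_802:
        problems.append("Tunnel-Medium-Type must be 802 (6)")

    raw = attrs.get("tunnel-private-group-id", "")
    if not raw.isdecimal():
        problems.append("Tunnel-Private-Group-ID must be a numeric VLAN ID")
    elif not 1 <= int(raw) <= 4094:
        problems.append("VLAN ID %s outside 1-4094" % raw)

    return (int(raw) if not problems else None), problems


def audit(entries):
    """Return {mac: problems} for every entry that fails the check."""
    failed = {}
    for mac, reply in entries.items():
        _, problems = check_rfc3580(reply)
        if problems:
            failed[mac] = problems
    return failed


# Constructed sample entries keyed by client MAC (not taken from the thread).
SAMPLE = {
    "00-11-22-33-44-55": {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
                          "Tunnel-Private-Group-ID": "20"},
    "00-11-22-33-44-66": {"Tunnel-Type": "13", "Tunnel-Private-Group-ID": "30"},
    "00-11-22-33-44-77": {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "6",
                          "Tunnel-Private-Group-ID": "users"},
}

if __name__ == "__main__":
    for mac, problems in audit(SAMPLE).items():
        print(mac, "->", "; ".join(problems))
```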