Netlogin Script for Authenticated VLAN

  • 7 January 2014
  • 1 reply

Userlevel 4
Create Date: Apr 11 2012 8:07AM

Hi There,

I'm trying to implement wired 802.1x on our network. Having tested this briefly and got it to work, it's not the way I'd like it to be.

We're using a 2008 NPS Server as our RADIUS box; a default connection policy is set up and a network policy is also set up. The network policy is set so that this determines which VLAN authenticated clients have access to (using the VSAs etc.). However, in our environment we have numerous VLANs and it would seem that a policy is needed for every VLAN (VSA?), not to mention the amount of authenticators (switches) we have, for which you can't specify what points to what network policy etc.

This seems quite a bit of work and time to implement, plus a potential nightmare to upkeep. I'd rather the RADIUS server didn't determine the authenticated VLAN but the switches (authenticators) themselves did, and I would assume I would need some sort of script to do this?

Does anyone else have experience of this issue? Or is there a completely different and easier way to do this?

Thanks in advance


(from Ian_Broadway)

1 reply

Userlevel 4
Create Date: Apr 19 2012 7:40AM

Your match condition for all requests into the NPS should not be complicated.

  1. Set all your switches with the same VLAN names. (The 802.1Q tags can be different.)
  2. You will have to add the authenticators as clients in the NPS server. Use a common name like extremeSwitch1, extremeSwitch2, etc...
  3. Have your first match condition in the "Connection Request Policy" be Client Friendly Name = extreme*
  4. Have all the rest of your specific policies in the "Network Policies" section. Do not have the "Connection Request Policies" overwrite.
  5. Best match condition for "Network Policies" is the Windows Groups. You shouldn't need any other match condition. Even for MAC auth...
  6. Create each policy with the specific EAP Method, Authentication Method, and Vendor-Specific:
     1. Vendor-Specific = Netlogin-Extended-VLAN(211) = Udata,Tvoice
        1. Where U = Untagged, T = Tagged, and data or voice = VLAN name

For #6, I have a Network Policy for:

  • Domain Employees
  • Domain Computers (For this policy to work correctly, set your reauth timer for 802.1X to 0)
  • MAC Authentication

Just like an ACL, this is a first match. Therefore my domain employee policy will look for the username in the Windows "Domain Users" group. Once matched, the settings are as follows:

  • Authentication Type: PEAP
  • EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
  • Vendor-Specific = Udata

(from john_padilla)
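The reply above relies on the Netlogin-Extended-VLAN VSA value ("Udata,Tvoice") naming VLANs that exist under the same name on every switch; a typo in one Network Policy or one switch silently lands a client in the wrong VLAN or fails authentication. The following linter is an added example (not code from either poster or from Extreme or Microsoft) that parses the VSA value format described in the reply and checks each VLAN name against a constructed list of the names the switches are assumed to share. The U/T prefix syntax follows the reply; the SWITCH_VLANS set and the rule that a port can carry only one untagged VLAN are assumptions of this example.

```python
"""Lint Extreme Netlogin-Extended-VLAN (VSA 211) values from NPS Network
Policies against the VLAN names configured on the authenticators.

Added example, not from the thread. Assumption: the value is a comma-separated
list of VLAN names, each prefixed with U (untagged) or T (tagged), exactly as
the reply's "Udata,Tvoice" illustrates.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: VLAN names every authenticator (switch) is assumed to share,
# per step 1 of the reply (same names everywhere, 802.1Q tags may differ).
SWITCH_VLANS = {"data", "voice", "guest"}

# One token: a U or T mode letter followed by a VLAN name.
_TOKEN = re.compile(r"^([UT])([A-Za-z0-9_-]+)$")


@dataclass
class VlanAssignment:
    untagged: list = field(default_factory=list)
    tagged: list = field(default_factory=list)
    errors: list = field(default_factory=list)

    @property
    def ok(self):
        return not self.errors


def parse_extended_vlan(value):
    """Split 'Udata,Tvoice' into untagged/tagged VLAN names, recording format errors."""
    result = VlanAssignment()
    for raw in value.split(","):
        token = raw.strip()
        m = _TOKEN.match(token)
        if not m:
            result.errors.append(f"malformed token {token!r}: expected U<name> or T<name>")
            continue
        mode, name = m.groups()
        (result.untagged if mode == "U" else result.tagged).append(name)
    # Assumption: a switch port has at most one untagged (native) VLAN.
    if len(result.untagged) > 1:
        result.errors.append(f"more than one untagged VLAN: {result.untagged}")
    return result


def check_against_switches(value, switch_vlans=SWITCH_VLANS):
    """Parse the VSA value and flag any VLAN name the switches would not know."""
    result = parse_extended_vlan(value)
    for name in result.untagged + result.tagged:
        if name not in switch_vlans:
            result.errors.append(f"VLAN {name!r} is not configured on the switches")
    return result


if __name__ == "__main__":
    # Constructed policy-name -> VSA-value pairs; the last one carries a typo.
    policies = {
        "Domain Employees": "Udata",
        "VoIP phones": "Udata,Tvoice",
        "Mistyped policy": "Udat,Tvoice",
    }
    for policy, vsa in policies.items():
        r = check_against_switches(vsa)
        print(f"{policy}: {'OK' if r.ok else r.errors}")
```

Run it against the VSA strings exported from each Network Policy whenever a policy or a switch VLAN is added; a non-empty errors list is the mismatch that would otherwise only show up as a client in the wrong VLAN.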