802.1X dyanmic VLAN assignment DHCP issue (Vista client)

I am labbing dynamic VLAN assignment and have run into a small problem.  The switchport is succesfully changing to the new VLAN, but my test PC seems to get an IP address in the native data VLAN before being moved to the new dynamic assigned VLAN.  So when the switch changes the VLAN the PC keeps its old IP address and nothing talks any more.
Is this a Vista issue?  I thought all of these problems were just issues in XP?  Do I need to tweak any interface dot1x timers?
(Cat3750 with 12.2.55 / ACS5.1.  Everything else is running fine by the way.)

if i do a show run on the switchport the config hasnt changed, but i dont expect it to, as its not a permanent config change that you would want to be saved by a different admin user saving the config.  You can see the debug report it is changing the VLAN:
Apr 19 09:22:56.263: %AUTHMGR-5-START: Starting 'dot1x' for client (0014.c209.896f) on Interface Gi1/0/19 AuditSessionID C0A8FE250000000900291476
Apr 19 09:22:58.604: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/19, changed state to up
Apr 19 09:22:59.560: %DOT1X-5-SUCCESS: Authentication successful for client (0014.c209.896f) on Interface Gi1/0/19 AuditSessionID
Apr 19 09:22:59.568: %AUTHMGR-5-VLANASSIGN: VLAN 12 assigned to Interface Gi1/0/19 AuditSessionID C0A8FE250000000900291476
Apr 19 09:22:59.585: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan12, changed state to up
Apr 19 09:23:00.307: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/19, changed state to up
Apr 19 09:23:00.315: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0014.c209.896f) on Interface Gi1/0/19 AuditSessionID C0A8FE250000000900291476
as well as checking with the show int switchport command and it is in v12 which is the dynamically assigned vlan
DHCP server is the cat3750 for all local VLANs

Similar Messages

  • 802.1x with VLAN assignment on Catalyst 2950T-48-SI

    I will really appreciate if you can confirm me if the C2950T-48-SI will support the following features.
    - IEEE 802.1x with VLAN assignment
    - SSHv2
    - SNMPv3
    The data sheet for the Cisco Catalyst 2950 Series Switches with Standard Image mentions all the above and more features for the 2950T-48-SI, but at the same time the power point presentation, (Cisco Catalyst 2950 Series Switches, and the tool Sofware advisor say that those features are only supported with the Enhanced Image.
    If your those feature are supported by the Standard Image, would you please also inform the last IOS version supported.
    Thanks a lot.

    SSH isn't available on the SI version of the 2950 as you require the Crypto features and these are not available for the SI (the documentation is a little vague here but trust me I have upgraded one and it doesn't like it...). The documentation says 'Switches that support only the SI cannot run the cryptographic image.'
    802.1x with VLAN assignment is available only in the latest IOS - or at least since 12.1(22).
    SNMPv3 is supported.
    HTH
    Andy

  • 871 802.1x with vlan assignment aka dynamic vlan

    you can do vlan assignment on 871W wireless using the local radius server but unfort only LEAP which is N.G.
    I have been pounding on wired 802.1x PEAP (which works) trying to get vlan re-assignment. Have tried with IAS which I am using to do vlan reassignment with the WLC so I have the idea of how it works with IAS. With 871, no go. Have also tried ACS for radius with same results: can't escape the switchport's vlan. With debug radius local you can see the tunnel attributes for reassignment plainly but with debug radius with IAS or ACS, nada.
    Using 12.4(6)T advanced IP.
    I have just seen that 12.4(4)CX2 has "802.1x with vlan reassignment" but the download is MIA. Wonder what's up with that?
    Has anybody got this to work? Any info much appreciated
    Greg Turner

    SSH isn't available on the SI version of the 2950 as you require the Crypto features and these are not available for the SI (the documentation is a little vague here but trust me I have upgraded one and it doesn't like it...). The documentation says 'Switches that support only the SI cannot run the cryptographic image.'
    802.1x with VLAN assignment is available only in the latest IOS - or at least since 12.1(22).
    SNMPv3 is supported.
    HTH
    Andy

  • 802.1x dynamic vlan assignment using ACS 4.2

    Hi
    we have 10 switches 2960 configured with 802.1x authentication against ACS server 4.2.
    we have 2 vlans configured on the switches for administrator and endusers. the end user vlan id is 10 and the administartor vlan is is 100.
    we need to apply the following scenario, if the enduser PC - that is connected to vlan 10 - has an issue and the administrator will login to the PC with the administrator account to fix that issue, the switch should dynamically reconfigure the port with the administrator vlan ( 100 ) .
    is the above scenario doable using dot1x with the ACS server?
    waiting your replies
    Mohamed

    Hi,
    I have the following scenario
    2 bulidings with multiple floor
    Each floor should be in different VLAN.
    The network should be authenticated with 802.1x and each switch port should be assigned with dynamic VLAN from ACS.
    Each
    user should be able to connect and roam around between any building.
    when ever a user is connecting his laptop to any floor, he should be
    made part of that respective vlan. It is not requred to have the same
    IP rage to be allocated, but the dynamic VLAN should be based on the
    switch port location.
    Can
    I configure ACS in such a way that, the ACS will allocate dynamic VLAN
    for every 802.1x authentication  based on the Network Device Group.
    Please refer the attached diagram
    Hi,
    Check out the below link for your requirement for dynamic vlan assignement using ACS
    http://www.ciscosystems.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml
    Hope to Help !!
    Ganesh.H
    Remember to rate the helpful post

  • WoL over 802.1X with Vlan Assignement

    Hello
    I have a switch 3560, and an ACS v4
    In phase of test i have an infrastructure with 802.1X PEAP with automatic VLAN assignation by the ACS according to the Machine.
    My question is:
    it possible to implement Wake One Lan on 802.1x with a assigantion of vlan not statics (i.e. without use of command Switchport access vlan XXX)
    PS: if I do in statics the VLAN on a port Wake one Lan work without Pb with 802.1X

    Ok, on interface 0/19 :
    Switchport mode access
    speed 100
    duplex Full
    dot1x pae authenticator
    dot1x port-control auto
    dot1x control-direction in
    spanning-tree portfast
    The software use is like "wolcmd" with configuration of
    MAC address of the PC
    IP of the PC (give by DHCP reservation)
    Subnet mask
    Remote port Number : 7
    The authentication on ACS work fine and on ACS whe have this field
    [064] Tunnel-Type
    value : VLAN
    [065] Tunnel-Medium-Type
    Value : 802.
    [Tunnel-Private-Group-ID]
    Value : 69
    In fact, the only difference between config is assignation static or dynamic of VLAN
    I don't know if this what you wan't
    thanks

  • 802.1x with Vlan assignment and IP phone and PC

    I have a Catalyst 4510R and I want to im plement 802.1x with dynamic VLAN assignment via Radius server. I am going to plug to switch ports Cisco IP phones and PCs (PCs are plugged in the IP phone).
    For this implementation I need to configure the switch port in mode trunk because I have voice vlan corresponding IP phone and data vlan corresponding to PC.
    However I have read that I can not enable 802.1x on a trunk port.
    How could I configure this?
    I need that when the PC is authenticated correctly is assigned to his cooresponding data vlan and the IP phone is in the voice vlan.
    Thanks

    You should configure the port as an access port with an aux-vlan. Here's an example:
    interface GigabitEthernet2/2
    switchport access vlan 701
    switchport mode access
    switchport voice vlan 702
    load-interval 30
    qos trust device cisco-phone
    qos trust cos
    auto qos voip cisco-phone
    dot1x pae authenticator
    dot1x port-control auto
    tx-queue 3
    bandwidth percent 33
    priority high
    shape percent 33
    spanning-tree portfast
    spanning-tree bpduguard enable
    service-policy output autoqos-voip-policy
    Hope this helps,

  • 802.1x dynamic VLAN assignment with Radius NPS Server

    I can NOT get the NPS and Cisco 3550 switch to drop the authenticated user in a VLAN.
    I have followed this documentation,
    http://msdn.microsoft.com/en-us/library/dd314181(v=ws.10).aspx
    that basically says to use these Radius attributes,
    Tunnel-Medium-Type : 802
    Tunnel-Pvt-Group-ID  :  My_VLAN_Number  (also tried VLAN name)
    Tunnel-Type  : VLAN
    There is some Cisco documentation that says to use Vendor Specific attributes Cisco-AV-Pair,
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2950/software/release/12-1_19_ea1/configuration/guide/2950scg/swauthen.html#wpxref83693
    and I have also tried that,
    cisco-avpair= "tunnel-type(#64)=VLAN(13)"
    cisco-avpair= "tunnel-medium-type(#65)=802 media(6)"
    cisco-avpair= "tunnel-private-group-ID(#81)=vlanid"
    My user authenticates on the port fine, but doesn't get put into a VLAN.  If I add "sw acc vlan 110"  then the user authenticates and then does get an IP address in that VLAN and all is well.
    Anybody know how to get dynamic VLAN assignment working with NPS?
    NPS on Win 2012 R2
    Domain controller separate Win 2012 R2 server
    Cisco 3550 switch

    Hi All, Can any one guide me to
    configure 802.1x with acs 5.0. Its totally new look and m not able to
    find document related to 802.1x.Thanks
    Hi,
    Check out the below link on how to configure 802.1x and ACS administration hope to help !!
    http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808abf2d.shtml#MDA
    Ganesh.H

  • 802.1x Dynamic Vlan assignment using ACS

    Hi,
    I have the following scenario
    2 bulidings with multiple floor
    Each floor should be in different VLAN.
    The network should be authenticated with 802.1x and each switch port should be assigned with dynamic VLAN from ACS.
    Each user should be able to connect and roam around between any building. when ever a user is connecting his laptop to any floor, he should be made part of that respective vlan. It is not requred to have the same IP rage to be allocated, but the dynamic VLAN should be based on the switch port location.
    Can I configure ACS in such a way that, the ACS will allocate dynamic VLAN for every 802.1x authentication  based on the Network Device Group. Please refer the attached diagram

    Hi,
    I have the following scenario
    2 bulidings with multiple floor
    Each floor should be in different VLAN.
    The network should be authenticated with 802.1x and each switch port should be assigned with dynamic VLAN from ACS.
    Each
    user should be able to connect and roam around between any building.
    when ever a user is connecting his laptop to any floor, he should be
    made part of that respective vlan. It is not requred to have the same
    IP rage to be allocated, but the dynamic VLAN should be based on the
    switch port location.
    Can
    I configure ACS in such a way that, the ACS will allocate dynamic VLAN
    for every 802.1x authentication  based on the Network Device Group.
    Please refer the attached diagram
    Hi,
    Check out the below link for your requirement for dynamic vlan assignement using ACS
    http://www.ciscosystems.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml
    Hope to Help !!
    Ganesh.H
    Remember to rate the helpful post

  • Wrvs4400n vlans/ssid/dhcp issue

    Hi all,
    it will be great if someone will help me with my problem.
    the problem is : our wrvs4400n  wifi router configuration.
    network description: we need 2 separated wifi networks one for guests and one for internal access, and i configured them on router, and also configured each one of them to different vlan, guests to vlan 200 and internal use default vlan 1.
    vlan 1 configured as dhcp relay and its working pritty well.
    vlan 200 configured as dhcp and the problem begins here.
    somehow  on vlan 200 i get dhcp from our externam dhcp server,
    wrvs4400n conected  as follow> lan port1/vlan 200 connected to firewall port(configured as vlan 200) and lan port 4/vlan1 conected to our main switch wich connected to firewall also.
    i guess that my knowlege in networking its not so good......
    how can i prevent from our internal dhcp to comunicate with vlan 200 ,
    any help will be very appreciated.

    Hi Rich,
    You cannot have different L3 VLANs sharing the same subnet.
    Each VLAN must have it's own subnet and then you have a routing device routing between both VLANs.
    You should have a DHCP pool also for VLAN 111 configured on the DHCP server.
    Even if you have ip helper address configured and this should be done on the VLAN111 interface of the switch, you still need a DHCP pool for VLAN 111 because the DHCP discovery is coming on VLAN 111.
    Please take a look into this document:
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665ceb.shtml.
    Here it explains how to configure 2 ssids on 2 vlans and dhcp pool (on the switch itself) for each vlan.
    HTH,
    Tiago
    If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

  • 802.1x dynamic vlan assignment based on MAC?

    Hello,
    I am using Catalyst3750 and Widows AD Authentication.
    Our customers' pc is runnnig Windows (isn't 802.1x capable) that is connected to the catalyst switch.
    Is it possible to dynamic assign a Vlan based on MAC?
    When possible, we want to make it without using VMPS.
    and, is there any document relating to the above.
    Thanks a lot for you help.
    Tomoyuki

    Hello Tomoyuki,
    which Radius Server are you using to authenticate your Clients?
    For the Secure ACS you can configure a feature called "MAC-Authentication-Bypass" which fullfils your requirements.
    This Feature must be configured on the Switch and on the Radius Server (which does the vlan assigment based on the MAC-Address of the Client)
    An Overwiew of this feature can be found here:
    http://www.cisco.com/univercd/cc/td/doc/solution/macauthb.pdf
    I hope this helps,
    Kind regards,
    Chris

  • 802.1x with VLAN assignment through MS IAS radius

    What is the correct input syntax of the cisco VAS at the MS IAS?
    Cisco Vendor ID = 9
    - [64] Tunnel-Type = VLAN
    - [65] Tunnel-Medium-Type = 802
    - [81] Tunnel-Private-Group-ID = VLAN NAME
    Thanks

    Not sure of this but this link could be of some help : http://www.microsoft.com/windows2000/technologies/communications/ias/

  • 802.1x dynamic vlan assignment with acs5.0

    Hi All, Can any one guide me to configure 802.1x with acs 5.0. Its totally new look and m not able to find document related to 802.1x.
    Thanks

    Hi All, Can any one guide me to
    configure 802.1x with acs 5.0. Its totally new look and m not able to
    find document related to 802.1x.Thanks
    Hi,
    Check out the below link on how to configure 802.1x and ACS administration hope to help !!
    http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808abf2d.shtml#MDA
    Ganesh.H

  • 802.1x Vlan Assignment

    I am planning to implement 802.1x on a 4506 switch. The issue that i have is i have 5 user Departmental vlan on the switch. How can i configure the ACS to assigned vlan for each of my user to their respected departmental vlan? please help

    That can be done, it's called "Using 802.1X with VLAN Assignment". Here is a link on cat4000 on how to configure 802.1X with VLAN assignment:
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/12_2_25a/conf/dot1x.htm#wp1142124
    And here is a link on Using a RADIUS Server to Assign Users to VLANs:
    http://www.cisco.com/univercd/cc/td/doc/product/wireless/airo1200/accsspts/b1237ja/i1237sc/s37vlan.htm#wp1038739
    I hope this helps.

  • Yet another IAS + 802.1x dynamic vlan question

    hello all
    For the last 18 months or so there's been a steady stream of folks trying to get dynamic assignment of a vlan to a user/group using Microsofts IAS Radius.
    Having searched thru the Netpro archives, I've never found a definitive explaination of how this is done.
    Sure, its almost common knowledge by now that the three attributes 64(Tunnel-Type=vlan), 65(Tunnel-Medium=802) and 81(Tunnel-Private-Group-ID=vlan name) need to be configured on the Radius Server.
    Recently I discovered that IAS on windows 2003 even includes the Radius "tunnel-tag" attribute, so even that can be included now(as =1).
    Still, having done this, and seeing a "debug radius" on a 2950 switch (with newest code) show the the tunnel-tag starts with "01" --- i STIll can't get this darn thing to work.
    Yes, it works for static 802.1x(no vlan assignment) against a XP sp2 client .
    Yes, I included the "aaa authorization network default group radius" statement.
    If I configure a vlan 5 named "Sales" --- nothing works. Not when I configure attribute 81=Sales in IAS, not when I configure "5" in IAS. Heck, I even used hex values--- till I got
    " Attribute 81 6 01000005 " in the debug,
    all sorts of permutations.
    Please Cisco, somebody --- help us out here.
    The fact of the matter is, though ACS is probably the best way to go(it does NAC & FAST), alot of clients say "hey - I've got a perfectly good Radius Server for FREE in Windows".
    Can anybody shed some light on this!

    Here is working IAS settings and switch config:
    Ignore-User-Dialin-Properties 4101 True
    Framed-Protocol 7 PPP
    Service-Type 6 Framed
    Tunnel-Medium-Type 65 802
    Tunnel-Pvt-Group-ID 81 102
    Tunnel-Type 64 VLAN
    Tunnel-Tag 4170 1
    *Note that I have VLAN#, not VLAN name on attribute 81
    aaa new-model
    aaa authentication dot1x default group radius none
    aaa authorization network default group radius none
    aaa accounting dot1x default start-stop group radius
    dot1x system-auth-control
    interface FastEthernet0/1
    switchport access vlan 100
    switchport mode access
    dot1x port-control auto
    dot1x timeout reauth-period 300
    dot1x guest-vlan 997
    dot1x reauthentication
    spanning-tree portfast

  • 802.1X and automatic vlan assignment

    Hello,
    I'm testing a 802.1X infrastructure :
    Switch : Try with Netgear Prosafe GS728TPS and Cisco SF300
    Radius Server  : Microsoft NPS
    DHCP Relay for address assignement by Vlan
    I have created some policies with simple authentication for testing (MSCHAP V2) and vlan assignement or not (depend on Active Directory Group).
    All work fine on a Windows 7 Pro. The user 1 is authenticated whithout vlan and the user 2 is authenticated with a vlan.
    The DHCP works fine and the 2 users have an IP.
    When I try on MAC OS X (ver. 10.7.2 and ver. 10.9.2) the user 1 (whithout vlan) work fine. I have an IP and access to the LAN. But the user 2 (with vlan) don't work. The Mac don't get an IP and I'm not on the VLAN. If i push manually an IP of the vlan, I have no access to the VLAN.
    There are some specifics parameters to add for enable vlan on Mac OS X ?
    Thanks for reply
    Ben

    Edit : It's for wired connections

Maybe you are looking for

  • Mac Mini AHT error code:  2MLB/10/4: $0004.89f1

    Have Mac Mini G4 1.42 purchased in 2005, upgraded by Apple service center to 1 Gb and never used - sat in box. I recently starting using it after putting and experienced random kernel panics and application crashes. Ran AHT which produced error code

  • How to maintain standard doclet's Javadoc options in custom doclet?

    I'm having some difficulties with a custom doclet. I've simply subclassed some of the standard doclet classes to do some custom html output (basically wrapping the output in the headers/footers/navigation of our department intranet). I want to use th

  • Two Urgent Batch Processing Questions!!

    Q1) I have over a thousand one-minute clips I need to convert to a different QUicktime format using compressor.... I have created my custom preset that I want to use for all 1000 clips. I really dont want to drag my preset manually onto all 1000 clip

  • Error: about getLog ?

    I have a code snippet: public class Test { private static Log s_logger = LogFactory.getLog(Test.class); public void test() { s_logger.debug("Test logger"); Error:The method getLog(String) in the type LogFactory is not applicable for the arguments (Cl

  • Can I override Engine Callback in Process Model?

    I'm confused. I suppose I can put the SequenceFilePostStep and the SequenceFilePostStepRuntimeError callbacks into the Process Model I use and thus override this engine callback for all my sequence files what I execute using this Process Model. What