I'm trying to achieve 802.1x authentication on Windows 7 clients. I want to achieve dynamic VLAN switching and perform the authentication with certificates. I have the following configuration on my switches:

    protocols {
        dot1x {
            authenticator {
                authentication-profile-name prof1;
                interface {
                    ge-2/0/19.0 {
                        supplicant single;
                        guest-vlan DMZ_vlan;
                    }
                }
            }
        }
    }
    access {
        radius-server {
            193.63.211.21 secret "$9$LDMX7VgoJHkPWL-wsYGU0O1Ehr8LNwY4qmcyrlMWVwYgUifTzn6CQzt01hKv"; ## SECRET-DATA
        }
        profile prof1 {
            authentication-order radius;
            radius {
                authentication-server 193.63.211.21;
            }
        }
    }

However, authentication isn't working. If I look at the interface with a connected laptop, I see this:

    ge-2/0/19.0
      Role: Authenticator
      Administrative state: Auto
      Supplicant mode: Single
      Number of retries: 3
      Quiet period: 60 seconds
      Transmit period: 30 seconds
      Mac Radius: Disabled
      Mac Radius Restrict: Disabled
      Reauthentication: Enabled
      Configured Reauthentication interval: 3600 seconds
      Supplicant timeout: 30 seconds
      Server timeout: 30 seconds
      Maximum EAPOL requests: 2
      Guest VLAN member: DMZ_vlan
      Number of connected supplicants: 1
        Supplicant: No User-philip, 5C:26:0A:1F:A6:F4
          Operational state: Authenticated
          Backend Authentication state: Idle
          Authentcation method: GuestVlan
          Authenticated VLAN: DMZ_vlan
          Session Reauth interval: 3600 seconds
          Reauthentication due in 3213 seconds

and if I log off, I see this:

    ge-2/0/19.0
      Role: Authenticator
      Administrative state: Auto
      Supplicant mode: Single
      Number of retries: 3
      Quiet period: 60 seconds
      Transmit period: 30 seconds
      Mac Radius: Disabled
      Mac Radius Restrict: Disabled
      Reauthentication: Enabled
      Configured Reauthentication interval: 3600 seconds
      Supplicant timeout: 30 seconds
      Server timeout: 30 seconds
      Maximum EAPOL requests: 2
      Guest VLAN member: DMZ_vlan
      Number of connected supplicants: 1
        Supplicant: host/53PD0P1.win.dante.org.uk, 5C:26:0A:1F:A6:F4
          Operational state: Authenticated
          Backend Authentication state: Idle
          Authentcation method: GuestVlan
          Authenticated VLAN: DMZ_vlan
          Session Reauth interval: 3600 seconds
          Reauthentication due in 3503 seconds

The odd thing is that I am not seeing any traffic from the switch asking for authentication for either the computer or the user. As a result, the connection always ends up in the guest VLAN.

I thought that I had at least got user authentication with username & password working last week but that appears to have stopped, and I'm concerned that the introduction of virtual routers on the DMZ VLAN and the office VLANs might be preventing the authentication traffic from flowing.

Any comments or suggestions, please?