Manish D'souza
We want to configure IBNS on the WinXP platform. The core
switch is CISCO 3550 & the Radius server is CISCO ACS
Server.
We conducted extensive tests on WinXP SP1a & Win2K SP3 for
user based VLAN authentication with Windows client as
well as third party client (Odyssey Funk) & have listed
our observations below.
Setup WinXP SP1a : wzcsvc.dll version : 5.1.2600.1181
Setup Win2K SP3 : wzcsvc.dll version : 5.0.2195.6604
Authentication method : MD5-Challenge
-----------------------------------------------------------
The results are the same with Win2K SP3 & WinXP SP1
Login locally with the cached profile of user1
Once logged into the user's profile you get the Radius
server login prompt a few minutes after the desktop
appears.
After entering the Radius server username & password the
user gets authenticated immediately but the machine
doesn't get any IP address.
If we release & renew the IP address the user gets the IP
address for the scope specified for the VLAN that he
belongs to.
Now user can logoff & login into the domain & get
authenticated by the domain controller. The login script
executes.
Once authenticated the port state doesn't change unless
the machine is rebooted.
You can logoff & login as another user but since the port
state has not changed the new user doesn't get his
Radius server login prompt & hence continues to be in the
VLAN of the earlier user.
Even if we release & renew the IP address he still
continues to get the IP address of the earlier user's VLAN
scope.
-----------------------------------------------------------
After the machine boots, login locally with the user's
cached profile.
Disable & enable the Network card of the machine.
A few minutes after the network card gets enabled we get
the Radius Server login prompt.
After entering the Radius server username & password the
user gets authenticated immediately & the machine gets an
IP address from the scope of the VLAN that the user
belongs to, after around 30 seconds.
Now user can logoff & login into the domain & get
authenticated by the domain controller.
The login script executes.
Once authenticated the port state doesn't change unless
the machine is rebooted.
You can login as another user but the new user doesn't get
his Radius server login prompt & hence continues to be in
the VLAN of the earlier user.
Even if we release & renew the IP address he still
continues to get the IP address of the earlier user's
VLAN.
---------------------------------------------------------
Problems:
· The main problem with the windows client is
getting the IP address from the DHCP server.
· The switch port state doesn't change unless the
machine is rebooted.
· The Radius server login prompt does not appear
before the windows network login & only appears after the
desktop appears.
We have tested with a third party client (Odyssey Funk) &
it works fine.
· The login script executes the first time & then it
executes intermittently.
Does anyone have any solution for my problem?