//creamcookie

Implementing 802.1x - XP and Dynamic VLAN Switching

Jul 8th 2008

Following on from my previous post, Implementing 802.1x - Lessons learned, we have encountered a new, more drastic problem. Microsoft has confirmed that Windows XP does not support dynamic VLAN switching. This has scuppered our plans for a secure wireless network in which the user account determines which dedicated VLAN the client is placed on, irrespective of site, making it easier for users to reach the systems they need without additional configuration from IT.

What we Wanted:
The initial plan was to use the machine account (checked against Active Directory) to place the client on a machine-only VLAN. This would allow admin work such as AV updates, security compliance checks and RDP sessions to be carried out, while access to all other network resources would be denied.

A user could then log on and, depending on which network group they were in, be verified against Active Directory and placed on the appropriate VLAN, which had access permissions set according to the group. This would allow them to move between sites with no additional firewall/ACL changes made by IT.

The Problem:
The problem arises when the VLAN switch occurs. After re-authentication, Windows XP sends a DHCP REQUEST to the DHCP server. This REQUEST includes the IP address from the previous VLAN, which is no longer valid in the new VLAN, so the DHCP server sends a NACK (Not Acknowledged) to the client. The client then waits a few seconds and sends another DHCP REQUEST, which fails again. What it should do is send a DHCP DISCOVER to obtain a new IP address.

According to Microsoft this is because the NETLOGON service works independently of the 802.1x authentication process: neither waits on the other, which leads to conflicts 75% of the time.

Updating to XP service pack 3 does not resolve the issue.
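A way to spot clients stuck in this REQUEST/NACK loop from the DHCP server's own logs, added here as an example and not part of the original post: it counts, per client MAC, the trailing run of lease-denied (NACK) events that is not followed by a new lease. The sample entries are constructed and assume the Windows DHCP server audit log layout (ID 15 = NACK, ID 10 = new lease).

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample in the layout of a Windows DHCP server audit log
# (ID,Date,Time,Description,IP Address,Host Name,MAC Address). Assumed:
# event 10 = a new IP address was leased, event 15 = a lease was denied (NACK).
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
10,07/08/08,09:00:01,Assign,10.10.20.51,WS-0042.example.local,000C29AABB01
15,07/08/08,09:03:10,NACK,10.10.20.51,WS-0042.example.local,000C29AABB01
15,07/08/08,09:03:14,NACK,10.10.20.51,WS-0042.example.local,000C29AABB01
15,07/08/08,09:03:22,NACK,10.10.20.51,WS-0042.example.local,000C29AABB01
10,07/08/08,09:00:05,Assign,10.10.20.52,WS-0043.example.local,000C29AABB02
15,07/08/08,09:04:00,NACK,10.10.20.52,WS-0043.example.local,000C29AABB02
10,07/08/08,09:04:03,Assign,10.10.30.17,WS-0043.example.local,000C29AABB02
"""

NACK = "15"
ASSIGN = "10"


def parse_events(text):
    """Yield (mac, event_id, ip, time) tuples from audit-log CSV text."""
    for row in csv.DictReader(StringIO(text)):
        yield row["MAC Address"], row["ID"], row["IP Address"], row["Time"]


def find_stuck_clients(text, min_nacks=2):
    """Return {mac: nack_count} for clients whose most recent events are
    min_nacks or more NACKs with no new lease afterwards.

    A client that is NACKed once and then obtains a fresh lease fell back
    to DISCOVER correctly; a client whose history ends in a run of NACKs is
    still repeating the REQUEST for its old-VLAN address.
    """
    trailing = defaultdict(int)  # consecutive NACKs at the tail of each client's history
    for mac, event_id, _ip, _time in parse_events(text):
        if event_id == NACK:
            trailing[mac] += 1
        elif event_id == ASSIGN:
            trailing[mac] = 0  # a new lease ends the loop
    return {mac: n for mac, n in trailing.items() if n >= min_nacks}


if __name__ == "__main__":
    for mac, count in find_stuck_clients(SAMPLE_LOG).items():
        print(f"{mac}: {count} consecutive NACKs, no new lease")
```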

The KB article is here:

http://support.microsoft.com/?kbid=935638

The support forum thread is here:

http://forums.technet.microsoft.com/en-US/winserverNAP/thread/f68dc3f0-744a-4d0f-b85a-87f8bc531fd0/
