Hi
I'm having a hard time configuring a wired 802.1x test lab. Everything went OK on the server side, but I'm getting some weird results when it comes to VLAN switching: every time a client authenticates it ends up in the "healthy" VLAN, meaning that it succeeded in authenticating. When I disable the 802.1x service on a client computer and it cannot authenticate, it still moves to VLAN 3, although it should be moved to VLAN 2.
-----
Environment:
NAP server: 192.168.0.10
Switch: 192.168.0.3
Client: 192.168.0.100 (static ip)
-----
Policies on NPS:
I've run a wizard to create wired 802.1x policies, including the settings concerning VLANs. My "Compliant" policy has the following settings:
Tunnel-Medium-Type: 802 (includes all 802...)
Tunnel-Pvt-Group-ID: 3
Tunnel-Type: Virtual LANs (VLAN)
Tunnel-Tag: 1
Health policy: Compliant
"Noncompliant" policy:
Tunnel-Medium-Type: 802 (includes all 802...)
Tunnel-Pvt-Group-ID: 2
Tunnel-Type: Virtual LANs (VLAN)
Tunnel-Tag: 1
Health policy: Noncompliant
"Non NAP-Capable" policy:
Tunnel-Medium-Type: 802 (includes all 802...)
Tunnel-Pvt-Group-ID: 2
Tunnel-Type: Virtual LANs (VLAN)
Tunnel-Tag: 1
In the Windows Security Health Validator I've only ticked the "firewall on" box, nothing else.
------
Switch config:
aaa authentication dot1x default group radius
aaa authorization network default group radius
authentication mac-move permit
ip subnet-zero
dot1x system-auth-control
vlan internal allocation policy ascending
vlan 2
 name non-compliant
vlan 3
 name compliant
! this is the Client interface
interface GigabitEthernet2/0/1
 switchport mode access
 dot1x pae authenticator
 spanning-tree portfast
! this is the NAP server interface
interface GigabitEthernet2/0/24
 switchport mode access
 spanning-tree portfast
interface Vlan1
 ip address 192.168.0.3 255.255.255.0
 no ip route-cache
-----
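Added example, not part of the original post: when debugging dynamic VLAN assignment it helps to look at the raw RADIUS Access-Accept the switch receives, because the switch only moves the port when Tunnel-Type (VLAN), Tunnel-Medium-Type (802) and Tunnel-Private-Group-ID all arrive under the same tag. The script below encodes the attribute triple the way the NPS policies above describe (tag 1, group ID 3 or 2), parses it back as a switch would, and returns the VLAN it would assign or None when the triple is incomplete; all attribute bytes are constructed inline, nothing is captured from a real NPS.

```python
import struct

# RFC 2868 attribute numbers and enumerated values used for VLAN assignment
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type "VLAN" (shown as "Virtual LANs (VLAN)" in NPS)
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type "802" (shown as "802 (includes all 802...)")


def build_attr(attr_type, value):
    """Encode one RADIUS attribute: type, length (header included), value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def vlan_attrs(vlan, tag=1):
    """Constructed Access-Accept attribute set matching the NPS policies in the post."""
    tag_byte = struct.pack("!B", tag)
    return (build_attr(TUNNEL_MEDIUM_TYPE, tag_byte + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + build_attr(TUNNEL_PRIVATE_GROUP_ID, tag_byte + str(vlan).encode())
            + build_attr(TUNNEL_TYPE, tag_byte + TUNNEL_TYPE_VLAN.to_bytes(3, "big")))


def parse_attrs(blob):
    """Yield (type, value) pairs from a RADIUS attribute blob, rejecting bad lengths."""
    i = 0
    while i < len(blob):
        t, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed RADIUS attribute at offset %d" % i)
        yield t, blob[i + 2:i + length]
        i += length


def assigned_vlan(blob):
    """Return the VLAN (number or name, as a string) a dot1x switch would assign, else None."""
    groups = {}
    for t, v in parse_attrs(blob):
        if t not in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            continue
        # Leading byte is a tag only when it is 0x00..0x1F; otherwise the attribute is untagged
        if v and v[0] <= 0x1F:
            tag, payload = v[0], v[1:]
        else:
            tag, payload = 0, v
        group = groups.setdefault(tag, {})
        group[t] = payload.decode(errors="replace") if t == TUNNEL_PRIVATE_GROUP_ID else int.from_bytes(payload, "big")
    for _tag, g in sorted(groups.items()):
        if (g.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN and g.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in g):
            return g[TUNNEL_PRIVATE_GROUP_ID]
    return None   # incomplete triple: the port stays in its configured access VLAN
```

An Access-Reject carries no tunnel attributes at all, so a client that lands in VLAN 3 after failing authentication is not being placed there by an Access-Accept from the "Noncompliant" policy.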