Solved

Inconsistent drive mapping during vlan change

Posted on 2014-03-27
Last Modified: 2014-05-28
Hello all,

We are having issues with inconsistent drive mapping after a VLAN change. The client computers (running Windows 7) first authenticate against our NPS server (using MAC authentication bypass), and are then placed in VLAN 10. After the users log in, they are placed into a different VLAN based on the user's AD group membership. The actual VLAN switch works fine, and the users always end up in the right VLAN. The drives, however, aren't always there. The user's home drive is mapped via the Home Folder in the user's properties in AD, and the rest of the drives (staff data, etc.) are mapped via a group policy logon script. Drives mapped via GP are almost always mapped, but drives mapped via AD properties are missing much more often. The drives can be manually accessed from all of the VLANs.

There are no errors on the NPS side, and the only errors I can see in the event viewer are DHCPNack messages (The IP address lease 10.42.13.xx for the Network Card with network address 0x has been denied by the DHCP server 10.42.10.xx). Does anyone have any advice or a possible solution? Any info would be much appreciated.

Here's how authentication is set up locally:
Cache user information for subsequent connections to this network: Enabled
Authentication Mode: User authentication
Maximum Authentication Failures: 2
Maximum EAPOL-Start Messages Sent: Not setup
Held Period (seconds): Not setup
Start Period (seconds): Not setup
Authentication Period (seconds): Not setup
Single Sign On: Before user logon
Maximum acceptable delay for network connectivity: 10
This network uses different VLAN for authentication with machine and user credentials: Enabled
Allow additional dialogs during single sign on: Disabled
Fast Reconnect: Disabled
Authentication method: PEAP-MSCHAP V2



Here's the config for the port:
 switchport mode access
 authentication control-direction in
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication violation restrict
 mab
 dot1x pae authenticator



Thanks,
Nikita
Question by:Robert Davis
 
LVL 22

Expert Comment

by:eeRoot
ID: 39962967
I assume the issue is that the PC is trying to map the drives before being connected to the correct VLAN.  Make sure that the switch ports have the "spanning-tree portfast" command (or your switch vendor's equivalent) & try changing the "authentication order mab dot1x" command to "authentication order dot1x mab."
And, if possible, can the AD mapped drives be mapped by a login script that checks the IP address and then tries to map the drives if an IP inside VLAN 10 is detected?  If this script could be set to run in a 5 second loop for 5 minutes at login, then it would wait until the correct IP is present, then map the drives, and then exit.  I believe this is a common method used in environments that have a NAC solution.
0
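
The wait-then-map loop suggested in the comment above, as an added PowerShell example that is not part of the thread. The subnet prefix, drive letter and share path are constructed placeholders; set the prefix to the subnet the drive should be mapped from.

```powershell
# Added example, not from the thread. Logon script that polls every 5 seconds
# for up to 5 minutes until the client holds an address in the expected subnet,
# then maps the drive and exits. All default values are constructed placeholders.
param(
    [string]$ExpectedPrefix  = '10.0.20.',   # placeholder; keep the trailing dot so 10.0.2. does not match 10.0.20.
    [string]$DriveLetter     = 'H:',         # placeholder drive letter
    [string]$SharePath       = "\\fileserver.example\home\$env:USERNAME",  # placeholder UNC path
    [int]$IntervalSeconds    = 5,
    [int]$TimeoutSeconds     = 300
)

function Get-CurrentIPv4 {
    # WMI query works on Windows 7 with PowerShell 2.0; IPAddress also holds IPv6, so filter it out.
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object { $_.IPAddress } |
        Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' }
}

function Test-InExpectedSubnet([string[]]$Addresses, [string]$Prefix) {
    foreach ($a in $Addresses) {
        if ($a.StartsWith($Prefix)) { return $true }
    }
    return $false
}

$deadline = (Get-Date).AddSeconds($TimeoutSeconds)
while ((Get-Date) -lt $deadline) {
    $ips = @(Get-CurrentIPv4)
    if (Test-InExpectedSubnet $ips $ExpectedPrefix) {
        # Address from the expected subnet is bound; the old lease is no longer in use.
        if (Test-Path "${DriveLetter}\") { exit 0 }    # drive already mapped
        net use $DriveLetter $SharePath /persistent:no | Out-Null
        if ($LASTEXITCODE -eq 0) { exit 0 }
        # Mapping failed (for example, the file server is not reachable yet); retry on the next pass.
    }
    Start-Sleep -Seconds $IntervalSeconds
}

Write-Warning "No address starting with $ExpectedPrefix within $TimeoutSeconds seconds; $DriveLetter not mapped."
exit 1
```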
 
LVL 1

Author Comment

by:Robert Davis
ID: 39967194
Spanning-tree portfast is enabled, and changing the authentication order didn't make a difference.
I've considered modifying the script, but I want to see if I can make our current set up work first. Is there a way to tell the computer to do a dhcp discover right after vlan change? That way the computer isn't requesting its old IP address on the new VLAN.
0
 
LVL 22

Expert Comment

by:eeRoot
ID: 39968018
You can watch the DHCP requests if you have a packet capture tool like Wireshark or MS network monitor, either by installing it on the PC or via a port monitor session on the switch.  And if you have logging enabled on the DHCP server, the requests should be logged there as well.
0
 
LVL 1

Accepted Solution

by:
Robert Davis earned 0 total points
ID: 40087534
We ended up getting rid of logon scripts for drive mapping, and we are using the "Drive Maps" option in Group Policy instead. Drive mapping works consistently now.
0
 
LVL 1

Author Closing Comment

by:Robert Davis
ID: 40095120
Changing the way we map drives fixed the problem.
0


Question has a verified solution.
