Solved

Inconsistent drive mapping during vlan change

Posted on 2014-03-27
Last Modified: 2014-05-28
Hello all,

We are having issues with inconsistent drive mapping after a VLAN change. The client computers (running Windows 7) first authenticate against our NPS server (using MAC authentication bypass), and are then placed in VLAN 10. After the users log in, they are placed into a different VLAN based on the user's AD group membership. The actual VLAN switch works fine, and the users always end up in the right VLAN. The drives, however, aren't always there. The user's home drive is mapped via the Home Folder in the users' properties in AD, and the rest of the drives (staff data, etc.) are mapped via a group policy logon script. Drives mapped via GP are almost always mapped, but drives mapped via AD properties are missing much more often. The drives can be manually accessed from all of the VLANs. There are no errors on the NPS side, and the only errors I can see in the event viewer are DHCPNack messages (The IP address lease 10.42.13.xx for the Network Card with network address 0x has been denied by the DHCP server 10.42.10.xx). Does anyone have any advice or a possible solution? Any info would be much appreciated.

Here's how authentication is set up locally:
Cache user information for subsequent connections to this network is enabled 	
Authentication Mode: User authentication 	
Maximum Authentication Failures: 	2
Maximum EAPOL-Start Messages Sent: 	Not setup	
Held Period (seconds): 	Not setup	
Start Period (seconds): 	Not setup	
Authentication Period (seconds): 	Not setup
Single Sign On: Before user logon
Maximum acceptable delay for network connectivity: 10 	
This network uses different VLAN for authentication with machine and user credentials is enabled 
Allow additional dialogs during single sign on is disabled
Fast Reconnect is disabled
Authentication method is PEAP-MSCHAP V2

Here's the config for the port:
 switchport mode access
 authentication control-direction in
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication violation restrict
 mab
 dot1x pae authenticator

Thanks,
Nikita
0
Question by:Robert Davis
5 Comments
Expert Comment

by:eeRoot
I assume the issue is that the PC is trying to map the drives before being connected to the correct VLAN.  Make sure that the switch ports have the "spanning-tree portfast" command (or your switch vendor's equivalent) & try changing the "authentication order mab dot1x" command to "authentication order dot1x mab."
   And, if possible, can the AD mapped drives be mapped by a login script that checks the IP address and then tries to map the drives if an IP inside VLAN 10 is detected?  If this script could be set to run in a 5 second loop for 5 minutes at login, then it would wait until the correct IP is present, then map the drives, and then exit.  I believe this is a common method used in environments that have a NAC solution.
0
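
An added example, not code from the thread or its participants: a PowerShell logon script implementing the wait-then-map loop suggested above (poll every 5 seconds for up to 5 minutes). It treats "the correct IP" as any IPv4 address outside the pre-logon VLAN subnet; the subnet prefix, server name and share paths are placeholder assumptions.

```powershell
# Added example: wait for a post-authentication address, then map drives.
# Every value in the param block is a hypothetical placeholder.
param(
    [string]$PreAuthPrefix = '10.0.10.',   # assumed prefix of the pre-logon VLAN subnet
    [hashtable]$Drives = @{
        'H:' = '\\fileserver.example\home$\' + $env:USERNAME
        'S:' = '\\fileserver.example\staff'
    },
    [int]$IntervalSeconds = 5,
    [int]$TimeoutSeconds  = 300
)

function Get-CurrentIPv4 {
    # WMI is used because Get-NetIPAddress does not exist on Windows 7.
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object { $_.IPAddress } |
        Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' -and $_ -notlike '169.254.*' }
}

function Test-UserVlanAddress([string[]]$Addresses, [string]$Prefix) {
    # True when at least one address lies outside the pre-logon subnet.
    @($Addresses | Where-Object { $_ -and -not $_.StartsWith($Prefix) }).Count -gt 0
}

# Poll until the DHCP lease on the user VLAN has arrived, or give up.
$deadline = (Get-Date).AddSeconds($TimeoutSeconds)
while (-not (Test-UserVlanAddress (Get-CurrentIPv4) $PreAuthPrefix)) {
    if ((Get-Date) -ge $deadline) {
        Write-Warning "No user-VLAN address after $TimeoutSeconds s; drives not mapped."
        exit 1
    }
    Start-Sleep -Seconds $IntervalSeconds
}

foreach ($letter in $Drives.Keys) {
    if (Test-Path "$letter\") { continue }   # already mapped, nothing to do
    # Maps with the logged-on user's own credentials; none are stored in the script.
    net use $letter $Drives[$letter] /persistent:no | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Mapping $letter failed (net use exit code $LASTEXITCODE)."
    }
}
```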
Author Comment

by:Robert Davis
Spanning-tree portfast is enabled, and changing the authentication order didn't make a difference.
I've considered modifying the script, but I want to see if I can make our current setup work first. Is there a way to tell the computer to do a DHCP discover right after the VLAN change? That way the computer isn't requesting its old IP address on the new VLAN.
0
Expert Comment

by:eeRoot
You can watch the DHCP requests if you have a packet capture tool like Wireshark or MS Network Monitor, either by installing it on the PC or via a port monitor session on the switch.  And if you have logging enabled on the DHCP server, the requests should be logged there as well.
0
Accepted Solution

by:
Robert Davis earned 0 total points
We ended up getting rid of logon scripts for drive mapping, and we are using the "Drive Maps" option in Group Policy instead. Drive mapping works consistently now.
0
Author Closing Comment

by:Robert Davis
Changing the way we map drives fixed the problem.
0
