Robert Davis
asked on
Inconsistent drive mapping during vlan change
Hello all,
We are having issues with inconsistent drive mapping after VLAN change. The client computers (running Windows 7) first authenticate against our NPS server (using MAC authentication bypass), and are then placed in VLAN 10. After the users log in, they are placed into a different VLAN based on the user's AD group membership. The actual VLAN switch works fine, and the users always end up in the right VLAN. The drives, however, aren't always there. The user's home drive is mapped via the Home Folder in the user's properties in AD, and the rest of the drives (staff data, etc.) are mapped via a group policy logon script. Drives mapped via GP are almost always mapped, but drives mapped via AD properties are missing much more often. The drives can be manually accessed from all of the VLANs. There are no errors on the NPS side, and the only errors I can see in the event viewer are DHCPNack messages (The IP address lease 10.42.13.xx for the Network Card with network address 0x has been denied by the DHCP server 10.42.10.xx). Does anyone have any advice or a possible solution? Any info would be much appreciated.
Here's how authentication is set up locally:
Cache user information for subsequent connections to this network is enabled
Authentication Mode: User authentication
Maximum Authentication Failures: 2
Maximum EAPOL-Start Messages Sent: Not setup
Held Period (seconds): Not setup
Start Period (seconds): Not setup
Authentication Period (seconds): Not setup
Single Sign On: Before user logon
Maximum acceptable delay for network connectivity: 10
This network uses different VLAN for authentication with machine and user credentials is enabled
Allow additional dialogs during single sign on is disabled
Fast Reconnect is disabled
Authentication method is PEAP-MSCHAP V2
Here's the config for the port:
switchport mode access
authentication control-direction in
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication violation restrict
mab
dot1x pae authenticator
Thanks,
Nikita
ASKER
Spanning-tree portfast is enabled, and changing the authentication order didn't make a difference.
I've considered modifying the script, but I want to see if I can make our current set up work first. Is there a way to tell the computer to do a dhcp discover right after vlan change? That way the computer isn't requesting its old IP address on the new VLAN.
You can watch the DHCP requests if you have a packet capture tool like Wireshark or MS Network Monitor, either by installing it on the PC or via a port monitor session on the switch. And if you have logging enabled on the DHCP server, the requests should be logged there as well.
ASKER CERTIFIED SOLUTION
ASKER
Changing the way we map drives fixed the problem.
And, if possible, can the AD mapped drives be mapped by a login script that checks the IP address and then tries to map the drives if an IP inside VLAN 10 is detected? If this script could be set to run in a 5 second loop for 5 minutes at login, then it would wait until the correct IP is present, then map the drives, and then exit. I believe this is a common method used in environments that have a NAC solution.
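The two ideas raised in the thread (forcing a fresh DHCP lease right after the VLAN change, and a logon script that polls for the post-authentication address before mapping the home drive) can be combined in one script. The following is an added example written for this page, not code from the thread or from any of the participants. It assumes, as placeholders, that the pre-authentication VLAN 10 uses the 10.42.13.x prefix seen in the DHCPNack events, that the home drive is H: on a share called \\FILESERVER\home$\<username>, and that the script runs as a user logon script on Windows 7 (PowerShell 2.0, so it relies only on WMI, ipconfig and net use).

```powershell
# Added example for the thread above; not from the original post or answers.
# Placeholders to adjust for your environment:
#   $PreAuthPrefix  - address prefix of the pre-auth VLAN (10.42.13.x in the question)
#   $HomeDrive      - drive letter the AD Home Folder would normally assign
#   $HomeShare      - UNC path of the user's home folder (hypothetical server name)
$PreAuthPrefix  = '10.42.13.'
$HomeDrive      = 'H:'
$HomeShare      = '\\FILESERVER\home$\' + $env:USERNAME
$PollSeconds    = 5       # check every 5 seconds ...
$TimeoutSeconds = 300     # ... for at most 5 minutes, as proposed in the thread
$LogFile        = Join-Path $env:TEMP 'logonmap.log'

function Get-ActiveIPv4 {
    # IPv4 addresses currently bound to enabled adapters (DHCP or static).
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object { $_.IPAddress } |
        Where-Object { $_ -and $_ -match '^\d{1,3}(\.\d{1,3}){3}$' }
}

function Test-OnProductionVlan {
    $ips = @(Get-ActiveIPv4)
    # No address at all: the client is still between the old lease and the new one.
    if ($ips.Count -eq 0) { return $false }
    # Any remaining pre-auth address means the move to the user VLAN is not finished.
    foreach ($ip in $ips) {
        if ($ip.StartsWith($PreAuthPrefix)) { return $false }
    }
    return $true
}

function Write-Log([string]$Message) {
    # Leaves a trace for the helpdesk when the drive ends up missing.
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $LogFile -Append
}

# Release the VLAN 10 lease and ask for a new one, instead of letting the client
# keep requesting its old address on the new VLAN (what the DHCPNack events show).
$null = & ipconfig.exe /release
$null = & ipconfig.exe /renew
Write-Log 'Released and renewed DHCP lease after logon'

$deadline = (Get-Date).AddSeconds($TimeoutSeconds)
while ((Get-Date) -lt $deadline) {
    if (Test-OnProductionVlan) {
        # Only map once the share is actually reachable from the new VLAN.
        if (Test-Path -Path $HomeShare) {
            & net.exe use $HomeDrive $HomeShare /persistent:no
            Write-Log "Mapped $HomeDrive to $HomeShare with address(es): $(Get-ActiveIPv4)"
            exit 0
        }
        Write-Log "Production address present but $HomeShare not reachable yet"
    }
    Start-Sleep -Seconds $PollSeconds
}

Write-Log "Gave up after $TimeoutSeconds s: still on pre-auth VLAN or no address"
exit 1
```

Assign the script as a user logon script through Group Policy (the same mechanism already used for the staff data drives) and stop relying on the AD Home Folder attribute for the drive it maps, since that attribute is processed once at logon with whatever address the client holds at that moment. The /release and /renew pair answers the question of how to make the client send a new DHCP Discover after the VLAN change; the polling loop covers the case where the lease renewal itself takes a few seconds, and the log file in %TEMP% tells you which branch the script exited through when a user reports a missing drive.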