Robert Davis


Inconsistent drive mapping during VLAN change

Hello all,

We are having issues with inconsistent drive mapping after VLAN change. The client computers (running Windows 7) first authenticate against our NPS server (using MAC authentication bypass), and are then placed in VLAN 10. After the users log in, they are placed into a different VLAN based on the user's AD group membership. The actual VLAN switch works fine, and the users always end up in the right VLAN. The drives, however, aren't always there. The user's home drive is mapped via the Home Folder in the users' properties in AD, and the rest of the drives (staff data, etc.) are mapped via a group policy logon script. Drives mapped via GP are almost always mapped, but drives mapped via AD properties are missing much more often. The drives can be manually accessed from all of the VLANs. There are no errors on the NPS side, and the only errors I can see in the event viewer are DHCPNack messages (The IP address lease 10.42.13.xx for the Network Card with network address 0x has been denied by the DHCP server 10.42.10.xx). Does anyone have any advice or a possible solution? Any info would be much appreciated.

Here's how authentication is set up locally:
Cache user information for subsequent connections to this network is enabled 	
Authentication Mode: User authentication 	
Maximum Authentication Failures: 	2
Maximum EAPOL-Start Messages Sent: 	Not setup	
Held Period (seconds): 	Not setup	
Start Period (seconds): 	Not setup	
Authentication Period (seconds): 	Not setup
Single Sign On: Before user logon
Maximum acceptable delay for network connectivity: 10 	
This network uses different VLAN for authentication with machine and user credentials is enabled 
Allow additional dialogs during single sign on is disabled
Fast Reconnect is disabled
Authentication method is PEAP-MSCHAP V2

Here's the config for the port:
 switchport mode access
 authentication control-direction in
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication violation restrict
 mab
 dot1x pae authenticator

Thanks,
Nikita
eeRoot

I assume the issue is that the PC is trying to map the drives before being connected to the correct VLAN.  Make sure that the switch ports have the "spanning-tree portfast" command (or your switch vendor's equivalent) & try changing the "authentication order mab dot1x" command to "authentication order dot1x mab."
And, if possible, can the AD mapped drives be mapped by a login script that checks the IP address and then tries to map the drives if an IP inside VLAN 10 is detected?  If this script could be set to run in a 5 second loop for 5 minutes at login, then it would wait until the correct IP is present, then map the drives, and then exit.  I believe this is a common method used in environments that have a NAC solution.
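
One way to write the wait-then-map logon script suggested in the answer above, as an added example that is not part of the original thread and is not code from either poster. The subnet prefix, drive letter and share path are placeholders to replace with the site's own values; the 5 second interval and 5 minute limit are taken from the answer.

```powershell
# Added example (not from the thread): poll until the adapter holds an address
# in the expected subnet, then map the home drive and exit.
param(
    # Placeholder: prefix(es) of the subnet(s) the client should land in.
    # Keep the trailing dot so '192.0.2.' does not also match '192.0.20.x'.
    [string[]]$ExpectedPrefixes = @('192.0.2.'),
    [string]$DriveLetter = 'H:',
    # Placeholder share path; built by concatenation so the '$' stays literal.
    [string]$HomeShare = ('\\fileserver.example\home$\' + $env:USERNAME),
    [int]$PollSeconds = 5,       # "5 second loop"
    [int]$TimeoutSeconds = 300   # "for 5 minutes"
)

function Test-ExpectedAddress {
    param([string[]]$Prefixes)
    # WMI class present on Windows 7 with PowerShell 2.0; IPAddress lists
    # every IPv4 and IPv6 address bound to each enabled adapter.
    $configs = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    foreach ($cfg in $configs) {
        foreach ($ip in $cfg.IPAddress) {
            foreach ($p in $Prefixes) {
                if ($ip.StartsWith($p)) { return $true }
            }
        }
    }
    return $false
}

$deadline = (Get-Date).AddSeconds($TimeoutSeconds)
while ((Get-Date) -lt $deadline) {
    if (Test-ExpectedAddress -Prefixes $ExpectedPrefixes) {
        # Already mapped and reachable: nothing to do.
        if (Test-Path ($DriveLetter + '\')) { exit 0 }
        net use $DriveLetter $HomeShare /persistent:no | Out-Null
        if ($LASTEXITCODE -eq 0) { exit 0 }
        # Address is correct but the share did not answer yet; retry next pass.
    }
    Start-Sleep -Seconds $PollSeconds
}

Write-Warning "Gave up after $TimeoutSeconds s: $DriveLetter was not mapped."
exit 1
```

A non-zero exit with the warning gives the logon script log something to correlate with the DHCPNack events on the client and the lease log on the DHCP server.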

ASKER

Spanning-tree portfast is enabled, and changing the authentication order didn't make a difference.
I've considered modifying the script, but I want to see if I can make our current setup work first. Is there a way to tell the computer to do a DHCP discover right after VLAN change? That way the computer isn't requesting its old IP address on the new VLAN.
You can watch the DHCP requests if you have a packet capture tool like Wireshark or MS network monitor, either by installing it on the PC or via a port monitor session on the switch.  And if you have logging enabled on the DHCP server, the requests should be logged there as well.
ASKER CERTIFIED SOLUTION
Robert Davis

Changing the way we map drives fixed the problem.