Article ID: 935638
Consider the following scenario:
This problem occurs because dynamic VLAN switching is not supported when it is used together with 802.1X authentication.
Note: We highly recommend that you do not use roaming profiles together with 802.1X authentication.
Why dynamic VLAN switching is not supported when it is used together with 802.1X authentication
The 802.1X authentication process and the Winlogon process are two distinct processes that are not interrelated. Both these processes occur regardless of the state of the other. In dynamic VLANs, the client computer is given a valid IP address when the computer starts. When the user logs on to the computer, the 802.1X authentication process and the Winlogon process occur at the same time. First, the network connection is reauthenticated by using the user credentials. If the authentication is successful, the dynamic VLAN switch or the access point moves the client computer to a new VLAN. However, exactly at the same time, the Winlogon process is validating a domain controller. Additionally, the Winlogon process tries to obtain GPOs, logon scripts, and roaming profiles from the domain controller. When VLANs are switched, the Winlogon process is interrupted, and the process does not restart.
Why we do not recommend that you use roaming profiles together with 802.1X authentication
If you use a computer certificate or a user certificate that resides in the roaming profile, and if the roaming profile becomes too large, you may experience problems when you try to authenticate the user. You cannot authenticate the user because you do not have the certificate yet. You have to download the roaming profile to gain access to the certificate. If the roaming profile is small, you can download it quickly. However, if the roaming profile exceeds a size of 10 megabytes (MB), you experience problems.
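An added example, not part of the original article: a PowerShell check that lists roaming profiles whose stored size exceeds the 10 MB figure given above. The share path `\\fileserver\profiles$` and the function name are hypothetical, and the script assumes one folder per user directly under the share and measures the whole folder as stored on disk.

```powershell
# Added example: report roaming profiles larger than the 10 MB size named above.
# $ProfileRoot is a hypothetical path; point it at your own profile share.
function Get-OversizedRoamingProfile {
    param(
        [Parameter(Mandatory = $true)][string]$ProfileRoot,
        [long]$ThresholdBytes = 10MB
    )

    foreach ($dir in Get-ChildItem -LiteralPath $ProfileRoot -Directory -Force) {
        $errs = @()
        # -Force includes hidden and system files such as NTUSER.DAT.
        $files = Get-ChildItem -LiteralPath $dir.FullName -Recurse -File -Force `
                     -ErrorAction SilentlyContinue -ErrorVariable errs

        # Measure-Object returns no Sum for an empty folder; treat that as 0 bytes.
        $sum = ($files | Measure-Object -Property Length -Sum).Sum
        if ($null -eq $sum) { $sum = 0 }

        [pscustomobject]@{
            Profile       = $dir.Name
            SizeMB        = [math]::Round($sum / 1MB, 2)
            OverThreshold = $sum -gt $ThresholdBytes
            # Unreadable items mean the size is a lower bound, not an exact figure.
            Unreadable    = $errs.Count
        }
    }
}

# Hypothetical share path; largest profiles are listed first.
Get-OversizedRoamingProfile -ProfileRoot '\\fileserver\profiles$' |
    Sort-Object SizeMB -Descending |
    Format-Table -AutoSize
```

A nonzero `Unreadable` count means the account running the check could not read part of that profile, so the reported size may understate the real one.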
Article ID: 935638 - Last Review: September 14, 2007 - Revision: 2.1