Integrity with 802.1x

Hello!

I'm trying to implement 802.1x with CP Integrity. For 802.1x I'm using Cisco switches with Cisco ACS. Users are authenticated from Windows Active Directory. The supplicant is the built-in Windows XP supplicant with PEAP and machine authentication. To fix a bug in the PEAP supplicant, I had to manually set two registry entries:

HKLM\Software\Microsoft\EAPOL\Parameters\General\Global\AuthMode to 1
HKLM\Software\Microsoft\EAPOL\Parameters\General\Global\SupplicantMode to 3

When a user is authenticated, he is dynamically put in the appropriate VLAN. This setup works like a charm without the CP Integrity agent.

The CP Integrity agent is configured per user by AD group membership. When I install the Integrity agent I have some issues with user policies depending on VLAN assignment. If the user is put in the same VLAN in which the computer is put after machine authentication, everything works fine. If the user is put in a different VLAN, user policies are not downloaded correctly, and in the log I can find the following errors:

ACCESS,2008/01/23,16:43:32 +1:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the local zone (10.10.0.51:DNS).,N/A,N/A

Address 10.10.0.51 is the DC, with DNS and DHCP services.

My doubts are:

Can CP Integrity work well with dynamic VLAN assignment, and what should be done to make that work?

Integrity changes the registry entry:

HKLM\Software\Microsoft\EAPOL\Parameters\General\Global\SupplicantMode to 2

which I have to reset manually to 3. Is it a problem if that value is 3 instead of 2, which is the installation default?

Tnx!
Marko

Last edited by mkeca; 2008-01-24 at 00:53. Reason: corrections
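
Added example, not part of the original post and not Check Point code: a small parser that tallies which peers the agent log reports as blocked, to confirm whether an infrastructure server such as the DC at 10.10.0.51 is being dropped after the VLAN change. The field layout is an assumption inferred from the single log line quoted in the post, and the second sample line is constructed.

```python
import re
from collections import Counter

# Sample input: line 1 is the entry quoted in the post; line 2 is constructed
# (comma inside the message) to exercise the field splitting.
SAMPLE_LOG = """\
ACCESS,2008/01/23,16:43:32 +1:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the local zone (10.10.0.51:DNS).,N/A,N/A
ACCESS,2008/01/23,16:44:02 +1:00 GMT,Example App, Inc. client was blocked from accepting a connection from the local zone (10.10.0.51:DNS).,N/A,N/A
"""

# Assumed layout (inferred from one line): type,date,time,message,field,field
# The meaning of the two trailing fields is unknown, so they are ignored.
BLOCK_RE = re.compile(
    r"^(?P<program>.+?) was blocked from (?P<action>.+?) "
    r"the (?P<zone>\w+) zone \((?P<peer>[\d.]+):(?P<service>[^)]+)\)\.$"
)

def parse_line(line):
    """Return a dict for one blocked-connection entry, or None if no match."""
    parts = line.rstrip("\n").split(",", 3)
    if len(parts) < 4:
        return None
    kind, date, time, rest = parts
    # The message may itself contain commas, so peel the last two fields
    # off from the right instead of splitting the whole line.
    tail = rest.rsplit(",", 2)
    if len(tail) < 3:
        return None
    m = BLOCK_RE.match(tail[0])
    if not m:
        return None
    return {"type": kind, "date": date, "time": time, **m.groupdict()}

def blocked_peers(log_text, watch=()):
    """Count blocked entries per (peer, service); mark peers listed in watch."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry:
            counts[(entry["peer"], entry["service"])] += 1
    return [(p, s, n, p in watch) for (p, s), n in counts.most_common()]

if __name__ == "__main__":
    for peer, svc, n, watched in blocked_peers(SAMPLE_LOG, watch={"10.10.0.51"}):
        flag = "  <-- watched infrastructure server" if watched else ""
        print(f"{peer}:{svc} blocked {n}x{flag}")
```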