The Moose and Squirrel Files

August 31, 2008

802.1x and Wake on LAN

Filed under: Network — Tags: , — networknerd @ 4:04 pm

The 802.1x standard makes allowances for WOL by allowing port control to be uni-directional or bidirectional.

The real problem occurs when you configure cisco switches to use auth fail vlans, and guest vlans. These are designed for computers that fail authentication, or don’t have a supplicant respectively. The interface commands would be something like this.

switchport access vlan 900

switchport mode access

dot1x pae authenticator

dot1x port-control auto

dot1x control-direction in

dot1x guest-vlan 999

dot1x auth-fail vlan 999

Now when a port has this type of config and the computer is turned off there is a very brief link state transition which causes the port to become unauthenticated. The switch will attempt to start authentication a number of times before timing out and placing the port into the auth fail/guest vlan.

Now most management software like SMS keeps an inventory of the PC’s mac address and last known ip address.  The WOL magic packets are sent to the broadcast address of the network where the PC was last known.  All good except that the network card is now listening in the auth fail/guest vlan.  The WOL packets will never reach the intended destination.

I wish that I could say I had a brilliant solution, but unfortunately I only have a workaround that depends entirely on what wakeup product you have.

The workaround is to follow/tail the logs generated by your management software’s wakeup package and extract the mac address and the IP address.  By performing a little math/scripting manipulation you can then execute a separate WOL destined for the mac address and the authfail/guest network.

I use MC-WOL, but any wake-on-lan utility will do. Obviously every network will be different, and the math you use to perform the broadcast IP address transform depends on your network structure.  If the subnetting is consistent it will be simple.  If not then it may pay to pre-fill a dictionary/hash and perform a lookup.

For SMS-Wakeup (an addon from 1E for M$’s SMS) the log files look like

9/5/2007 14:01:36: send_magicpkt (03) for broadcast on [00:40:CA:69:34:EE]

and we can use a simple vbscript filter to read the tailed output from the logfile and do the transform.  I used the code below  with the tail utility in the windows resource kit for my proof of concept. Whatever you do make sure to check behaviour of your code when the log file rolls over.  NetIQ security manager has the ability to tail text logs, parse them and execute programs in response to an event.  It also handles log rollovers gracefully. In my case using NetIQ was a no-brainer, but it really shouldn’t be that difficult to customise code to suit your environment.

option explicit
Const IP_PARAM = 5
Const MAC_PARAM = 9
dim strLine,strArray,item,ip_addr,octets,strMAC,WshShell
Set WshShell = WScript.CreateObject("WScript.Shell")
Do While Not wscript.StdIn.AtEndOfStream
  strLine = wscript.stdin.readline
  if (instr(1,strLine,"send_magicpkt")> 0) then
    strArray = split(strLine)
    octets = split(strArray(IP_PARAM),".")
    octets(2) = octets(2) + 3 'perform the IP address transform to get the guest network
    octets(3) = 127               'broadcast address
    ip_addr = join(octets,".")
  end if
  strMAC = mid(strArray(MAC_PARAM),2,17) 'remove leading '[' and trailing ']' "mc-wol "  & strMAC & " /a " & ip_addr


  1. Hello all,

    just in case anyone is interested, I just wrote an application (that can be run as as service) which monitor the 1E SMSWakeUP Log file and WOL PC that are shutdown using directed broadcast.

    When there are logs entry showing IP, subnet and mac addresses, the application detect the information and based on a list of networks it knows (configurable), obtain the actual broadcast address to send the WOL magic packet to.

    I also have been in contact with 1E so that they actually come up with a solution for this problem. If more people contact them, this will speed up the process of actually getting an update.

    I will monitor this list if anyone is interested.

    Comment by Yvon — February 13, 2009 @ 12:59 pm

  2. We’re trying to configure 802.1x and WOL with the exact scenario above. With a guest/auth vlan with not much success. We also do happen to use 1E’s product. Any ideas if we can configure the switch to allow magic packets to arrive to a port regardless of the port status? (Assuming the PC is in a power off state). If not then we would have to look at a work around like above.


    Comment by John — November 8, 2010 @ 10:28 am

    • Hello John,
      At the time I was wrestling with this one we put in a “Request For Enhancement” to 1E and I believe that they now support 802.1x. I’m told that it wasn’t implemented in the manner we hoped so I haven’t really delved into it much more. It may be the quickest way if you have 1E already. Another method that was suggested to me was to use a cisco router using integrated bridging and routing between two switch ports. You could apply an access list on the guest side to drop all packets and an access list to drop all but wakeup packets on the authenticated side. I didn’t try this one as it seemed to be one config error away from a disaster, athough it is sound in theory.

      As far as I know there is no way to configure the switch to handle magic packets when you have aguest/auth fail vlan configured.

      Comment by networknerd — November 9, 2010 @ 6:01 am

      • Hello John,

        Can you explain what you mean by “Any ideas if we can configure the switch to allow magic packets to arrive to a port regardless of the port status?”

        If I remember well (as we kind of put that on ice) “dot1x control-direction in” is the important command here. It let everything go to the connected device (PC) but only dot1x packets can come to the switch until authenticated. So once your device has woken up, it must authenticate to 1x in order for the switch to move it to the proper vlan.

        As mentioned in my above post, I have been able to wake up PC that are moved to different vlan because of 1x using directed broadcast. The problem with the old 1E software was that it tried to send broadcast packets to the “last seen” network of a given PC. Our guy working with sms sent me the new 1E product update information but I have not given it much attention on how it is implemented.


        Comment by yvon — November 9, 2010 @ 10:41 am

RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Create a free website or blog at

%d bloggers like this: