The Moose and Squirrel Files

August 31, 2008

802.1x and Wake on LAN

Filed under: Network — Tags: , — networknerd @ 4:04 pm

The 802.1x standard makes allowances for WOL by allowing port control to be uni-directional or bidirectional.

The real problem occurs when you configure cisco switches to use auth fail vlans, and guest vlans. These are designed for computers that fail authentication, or don’t have a supplicant respectively. The interface commands would be something like this.

switchport access vlan 900

switchport mode access

dot1x pae authenticator

dot1x port-control auto

dot1x control-direction in

dot1x guest-vlan 999

dot1x auth-fail vlan 999

Now when a port has this type of config and the computer is turned off there is a very brief link state transition which causes the port to become unauthenticated. The switch will attempt to start authentication a number of times before timing out and placing the port into the auth fail/guest vlan.

Now most management software like SMS keeps an inventory of the PC’s mac address and last known ip address.  The WOL magic packets are sent to the broadcast address of the network where the PC was last known.  All good except that the network card is now listening in the auth fail/guest vlan.  The WOL packets will never reach the intended destination.

I wish that I could say I had a brilliant solution, but unfortunately I only have a workaround that depends entirely on what wakeup product you have.

The workaround is to follow/tail the logs generated by your management software’s wakeup package and extract the mac address and the IP address.  By performing a little math/scripting manipulation you can then execute a separate WOL destined for the mac address and the authfail/guest network.

I use MC-WOL, but any wake-on-lan utility will do. Obviously every network will be different, and the math you use to perform the broadcast IP address transform depends on your network structure.  If the subnetting is consistent it will be simple.  If not then it may pay to pre-fill a dictionary/hash and perform a lookup.

For SMS-Wakeup (an addon from 1E for M$’s SMS) the log files look like

9/5/2007 14:01:36: send_magicpkt (03) for broadcast on [00:40:CA:69:34:EE]

and we can use a simple vbscript filter to read the tailed output from the logfile and do the transform.  I used the code below  with the tail utility in the windows resource kit for my proof of concept. Whatever you do make sure to check behaviour of your code when the log file rolls over.  NetIQ security manager has the ability to tail text logs, parse them and execute programs in response to an event.  It also handles log rollovers gracefully. In my case using NetIQ was a no-brainer, but it really shouldn’t be that difficult to customise code to suit your environment.

option explicit
Const IP_PARAM = 5
Const MAC_PARAM = 9
dim strLine,strArray,item,ip_addr,octets,strMAC,WshShell
Set WshShell = WScript.CreateObject("WScript.Shell")
Do While Not wscript.StdIn.AtEndOfStream
  strLine = wscript.stdin.readline
  if (instr(1,strLine,"send_magicpkt")> 0) then
    strArray = split(strLine)
    octets = split(strArray(IP_PARAM),".")
    octets(2) = octets(2) + 3 'perform the IP address transform to get the guest network
    octets(3) = 127               'broadcast address
    ip_addr = join(octets,".")
  end if
  strMAC = mid(strArray(MAC_PARAM),2,17) 'remove leading '[' and trailing ']' "mc-wol "  & strMAC & " /a " & ip_addr

Create a free website or blog at