Strange 802.1x issue

Started by config t, November 03, 2021, 08:35:09 PM


Otanx

Quote from: config t on November 05, 2021, 08:55:16 PM
I saw today during dynamic VLAN assignment testing using CoA that while we can indeed push the VLAN change, the host will not grab the new IP unless the port is bounced first. Messy. What if there is a PoE device on the other side? The end user needs to wait until the phone reboots before they can re-auth and get back on the network? Admittedly I don't fully understand the CoA process yet.

Yep, changing VLANs is doable. Changing subnets does not always work. When we looked at it there was a third-party supplicant that could handle it, but I don't remember which. Basically it did an ipconfig /release and ipconfig /renew on the client. This is why we went with using ACLs instead. We do push a VLAN change upon auth, but the default VLAN has no DHCP. Then once authenticated the host gets moved to the prod VLAN, and an ACL gets applied to give them access.

-Otanx
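A small monitoring check for the symptom in the quoted post (a host that keeps its old address after a CoA VLAN change) and for the no-DHCP pre-auth VLAN design in the reply. This is an added example, not code from the thread; the VLAN numbers, subnets and MAC addresses are constructed, and the session records stand in for whatever your switch or NAC server exports.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional
import ipaddress

# Constructed VLAN-to-subnet map; the thread names no real VLANs.
# VLAN 10 models the pre-auth "default" VLAN with no DHCP scope,
# VLAN 20 the production VLAN a host is moved to after authentication.
VLAN_SUBNETS: Dict[int, Optional[ipaddress.IPv4Network]] = {
    10: None,
    20: ipaddress.ip_network("10.20.0.0/24"),
    30: ipaddress.ip_network("10.30.0.0/24"),
}

@dataclass
class AuthSession:
    mac: str
    assigned_vlan: int          # VLAN pushed by RADIUS (Access-Accept or CoA)
    observed_ip: Optional[str]  # address the switch learned (DHCP/ARP snooping), if any

def classify(session: AuthSession) -> str:
    """Compare a session's learned address with the VLAN the NAC server assigned.

    'ok'               address fits the assigned VLAN's subnet
    'no-ip'            nothing learned yet (expected on the pre-auth VLAN)
    'stale-ip'         address is outside the assigned VLAN's subnet: the CoA
                       moved the port but the host never released/renewed
    'preauth-with-ip'  host on the no-DHCP pre-auth VLAN still holds an address
    'unknown-vlan'     assigned VLAN is not in the map
    """
    if session.assigned_vlan not in VLAN_SUBNETS:
        return "unknown-vlan"
    if session.observed_ip is None:
        return "no-ip"
    subnet = VLAN_SUBNETS[session.assigned_vlan]
    if subnet is None:
        return "preauth-with-ip"
    if ipaddress.ip_address(session.observed_ip) in subnet:
        return "ok"
    return "stale-ip"

def sessions_needing_attention(sessions: List[AuthSession]) -> List[str]:
    """MACs whose address disagrees with the assigned VLAN (port bounce or renew needed)."""
    return [s.mac for s in sessions if classify(s) in ("stale-ip", "preauth-with-ip")]

if __name__ == "__main__":
    sample = [  # constructed sessions
        AuthSession("00:11:22:33:44:01", 20, "10.20.0.15"),  # renewed correctly
        AuthSession("00:11:22:33:44:02", 20, "10.30.0.7"),   # moved 30->20 by CoA, kept old IP
        AuthSession("00:11:22:33:44:03", 10, None),          # still pre-auth, as expected
    ]
    for s in sample:
        print(s.mac, s.assigned_vlan, s.observed_ip, classify(s))
```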

deanwebb

Where 911 is required, we don't bounce ports. We just *don't*. That's where non-dot1x NAC comes into play.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.