COA to Change Endpoint VLAN when Posture status is Compliant, MacOS does not refresh IP.

Nate Zhang
Cisco Employee

Experts,

 

We would like to assign a different VLAN depending on whether the posture check results in Compliant or Non-compliant, as below.

 

Posture Compliant ---> AuthZ profile Vlan100 (10.1.1.0/24)

Posture Non-compliant or Posture Unknown ---> AuthZ profile Vlan200 (10.1.2.0/24)

 

On Windows (we are using NAM as the supplicant), everything seems to work fine and the call flow is:

Endpoint onboards -> Endpoint gets an IP in 10.1.2.0/24 (because the endpoint is Unknown before/during the posture check) -> Posture completes and confirms Compliant -> Endpoint refreshes to a new IP in 10.1.1.0/24

 

The issue is on macOS in the last step. macOS somehow never refreshes its IP address.

The question is: is this not something commonly used?

 

I have gone through some online articles and understand we could use a dACL or SGT to limit a non-compliant device's access to internal resources. I just want to confirm whether this depends on endpoint behavior or is something we should change on ISE or the WLC/switch.

Accepted Solution

Surendra
Cisco Employee
This behaviour depends on the end supplicant. Typically, when you change the VLAN on the fly, the supplicant will not be aware of the VLAN change and may never refresh the IP address. NAM has a periodic check to identify VLAN changes by pinging the default gateway or sending ARP requests, and if it recognizes a change in the VLAN, it signals the OS to change the IP address. If I were you, I would rather use dACLs and SGTs since they do not have any dependency on the supplicant. Also, try changing the AnyConnect Posture Profile value of "Ping or ARP" under IP Address Change to ARP and see if it helps.
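To make the dACL alternative concrete, here is an added illustration (not part of the original thread and not Cisco's own configuration) of how the two authorization profiles from the question could be expressed with downloadable ACLs instead of VLAN moves. Both profiles leave the endpoint in the same VLAN, so its IP never changes and the supplicant's VLAN-change detection is irrelevant. The ISE PSN address (10.1.1.10) and the remediation server address (10.1.1.20) are assumptions for the example; the subnets are the ones given in the question.

```text
! --- Before (VLAN-based, supplicant-dependent) ---
! AuthZ profile "Posture-Compliant":     VLAN 100 (10.1.1.0/24)
! AuthZ profile "Posture-NonCompliant":  VLAN 200 (10.1.2.0/24)
! A CoA that moves the session from VLAN 200 to VLAN 100 only works
! if the endpoint notices the change and renews its DHCP lease.

! --- After (dACL-based, supplicant-independent) ---
! Both AuthZ profiles keep the endpoint in VLAN 100 (10.1.1.0/24);
! only the dACL attached to the session changes on CoA.

! dACL "NonCompliant-dACL" (attached to "Posture-NonCompliant" and
! to the pre-posture "Posture-Unknown" result). Source is always "any":
! the switch substitutes the session's own IP when it installs the ACL.
remark DHCP so the endpoint can obtain/renew its lease
permit udp any eq bootpc any eq bootps
remark DNS
permit udp any any eq domain
remark ISE PSN for posture, redirect and CoA-triggered reauth (assumed address)
permit ip any host 10.1.1.10
remark Remediation server only (assumed address)
permit ip any host 10.1.1.20
remark Everything else in the internal range is blocked
deny ip any 10.0.0.0 0.255.255.255
deny ip any any

! dACL "Compliant-dACL" (attached to "Posture-Compliant")
permit ip any any
```

When ISE sends the CoA after the posture result changes, the switch or WLC replaces NonCompliant-dACL with Compliant-dACL on the existing session; nothing on the endpoint has to react, which is exactly the dependency the accepted answer recommends removing. The same split applies to SGTs: assign a "Quarantine" tag to the non-compliant result and an "Employee" tag to the compliant one, and enforce the difference with SGACLs on the network side.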
