How do I get dynamic vlan switching with 802.1x working with Microsoft?

kevoconn (Level 1)

Why is dynamic VLAN switching with 802.1X authentication not supported in this scenario?

The 802.1X authentication process and the Winlogon process are two distinct processes that are not interrelated. Both these processes occur regardless of the state of the other. In dynamic VLANs, the client computer is given a valid IP address when the computer starts. When the user logs on to the computer, the 802.1X authentication process and the Winlogon process occur at the same time. First, the network connection is reauthenticated by using the user credentials. If the authentication is successful, the dynamic VLAN switch or the access point moves the client computer to a new VLAN. However, exactly at the same time, the Winlogon process is validating a domain controller. Additionally, the Winlogon process tries to obtain GPOs, logon scripts, and roaming profiles from the domain controller. When VLANs are switched, the Winlogon process is interrupted, and the process does not restart.

https://support.microsoft.com/en-us/kb/2826201

Accepted Solution

Cory Peterson (Level 5)

Using dynamic VLANs with the native Windows client is not recommended, as the Microsoft client does not play well with VLAN switching. The native client never senses that the VLAN changes and therefore never requests a new IP address, unless you run a release/renew manually.

It is recommended to use dACLs to segregate traffic when using the native Windows client. Your other option is to use the Cisco AnyConnect NAM client, as this will initiate a release and renew of the IP address when the VLAN change (CoA) happens.

There are some options to turn on a web applet when using the portals, but I have run into many issues with this Java applet not working or locking up while trying to run. For this reason I would recommend against it.

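The accepted answer notes that the native Windows supplicant only picks up the new VLAN's subnet if someone runs a release/renew by hand. The script below is an added example, not code from the thread or from Cisco or Microsoft: it automates that manual workaround by registering a SYSTEM scheduled task that renews the DHCP lease whenever the wired 802.1X supplicant logs an authentication success. The log channel name and event ID 15500 ("Wired 802.1X Authentication succeeded") are assumptions to verify on your own build, which is why the script lists recent events before registering the task. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original thread): automate the manual
# "ipconfig /release; ipconfig /renew" workaround for the native Windows
# 802.1X supplicant by running it every time wired authentication succeeds.
# ASSUMPTIONS (check them on your build before relying on this):
#   - channel 'Microsoft-Windows-Wired-AutoConfig/Operational' exists
#   - event ID 15500 in that channel is "Wired 802.1X Authentication succeeded"

$Channel  = 'Microsoft-Windows-Wired-AutoConfig/Operational'
$EventId  = 15500                      # assumed "authentication succeeded" ID
$TaskName = 'Dot1x-RenewLease'         # hypothetical task name

# 1. The operational channel is disabled by default; enable it, otherwise
#    the event never gets written and the trigger never fires.
wevtutil.exe set-log $Channel /enabled:true

# 2. Confirm the event ID on this machine: authenticate once, then inspect
#    the most recent successes and read the message text.
Get-WinEvent -FilterHashtable @{ LogName = $Channel; Id = $EventId } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List

# 3. Register a task that runs as SYSTEM on that event and renews the lease.
#    Using powershell.exe as the action avoids nested quoting in /TR; the
#    semicolon runs the release and the renew in sequence inside the task.
$Action = 'powershell.exe -NoProfile -Command ipconfig /release; ipconfig /renew'
schtasks.exe /Create /F /TN $TaskName /RU SYSTEM `
    /SC ONEVENT /EC $Channel /MO "*[System[EventID=$EventId]]" `
    /TR $Action

# 4. Verify the task was created; /Run can be used to test the action
#    on demand without waiting for a reauthentication.
schtasks.exe /Query /TN $TaskName /V /FO LIST
```

Two caveats before deploying this. It only addresses the stale address: the Microsoft KB quoted in the question describes Winlogon being interrupted by the VLAN move, and a renewed lease after the fact does not re-run the GPO, logon script or roaming profile retrieval that was cut off. It also fires on every successful authentication, including periodic reauthentications where the VLAN did not change, so each one costs a brief connectivity drop; if that is unacceptable, the dACL approach from the accepted answer avoids the address change altogether.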
