https://community.cisco.com/t5/network-access-control/wired-802-1x-and-restricting-vlan-assignment/m-p/3083439#M25971 <P>Thanks Marvin,</P> <P></P> <P>That's what it looks like to me too, so I'm just going to have to remove CoA and say "basic auth only</P> <P></P> <P>Thanks for your feedback</P> <P></P> <P>Cheers,</P> <P>john</P> Thu, 22 Jun 2017 20:49:28 GMT johncaston_2 2017-06-22T20:49:28Z https://community.cisco.com/t5/network-access-control/wired-802-1x-and-restricting-vlan-assignment/m-p/3083437#M25961 <P>We have an unusual situation whereby we are supplying LAN as a managed service but will allow clients to control port security via 802.1X</P> <P></P> <P>Although I can get this working fine, we're concerned that there's nothing stopping the client changing the port to our management VLAN - unless we disable CoA completely.</P> <P></P> <P>Ideally what I'd like to do is just have something to prevent them from selecting VLAN 100.</P> <P>I've done some research but haven't been able to find a simple method to do this other than applying an L3 ACL somewhere else on the network</P> <P></P> <P>Switch type that we're using is the 2960X</P> <P></P> <P>Any thoughts?</P> <P></P> <P>Cheers,</P> <P>John</P> Mon, 11 Mar 2019 07:48:09 GMT https://community.cisco.com/t5/network-access-control/wired-802-1x-and-restricting-vlan-assignment/m-p/3083437#M25961 johncaston_2 2019-03-11T07:48:09Z https://community.cisco.com/t5/network-access-control/wired-802-1x-and-restricting-vlan-assignment/m-p/3083438#M25962 <P>AFAIK you cannot restrict CoA that way.</P> <P>Once you allow the RADIUS server to initiate changes it has complete control (within the scope of what A-V pairs are supported of course).</P> Wed, 21 Jun 2017 02:59:48 GMT https://community.cisco.com/t5/network-access-control/wired-802-1x-and-restricting-vlan-assignment/m-p/3083438#M25962 Marvin Rhoads 2017-06-21T02:59:48Z https://community.cisco.com/t5/network-access-control/wired-802-1x-and-restricting-vlan-assignment/m-p/3083439#M25971 <P>Thanks Marvin,</P> <P></P> <P>That's what it looks like to me too, so I'm just going to have to remove CoA and say "basic auth only</P> <P></P> <P>Thanks for your feedback</P> <P></P> <P>Cheers,</P> <P>john</P> Thu, 22 Jun 2017 20:49:28 GMT https://community.cisco.com/t5/network-access-control/wired-802-1x-and-restricting-vlan-assignment/m-p/3083439#M25971 johncaston_2 2017-06-22T20:49:28Z