topic Dynamic vlan - Behavor in Network Access Control

Dynamic vlan - Behavor

athan1234 — Fri, 08 Apr 2022 11:02:29 GMT

Hi there

I was reading about dynamic vlan on ISE. I am confused about the behavior of it

I have on ISe 4 groups/AD by dynamic vlan. Sometimes some users find it difficult to join to the network but not always, . I was read that dynamic vlan is not highly recommended because it is mandated to configure a default vlan. When the GPO pushes the ISE, it breaks the protocol ( can't understand this part). As well could there be a problem with the DHCP , I guess it will be for the DHCP it has a lease and it tries to get the IP VLAN by default, although . I read days ago a articule it siad the supplicant" endpoint" with Windows Servipack 2 is very smart no there is any change on the network arround 8021.x, it always assigns the same IP.

In my switch All of those ports have the same vlan name "external" . If an external user is connected each ports, he will gets the external connection when these users do not have any certificates. For this reason, they will go into policy for external Users. The rest user of the domain deppending AD group will obtein theirs vlan

My questions are:

Is there any solution to avoid this? It almost never happens, but when it does, the user is angry.

Re: Dynamic vlan - Behavor

Mike.Cifelli — Fri, 08 Apr 2022 11:24:03 GMT

When the GPO pushes the ISE, it breaks the protocol ( can't understand this part).

-Not following what you mean here. Take a look here:

ISE Secure Wired Access Prescriptive Deployment Guide - Cisco Community

Specifically at 'Dynamic VLAN Assignment' section. HTH!

Re: Dynamic vlan - Behavor

Arne Bier — Mon, 11 Apr 2022 05:00:00 GMT

I try o stay away from Dynamic VLAN assignment on wired LAN because the end devices don't handle it well. Once the Ethernet link is up, and then you switch the VLAN on the switch port, the client can't know that you have done this. So how can it tell its IP stack to ask for new DHCP?

Windows has a solution for this when using the Wired 802.1X supplicant - there is a small checkbox in the supplicant config to make the supplicant "VLAN switching aware" - it's an extra DHCP "reset" that happens in that case to sort out the IP stack.

You find it under the Windows Wired supplicant Advanced Settings, under the "Enable single sign on for this network" and then tick the box "This network uses separate LANs for machine and user authentication"

I have used this with a customer who was doing 802.1X EAP-PEAP user authentication - each user was potentially put on a different VLAN depending on their AD Group. When user logs off, then Computer authentication happens, and also that put the PC into a default data VLAN (for group policy config purposes etc.) - again, a dynamic VLAN switch would trigger a DHCP reset because the supplicant was configured to do so.

Re: Dynamic vlan - Behavor

athan1234 — Mon, 11 Apr 2022 07:41:47 GMT

Hello @Arne Bier , and thank you for your response.It's a huge help.

I'd like to ask you a question about it.
Imagine the user must change his or her password or exit the domain and re-enter it.
He'll need to connect to the default vlan in order to reach the AD . These checks will make it more difficult for the user to obtain the VLAN by default on the siwitch in order to reach AD?

Best

Re: Dynamic vlan - Behavor

Arne Bier — Mon, 11 Apr 2022 09:45:30 GMT

I would say that whichever VLAN is used for users and Computers (boot up) should have IP reachability to AD domain controllers. Not sure why one would not have that. I have not tested it but I am fairly sure that if a user has logged on successfully and then resets their domain password with ctrl-alt-del then there is no network event. This means user stays on same vlan. VLAN change can only happens during logon and logoff.

Re: Dynamic vlan - Behavor

athan1234 — Mon, 11 Apr 2022 11:06:27 GMT

Yes you are right . Thanks for everything

Re: Dynamic vlan - Behavor

Massimo Baschieri — Tue, 12 Apr 2022 04:29:26 GMT

I've always been curious to know the meaning of the "Enable single sign on for this network" option on windows supplicant and never found an exhausitve explanation, do you know the impact on the authentication process of this option?

Re: Dynamic vlan - Behavor

Arne Bier — Tue, 12 Apr 2022 05:17:44 GMT

I have also been curious about this and I have never lab'd it up enough to know what happens under the covers. I spent hours searching Microsoft documents on this and I never got the feeling that any of it made sense.

But the VLAN switch works as advertised.