athan1234
Beginner

Dynamic VLAN - Behavior

Hi there

I was reading about dynamic VLAN on ISE. I am confused about its behavior.

I have 4 AD groups on ISE mapped by dynamic VLAN. Sometimes some users find it difficult to join the network, but not always. I read that dynamic VLAN is not highly recommended because it is mandatory to configure a default VLAN. When the GPO pushes the ISE, it breaks the protocol (I can't understand this part). Also, could there be a problem with DHCP? I guess it will be for DHCP: it has a lease and it tries to get an IP on the default VLAN, although ... I read an article days ago which said the supplicant (endpoint) with Windows Service Pack 2 is very smart; if there is any change on the network around 802.1X, it always assigns the same IP.


On my switch, all of those ports have the same VLAN, named "external". If an external user connects to any of these ports, he gets the external connection when these users do not have any certificates. For this reason, they will go into the policy for external users. The rest of the domain users, depending on their AD group, will obtain their VLAN.

My questions are:

Is there any solution to avoid this? It almost never happens, but when it does, the user is angry.

 

Accepted Solutions
Mike.Cifelli
VIP Advisor

"When the GPO pushes the ISE, it breaks the protocol (I can't understand this part)."

Not following what you mean here. Take a look here:

ISE Secure Wired Access Prescriptive Deployment Guide - Cisco Community

Specifically at the 'Dynamic VLAN Assignment' section. HTH!

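For readers who follow the pointer above to the guide's Dynamic VLAN Assignment section: the mechanism is three RFC 2868 RADIUS attributes in the Access-Accept (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = the VLAN ID or name), which the switch turns into a port VLAN change. The following Python is an added example for this thread, not code from the Cisco guide, from ISE or from any poster; the attribute bytes it works on are constructed, not captured from a real switch or ISE node.

```python
"""Encode and decode the RADIUS tunnel attributes behind dynamic VLAN assignment.

Added example for this thread (not Cisco or ISE code). All attribute bytes
below are constructed in memory, not captured from a live Access-Accept.
"""
import struct

TUNNEL_TYPE = 64              # RFC 2868 attribute numbers
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
SESSION_TIMEOUT = 27          # RFC 2865; included only to show it is skipped

TUNNEL_TYPE_VLAN = 13         # RFC 3580: Tunnel-Type value meaning "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6    # RFC 2868: Tunnel-Medium-Type for 802 media


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS TLV: one-byte type, one-byte length (header included), value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_tagged_int(attr_type: int, tag: int, value: int) -> bytes:
    """Tagged integer (RFC 2868): one tag octet, then a 3-octet integer."""
    return encode_attr(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def encode_tagged_string(attr_type: int, tag: int, value: str) -> bytes:
    """Tagged string (RFC 2868): one tag octet, then the string itself."""
    return encode_attr(attr_type, bytes([tag]) + value.encode("ascii"))


def build_vlan_attrs(vlan: str, tag: int = 1) -> bytes:
    """The attribute triple an authorization profile returns for a VLAN.

    `vlan` may be a VLAN ID ("120") or a VLAN name the switch can resolve.
    """
    return (
        encode_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
        + encode_tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
        + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, vlan)
    )


def parse_attrs(blob: bytes):
    """Yield (type, value) pairs, refusing malformed lengths instead of guessing."""
    pos = 0
    while pos < len(blob):
        if len(blob) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = blob[pos], blob[pos + 1]
        if length < 2 or pos + length > len(blob):
            raise ValueError(f"bad length {length} for attribute {attr_type}")
        yield attr_type, blob[pos + 2:pos + length]
        pos += length


def vlan_from_attrs(blob: bytes):
    """Return the VLAN string if a consistent triple is present, else None.

    Attributes are grouped by tag, so a Tunnel-Type for one tunnel and a
    Tunnel-Private-Group-ID for another are not combined into a VLAN.
    """
    by_tag = {}
    for attr_type, value in parse_attrs(blob):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError(f"attribute {attr_type} must be 4 octets")
            tag, payload = value[0], int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868 s.3.6: a first octet above 0x1F is data, not a tag.
            if value and value[0] <= 0x1F:
                tag, payload = value[0], value[1:].decode("ascii")
            else:
                tag, payload = 0, value.decode("ascii")
        else:
            continue  # Class, Session-Timeout, etc. are not part of the VLAN set
        by_tag.setdefault(tag, {})[attr_type] = payload
    for entry in by_tag.values():
        if (entry.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and entry.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in entry):
            return entry[TUNNEL_PRIVATE_GROUP_ID]
    return None


if __name__ == "__main__":
    accept = encode_attr(SESSION_TIMEOUT, (3600).to_bytes(4, "big")) + build_vlan_attrs("120")
    print(accept.hex())
    print("assigned VLAN:", vlan_from_attrs(accept))
```

The decoder is deliberately stricter than a switch: it requires all three attributes, a VLAN Tunnel-Type and an 802 medium under the same tag, and rejects truncated TLVs. That makes it useful for checking what an authorization profile actually emits (for instance, in a packet capture between the switch and ISE) when a port lands in the wrong VLAN.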

Arne Bier
VIP Advisor

I try to stay away from Dynamic VLAN assignment on wired LAN because the end devices don't handle it well. Once the Ethernet link is up, and then you switch the VLAN on the switch port, the client can't know that you have done this. So how can it tell its IP stack to ask for a new DHCP lease?

Windows has a solution for this when using the Wired 802.1X supplicant - there is a small checkbox in the supplicant config to make the supplicant "VLAN switching aware" - it's an extra DHCP "reset" that happens in that case to sort out the IP stack.

You find it under the Windows Wired supplicant Advanced Settings, under "Enable single sign on for this network", and then tick the box "This network uses separate LANs for machine and user authentication".

 

I have used this with a customer who was doing 802.1X EAP-PEAP user authentication - each user was potentially put on a different VLAN depending on their AD Group. When the user logs off, Computer authentication happens, and that also puts the PC into a default data VLAN (for group policy config purposes etc.) - again, a dynamic VLAN switch would trigger a DHCP reset because the supplicant was configured to do so.

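The checkbox described in the answer above is stored in the wired profile XML as the `userBasedVirtualLan` element inside `singleSignOn` in the OneX section, so it can be audited across a fleet without clicking through the GUI. The Python below is an added example (not from this thread, from Microsoft or from Cisco). Its sample profile is constructed in the shape that `netsh lan export profile folder=<dir>` writes, trimmed of the `EAPConfig` block and profile name; only the fields the audit reads are present.

```python
"""Audit an exported Windows wired 802.1X profile for VLAN-switch awareness.

Added example (not code from the thread, Microsoft or Cisco). The profile is
a constructed sample in the shape `netsh lan export profile` writes; a real
export also carries the <EAPConfig> block and the interface/profile name.
"""
import xml.etree.ElementTree as ET

NS = {
    "lan": "http://www.microsoft.com/networking/LAN/profile/v1",
    "onex": "http://www.microsoft.com/networking/OneX/v1",
}


def sample_profile(vlan_aware: bool, auth_mode: str = "machineOrUser") -> str:
    """Constructed wired profile; `vlan_aware` drives <userBasedVirtualLan>."""
    flag = "true" if vlan_aware else "false"
    return f"""<?xml version="1.0"?>
<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1">
  <MSM>
    <security>
      <OneXEnforced>false</OneXEnforced>
      <OneXEnabled>true</OneXEnabled>
      <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
        <authMode>{auth_mode}</authMode>
        <singleSignOn>
          <type>preLogon</type>
          <maxDelay>10</maxDelay>
          <allowAdditionalDialogs>false</allowAdditionalDialogs>
          <userBasedVirtualLan>{flag}</userBasedVirtualLan>
        </singleSignOn>
      </OneX>
    </security>
  </MSM>
</LANProfile>
"""


def _is_true(elem) -> bool:
    return elem is not None and (elem.text or "").strip().lower() == "true"


def audit_profile(xml_text: str) -> dict:
    """Report whether the supplicant will renew DHCP after a VLAN change.

    A finding is raised only for machineOrUser profiles: machineOnly and
    userOnly authenticate once per link-up, so there is no VLAN switch at
    logon/logoff for the IP stack to miss.
    """
    root = ET.fromstring(xml_text)
    sec = root.find("lan:MSM/lan:security", NS)
    if sec is None:
        raise ValueError("not a LANProfile with an MSM/security section")
    report = {
        "onex_enabled": _is_true(sec.find("lan:OneXEnabled", NS)),
        "auth_mode": None,
        "sso_configured": False,
        "vlan_switch_aware": False,
        "findings": [],
    }
    onex = sec.find("onex:OneX", NS)
    if not report["onex_enabled"] or onex is None:
        report["findings"].append("802.1X is not enabled on this wired profile")
        return report
    mode = onex.find("onex:authMode", NS)
    report["auth_mode"] = (mode.text or "").strip() if mode is not None else None
    sso = onex.find("onex:singleSignOn", NS)
    report["sso_configured"] = sso is not None
    if sso is not None:
        report["vlan_switch_aware"] = _is_true(sso.find("onex:userBasedVirtualLan", NS))
    if report["auth_mode"] == "machineOrUser" and not report["vlan_switch_aware"]:
        report["findings"].append(
            "machineOrUser authentication without userBasedVirtualLan: the IP "
            "stack keeps its machine-VLAN lease after the user-VLAN switch")
    return report


if __name__ == "__main__":
    for aware in (True, False):
        print(audit_profile(sample_profile(aware)))
```

On a real machine, export the profiles with `netsh lan export profile folder=C:\profiles` (the Wired AutoConfig service, dot3svc, must be running for `netsh lan` commands to work), then feed each file's contents to `audit_profile`. A `findings` entry on a `machineOrUser` profile is exactly the situation the question describes: the port moves VLAN at logon, but the PC keeps the address it got on the default VLAN.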

Replies
Hello @Arne Bier, and thank you for your response. It's a huge help.

I'd like to ask you a question about it.
Imagine the user must change his or her password, or leave the domain and re-join it.
He'll need to connect to the default VLAN in order to reach AD. Will these checks make it more difficult for the user to obtain the default VLAN on the switch in order to reach AD?

Best

I would say that whichever VLAN is used for users and Computers (boot up) should have IP reachability to the AD domain controllers. Not sure why one would not have that. I have not tested it, but I am fairly sure that if a user has logged on successfully and then resets their domain password with Ctrl-Alt-Del, there is no network event. This means the user stays on the same VLAN. A VLAN change can only happen during logon and logoff.

Yes, you are right. Thanks for everything.

I've always been curious to know the meaning of the "Enable single sign on for this network" option on the Windows supplicant and never found an exhaustive explanation. Do you know the impact of this option on the authentication process?

I have also been curious about this and I have never lab'd it up enough to know what happens under the covers. I spent hours searching Microsoft documents on this and I never got the feeling that any of it made sense.

But the VLAN switch works as advertised.
