10-31-2019 09:41 PM
I have a customer with the following requirements. Can someone help to see if I'm doing it right?
I would like to check if the below is the correct way to deploy. I've heard that MAB does not work with CoA.
• Client to disable the Windows Wired Autoconfig service (802.1x) so that the client will be subjected to MAB.
• Posture check using AnyConnect will kick in next. If posture passes, CoA will be done to change the VLAN to the production VLAN. If posture fails, CoA will be done to change the VLAN to the remediation VLAN.
11-04-2019 06:58 AM
The issue is not MAB, but actually just client functionality.
When you do a VLAN change, the client does not see a network change. The line never goes down, so the client never requests for another IP address.
I typically recommend people start on the VLAN they want to END with.
So, in your case, start on the production VLAN but use a port ACL that limits all access but DHCP, domain, and ISE.
If posture check is good, then send an ACL and open up access.
If posture check is bad, you can send them to another VLAN as "quarantine", but the client won't realize whether it has IP access or not.
Another way you can do it is to put a startup script on the computer that checks connectivity to a server for X amount of time. As soon as it loses that connectivity, force a DHCP refresh to get an IP on the remediation VLAN.
There is also something called the network transition delay timer, though I do not remember the ins and outs of it:
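The pre-posture port ACL approach from the answer above, written out as an added Cisco IOS example (this is not the poster's configuration): the port starts in the production VLAN with an inbound ACL that only allows DHCP, DNS, the domain controller and the ISE node, and ISE pushes a downloadable ACL that opens access once posture passes. The VLAN number, interface name and 10.0.0.x addresses are constructed placeholders.

```text
! Pre-posture port ACL: applied before ISE has returned a posture result.
! Addresses below are constructed placeholders, not real infrastructure.
ip access-list extended PRE-POSTURE
 remark DHCP, so the client keeps a lease on the production VLAN
 permit udp any eq bootpc any eq bootps
 remark DNS
 permit udp any any eq domain
 remark Domain controller (placeholder address)
 permit ip any host 10.0.0.10
 remark ISE policy node (placeholder address) for posture traffic
 permit ip any host 10.0.0.20
 deny ip any any
!
interface GigabitEthernet1/0/1
 description MAB endpoint, starts in the production VLAN (placeholder VLAN 100)
 switchport mode access
 switchport access vlan 100
 ip access-group PRE-POSTURE in
 authentication port-control auto
 mab
!
! ISE side (entered in the authorization profile, not on the switch):
!  - posture Compliant profile pushes a dACL of "permit ip any any"
!  - posture NonCompliant/Unknown profile pushes a dACL mirroring
!    PRE-POSTURE so the client stays restricted without a VLAN change
```

Because the endpoint never changes VLAN, the DHCP lease it already holds stays valid, which is the client-side problem the answer describes.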
11-01-2019 08:14 AM
MAB works with CoA. However, MAB doesn't work well with VLAN change after CoA. With MAB the endpoint is unaware of CoA and it will not renew its IP, which is the core of the problem. If using the AnyConnect Posture module, it does have a few options to address it, but as a best practice we don't recommend MAB with VLAN change.
I don't believe Posture works with pure MAB. You will need to tie MAB with either passive-ID (Easy Connect) or webauth to have real username for it to work.
11-04-2019 12:10 AM
We'll be using the AnyConnect Posture module. What are the few options that might work?
11-04-2019 05:04 PM
Thanks John! Your suggestion of using port ACL should work.