RADIUS CoA Port Bounce query

andrewswanson
Level 7

Hello

I have a question relating to RADIUS CoA Port Bounce.

I'm planning to deploy 802.1x with ISE 1.3 to:

  • 802.1x authenticate corporate desktop PCs (with the AnyConnect client installed for user and machine authentication) - on successful machine authentication, ISE will dynamically assign a VLAN
  • Profile Cisco IP phones

In order for an authenticated corporate desktop to pick up an IP address on its dynamically assigned VLAN, I was thinking of using CoA Port Bounce. If this desktop was connecting through a successfully profiled Cisco IP phone, am I right in saying that the resulting Port Bounce will also affect the phone (the phone will de-register from CallManager)?

Thanks
Andy

Accepted Solution

nspasov
Cisco Employee

Hi Andy, if you are using PoE then with a port-bounce the phone would definitely drop from the network and Call Manager. The phone would basically power down and then power back up.

Now with that being said, you should keep in mind that a port-bounce would remove the existing dot1x session and a new session would be initialized. Thus, the endpoint would end up starting at the original VLAN again and then getting the new VLAN after authorization :) So I guess what I am trying to say is that port-bounce is not the solution for this. Instead, you should consider:

1. Using dACLs instead of dynamic VLANs. That way you can have everyone in the same VLAN but use different dACLs to define network access.

2. Continue to use dynamic VLANs, but keep in mind that some "dumb" devices won't detect the VLAN change, thus not grabbing a new IP address. The good news is that most modern devices will detect the VLAN change and should grab a new IP. For instance, you should not have any issues with Windows 7 and newer devices.

My recommendation is to go with option #1 though as that has always worked for me. 

I hope this helps!

Thank you for rating helpful posts!
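As an added example (not part of the original thread, and not ISE or Cisco IOS code), the following Python builds the RFC 5176 CoA-Request that a RADIUS server sends a Cisco switch to trigger the port bounce discussed above, carrying the Cisco AVPair `subscriber:command=bounce-host-port`, and shows the switch-side checks and the CoA-ACK/NAK that come back. The shared secret, NAS address and endpoint MAC are constructed values; the attribute numbers and authenticator formulas are from RFC 2865 and RFC 5176, and the Cisco vendor id and AVPair type are the standard ones.

```python
"""Constructed example: RADIUS Change-of-Authorization (RFC 5176) for a Cisco port bounce.

Shows both sides of the exchange: the server building a CoA-Request and checking the
reply, the NAS (switch) validating the request and answering with CoA-ACK or CoA-NAK.
"""
import hashlib
import hmac
import struct

# RFC 5176 packet codes
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
# Attribute types (RFC 2865 / RFC 5176)
ATTR_NAS_IP_ADDRESS = 4
ATTR_VENDOR_SPECIFIC = 26
ATTR_CALLING_STATION_ID = 31
ATTR_ERROR_CAUSE = 101
CISCO_VENDOR_ID = 9     # IANA enterprise number for Cisco
CISCO_AVPAIR = 1        # vendor-type of Cisco-AVPair inside the VSA
HEADER_LEN = 20         # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type / Length / Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long for a single AVP")
    return struct.pack("!BB", atype, len(value) + 2) + value


def cisco_avpair(text: str) -> bytes:
    """Wrap a Cisco-AVPair string in a Vendor-Specific attribute (vendor id 9, type 1)."""
    raw = text.encode()
    inner = struct.pack("!BB", CISCO_AVPAIR, len(raw) + 2) + raw
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def parse_attrs(payload: bytes) -> list:
    """Split the attribute section of a packet into (type, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("malformed attribute length")
        out.append((atype, payload[i + 2:i + alen]))
        i += alen
    return out


def build_coa_request(identifier: int, secret: bytes, nas_ip: str, mac: str,
                      command: str = "bounce-host-port") -> bytes:
    """Server side: ask the switch at nas_ip to bounce the port holding the session for `mac`."""
    attrs = attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    attrs += attr(ATTR_CALLING_STATION_ID, mac.encode())
    attrs += cisco_avpair(f"subscriber:command={command}")
    header = struct.pack("!BBH", COA_REQUEST, identifier, HEADER_LEN + len(attrs))
    # RFC 5176 2.3: Request Authenticator = MD5(Code+ID+Length + 16 zero octets + Attributes + Secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_coa_request(packet: bytes, secret: bytes) -> bool:
    """NAS side: accept a CoA-Request only if its authenticator was computed with our secret."""
    if len(packet) < HEADER_LEN or packet[0] != COA_REQUEST:
        return False
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


def build_coa_response(request: bytes, code: int, secret: bytes, attrs: bytes = b"") -> bytes:
    """NAS side: answer a CoA-Request with CoA-ACK (44) or CoA-NAK (45), same Identifier."""
    header = struct.pack("!BBH", code, request[1], HEADER_LEN + len(attrs))
    # Response Authenticator = MD5(Code+ID+Length + RequestAuthenticator + Attributes + Secret)
    authenticator = hashlib.md5(header + request[4:HEADER_LEN] + attrs + secret).digest()
    return header + authenticator + attrs


def verify_coa_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Server side: bind the reply to our request (Identifier + Request Authenticator) and check it."""
    if len(response) < HEADER_LEN or response[0] not in (COA_ACK, COA_NAK):
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response) or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:HEADER_LEN] + response[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, response[4:HEADER_LEN])


def demo() -> tuple:
    """Full exchange: bounce request, then a NAK because the switch holds no session for that MAC."""
    secret = b"constructed-shared-secret"                     # constructed value
    req = build_coa_request(7, secret, "10.0.0.2", "00-11-22-33-44-55")
    if not verify_coa_request(req, secret):
        raise RuntimeError("switch rejected request")
    # Error-Cause 503 = Session Context Not Found (RFC 5176 3.5)
    nak = build_coa_response(req, COA_NAK, secret, attr(ATTR_ERROR_CAUSE, struct.pack("!I", 503)))
    return verify_coa_response(nak, req, secret), nak[0]


if __name__ == "__main__":
    print(demo())
```

The only integrity protection on a CoA-Request is the MD5 authenticator keyed with the shared secret, so anyone who can reach the switch's CoA listener (UDP/1700 by default on Cisco IOS; RFC 5176 specifies 3799) and knows the secret can bounce or disable any port. In practice that means a strong per-NAS secret and a tight `aaa server radius dynamic-author` client list on the switch, so only ISE's addresses are accepted.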

3 Replies


Hi Neno. Thanks for the reply. Option 1 with dACLs was my initial thought for this, but the size of the dACLs may cause issues with TCAM utilization - the deployment will be on Instant Access with around 1000 clients. I'll test both dACLs and dynamic VLAN assignment and see what best suits, but at least I can also rule out CoA for this.

Thanks again

Andy

Try keeping the dACLs small by using more generic statements. Also, if you need a very complex segregation then you could perhaps look into TrustSec/SGA/SGT.
