
Vlan Change Detection

ryanbess
Level 1

Hello,

As part of our endpoints getting full access, they first go into limited-network VLANs. Only once posture is passed do we move them into a VLAN with full network access. Computers have been doing this with no problem for some time. Yesterday we just happened to notice that client computers could not ping their gateways because of some SGT matrix config that we did not know was there. This got us thinking about how our Windows clients have been able to move between VLANs. Below are our configs. Can anyone shed some light on how Windows has been working?

[screenshot: ryanbess_0-1751544708948.png]

6 Replies

The PC cannot auto-assign a VLAN.

The switch, manually or via AAA, can assign the VLAN.

So did you check whether the authentication session correctly assigns the VLAN to the port?

MHM

Step 1: Computer plugs in; it gets authenticated and authorized.

Step 2: ISE tells the switch to put the computer on the restricted VLAN.

Step 3: User signs in and passes posture.

Step 4: ISE tells the switch to change the VLAN.

Step 5: This will require the client to know that the VLAN changed so it can get a new DHCP address.

The question is, with the current configs (see the previous screenshot), how is step 5 working?

CoA has two ways to be configured:

1- ISE asks the switch to only re-auth the endpoint.

Here the VLAN will not change and the PC has no need to ask for an IP again.

2- ISE tells the switch to bounce the interface; here the endpoint will see the port go down and up and will ask for a new IP via DHCP.

So it depends on how you configure CoA.

MHM

@ryanbess you have "Enable IP refresh" enabled, so ISE sends DHCP release and renew values to the agent, and the agent does an IP refresh to retrieve the latest IP address.

Why overcomplicate the design and place the devices in a different VLAN to begin with if using TrustSec SGTs? With TrustSec, initially just assign an SGT "Unknown Compliance" with an SGACL that limits access; once compliance status is determined, send a CoA and apply a different SGT, which would subsequently match a different SGACL, all within the same VLAN. That's one of the benefits of using TrustSec.

 

We have reasons, but I hear you. An example is that we want our endpoints to be able to communicate to defined URLs when in a non-postured state. Yes, you could say "well, just propagate SGTs to your firewall." Tried it, and our firewall vendor has an issue with SGTs changing state. For these reasons (and others) we needed to use dedicated networks so we can permit and deny URLs on our firewalls. Really wish SGACLs/DACLs could be URL-based. Yes, you could say "well, just feed the SGACL/DACL a list of those IPs." A lot of the things we're trying to talk to are cloud-based with short-lived IPs. We're also trying to get out of the SGACL/DACL business and use our firewalls to do most of the controlling.

@Rob Ingram can you walk me through the steps? Our switches have no native VLAN.

1. Today our clients plug in, and only once authenticated/authorized will ISE tell the switch what VLAN the endpoint should go on. Only then will the client be able to get a DHCP-issued address.

2. User logs in, which triggers a posture check. Are you saying that when the posture check is run and the endpoint is found to be compliant, ISE will let the AnyConnect client know that it needs to do a DHCP release/renew?

In addition to what @Rob Ingram suggested, please keep in mind that when the client is doing dot1x and its VLAN changes, that will trigger the dot1x supplicant to go through the authentication process again. However, this will not be the case with MAB devices, as they will be totally unaware of the VLAN change and as a result will be isolated from the network, since they will be sitting in a VLAN that doesn't match their IP addressing details. This is why VLAN change is not recommended with MAB.
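As an added example (not from any poster in this thread), the following PowerShell check detects the stale-lease condition the replies describe after a VLAN change: the client still holds a DHCP address whose subnet no longer contains its default gateway, so it is isolated until it renews. The adapter name 'Ethernet' is an assumption; adjust it to the interface doing dot1x.

```powershell
# Added example, not from the thread. Detects whether this Windows client's IPv4 DHCP
# lease is still on the same subnet as its default gateway (false means the lease was
# obtained in the pre-posture VLAN and is now stale). Requires the NetTCPIP module
# shipped with Windows 8 / Server 2012 and later.
function Test-LeaseMatchesGateway {
    param([string]$InterfaceAlias = 'Ethernet')  # assumed adapter name

    # The DHCP-assigned IPv4 address on the interface (PrefixOrigin 'Dhcp')
    $ip = Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
          Where-Object { $_.PrefixOrigin -eq 'Dhcp' } | Select-Object -First 1
    # The IPv4 default route and its next hop (the gateway)
    $gw = Get-NetRoute -InterfaceAlias $InterfaceAlias -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
          Select-Object -First 1
    if (-not $ip -or -not $gw) { return $false }

    # Build the subnet mask from the lease's prefix length, e.g. /24 -> 0xFFFFFF00
    $mask = [uint32](([uint64]0xFFFFFFFF -shl (32 - $ip.PrefixLength)) -band 0xFFFFFFFF)
    # Convert dotted-quad strings to host-order 32-bit integers for masking
    $toInt = { param($a) [BitConverter]::ToUInt32(([IPAddress]$a).GetAddressBytes()[3..0], 0) }

    # Same network portion means the gateway is reachable from this lease
    return ((& $toInt $ip.IPAddress) -band $mask) -eq ((& $toInt $gw.NextHop) -band $mask)
}

if (-not (Test-LeaseMatchesGateway)) {
    # Stale lease: perform the release/renew that the agent's IP refresh would normally trigger
    ipconfig /release | Out-Null
    ipconfig /renew   | Out-Null
}
```

Running this from a logon or scheduled task on a MAB-only Windows host gives the VLAN-change recovery the thread says MAB devices otherwise lack.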