IP change while changing authorization profile

REJR77
Level 1

Hi community,

I know that when doing 802.1X on a "traditional network" it is not a good idea to change the IP address (VLAN) of the user between the machine authentication and the user authentication, otherwise the IP stack of the PC may not run a new DHCP request on the new VLAN.

 

Do you know if, in an SD-Access network with DNAC and ISE, it is possible to assign an Authorization profile for the Machine (let's say an SGT_A and an IP PoolA) and, when the user authenticates, assign another SGT_B with another IP PoolB?

I heard about that but really don't know if it is possible and reliable.

 

thanks

Accepted Solutions

jedolphi
Cisco Employee

Hi RD77. Change of access VLAN can sometimes create a wired client-side problem. Specifically, when the access VLAN changes, the client might not re-IP itself and therefore be cut off from the network. Cisco SD-Access cannot solve a client-side limitation. The only way to know if change of access VLAN works properly in a customer environment is to test it with their specific clients. For change of SGT, that should be fine since it does not change the IP address of the client. Cheers, Jerome
