03-06-2017 09:52 AM
Hello, We are having an issue with windows clients after they get a change of authorization (COA) during the login process. As near as I can tell, here is what is happening:
1. Client connects to the network and boots windows or takes it out of sleep mode.
2. The switch starts the 802.1x process and the client is issued an IP in the initial network, lets say vlan 100.
3. The client passes the 802.1x authentication and CPPM determines what VLAN the user should be in and sends the COA to the switch and changes the port to Vlan99..
a. At this point windows still has the original VLAN 100 IP address and does not recognize the vlan has changed. It sits in this state for about 45 seconds.
b. Windows finally recognizes it has not seen any activity from the DFG so it tries to send a renew which fails because it still has not recognized it is on a new vlan, at this point it gives itself a 169... address.
c. about 10 seconds after it gives up on the renew and goes to the 169 address it sends out a new DHCP request which the switch forwards to DHCP on vlan 99 and the user gets a good address and is good to go.
This whole process takes a minute and 20 seconds to complete and by that time users are reseting their machine or doing other actions to try and "fix" it that causes them more issues. So, my question is what can we do to make windows recognize the port has been changed to a new vlan? Is there some setting we need to change in windows? Is there a post authentication radius command we need to send? I have already tried the bounce-port and re-auth radius commands and that does not seem to have any positive effect.
03-06-2017 10:14 AM
All switch ports are set to a default vlan that only has access to what a user needs to establish who they are, once we determine who they are we switch them to their vlan. I.E HR has their own vlan, legal has their own vlan, security has an elevated access vlan, there is a general use vlan and several special use vlans for authorized users that need special access.