I have a bit of a conundrum here.
I have turned on WIRED port security for a number of my users; more specifically, these are users who fall under PCI requirements, and they MUST be segmented into a separate network.
I created a ClearPass service that looks for an AD group, assigns a role, and then assigns a VLAN according to that role. That portion works without issue.
I then ran into issues with users' passwords expiring or changing, and then users not being able to log on to the computer: the password was either cached and would fail to authenticate, so they would not get an IP address, or it was just entirely wrong because it had been changed, and the log-on fails because, not having user-authenticated, they do not have an IP address to communicate with AD to update the password.
I created a machine-auth piece that verifies machine authentication and assigns a network that has access to AD, so the machine can communicate with AD, update passwords, etc., and allow log-on.
Here is where the problem happens: the computer will obtain an IP address from the machine authentication, the user will then log in, perform user auth, get a user role, and change VLAN, but the computer won't release the first address until it is forced, leaving the user in this non-functional state between VLANs.
I can't have the machine auth put the machine in my PCI VLAN; that would pretty much defeat the purpose of having the PCI VLAN. And I must segregate these users into a separate PCI network.
Anyone got any good ideas how to resolve this?
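As an added example, not part of the original post and not ClearPass configuration: a PowerShell logon-time workaround for the host side of the symptom described above, where the PC keeps the lease it got on the machine-auth VLAN after user auth has moved the port to the PCI VLAN. The PCI subnet 10.20.0.0/16, the retry counts and the rule for picking the adapter are assumptions; adjust them to the environment.

```powershell
# Added example (not from the post): host-side workaround for the stale lease the post
# describes. After user auth moves the port to the PCI VLAN, the PC keeps the address it
# got on the machine-auth VLAN until the lease is forced. Run at user logon with
# administrative rights, this checks whether the wired adapter's DHCP address is inside
# the PCI subnet and, if not, releases and renews until it is (or gives up).
#
# Assumed values (hypothetical, not from the post): the PCI user VLAN is 10.20.0.0/16.
$PciNetwork   = '10.20.0.0'
$PciPrefixLen = 16
$MaxAttempts  = 6      # 6 x 10 s gives user auth time to finish before we give up
$DelaySeconds = 10

function Test-InSubnet {
    # True when $Address falls inside $Network/$PrefixLength (IPv4 only).
    param([string]$Address, [string]$Network, [int]$PrefixLength)
    $a = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    $n = [System.Net.IPAddress]::Parse($Network).GetAddressBytes()
    for ($i = 0; $i -lt 4; $i++) {
        # Number of network bits that land in this octet: 8, 0, or something in between.
        $bits = [Math]::Min(8, [Math]::Max(0, $PrefixLength - 8 * $i))
        $mask = (0xFF -shl (8 - $bits)) -band 0xFF
        if (($a[$i] -band $mask) -ne ($n[$i] -band $mask)) { return $false }
    }
    return $true
}

function Get-DhcpIPv4 {
    # The DHCP-assigned IPv4 address on an adapter, or $null if it has none yet.
    param([int]$InterfaceIndex)
    $addr = Get-NetIPAddress -InterfaceIndex $InterfaceIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
            Where-Object { $_.PrefixOrigin -eq 'Dhcp' } | Select-Object -First 1
    if ($addr) { return $addr.IPAddress } else { return $null }
}

function Repair-PciLease {
    # Force release/renew on one wired adapter until its lease is in the PCI subnet.
    # Returns $true if the adapter ended up with a PCI-subnet address.
    param($Adapter)
    for ($try = 1; $try -le $MaxAttempts; $try++) {
        $ip = Get-DhcpIPv4 -InterfaceIndex $Adapter.ifIndex
        if ($ip -and (Test-InSubnet -Address $ip -Network $PciNetwork -PrefixLength $PciPrefixLen)) {
            Write-Host "$($Adapter.Name): $ip is in the PCI subnet; nothing to do."
            return $true
        }
        $shown = if ($ip) { $ip } else { '(no DHCP lease)' }
        Write-Host "$($Adapter.Name): $shown is not in the PCI subnet (attempt $try of $MaxAttempts); forcing release/renew."
        # Release first so the old address is not re-requested on the new VLAN;
        # ipconfig takes the adapter's connection name as its argument.
        ipconfig /release "$($Adapter.Name)" | Out-Null
        ipconfig /renew   "$($Adapter.Name)" | Out-Null
        Start-Sleep -Seconds $DelaySeconds
    }
    Write-Warning "$($Adapter.Name): still not in the PCI subnet after $MaxAttempts attempts."
    return $false
}

# Only physical, connected Ethernet adapters: the port security in question is wired.
$wired = Get-NetAdapter -Physical | Where-Object { $_.Status -eq 'Up' -and $_.MediaType -eq '802.3' }
foreach ($nic in $wired) { $null = Repair-PciLease -Adapter $nic }
```

Deploy it as a logon-triggered scheduled task running with highest privileges (or under SYSTEM), because `ipconfig /release` needs elevation; a plain user logon script will fail silently. Scope the task to the PCI users' group only, since on a non-PCI user's session the loop would just retry until it gives up. The retry window has to cover the gap between the user logging on and user auth completing on the switch; the release/renew is harmless if it fires early, the PC simply reacquires a machine-VLAN lease and the next attempt catches the VLAN change. This treats the host-side symptom only; the machine-auth VLAN still has to be kept out of PCI scope exactly as the post says.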