I know this is a bit of an old thread, so perhaps you already figured this out, but I'm in the process of working on the same thing, so I thought I would share what I have found.

In testing, I set up Win10 workstations with 802.1x settings for "Computer or User Authentication". I have found that an RDP connection will trigger the computer to move to the "Computer Authentication" context. So, if nobody is logged in, but the computer has successfully authenticated to the network with 802.1x, then the RDP session will succeed, but the VLAN assignment will not change. As far as Clearpass/Switch are concerned, the computer is still logged in as the Computer account, not the user.

If a user is already logged in, even if it's the same user, upon RDP connect the session will be dropped because the computer shifts back to Computer Authentication, and the VLAN changes back to the appropriate VLAN for the Computer authentication portion.

With the Covid pandemic still a thing, a lot of us are still in a hybrid work mode (we use a secure RDP gateway for our remote workers, as opposed to VPN), so this obviously requires some additional planning / consideration.
In our case, we are going to use Clearpass to sort of make a special set of "Remote Worker" machines that stay natively in the same VLAN as the worker is expected to be in when they log in. This should prevent the VLAN shift that we have seen. It's not ideal, but we're working on restricting the users who may log into a computer by using the Windows Active Directory infrastructure, rather than doing it from the network side. Hope this helps you (or whoever finds this).
Tech notes about our setup:
- Clearpass version 6.10.3
- Aruba 5400R series switches running KB.16.05.007