Hi,

Yes. I do that. But that's not what disconnects the port. The Agent Port Bounce, or RADIUS Port Bounce (depends on the switch), disconnects and reconnects the port.

This is needed because if OnGuard (running on Windows) decides a device has transitioned from Healthy to Unhealthy (say, because one of the required services was stopped by a scheduled task), then ClearPass tells the dot1x port to change from the healthy to the unhealthy (quarantine) VLAN.

Herein is the issue. When the port was on VLAN 1 and Healthy, it may have an IP of 10.123.1.100, as assigned by DHCP. When it's gone to Unhealthy, the port is assigned to VLAN 100 (quarantine). Here, an attempt is made to resolve the problem. If the reason was that the anti-virus was out of date, it would be allowed to get to the AV's update device(s) but be prevented from using "healthy" access.

But the issue is that when moved from VLAN 1 to VLAN 100, the NIC still has the 10.123.1.100 (VLAN 1) address, because the DHCP TTL is 8 days (by default in Windows AD DHCP servers). So even though the port is on the correct VLAN, no communication is possible, because the IP can't renew to the proper 10.123.100.100 IP it should have, because the PC's DHCP agent is still holding the old address.

The only way to fix this is to either set the TTL for DHCP very low - like 5 minutes for both VLAN 100 and 1 (which we don't want to do), or unplug and plug the port, then DHCP will work on the new VLAN 100. As we can't really unplug it, setting the "Agent Port Bounce" in the WEBAUTH service will do the same thing.

Many switch vendors allow you to do a RADIUS port bounce, and many switch vendors are already in the RADIUS dictionary. But my small Junipers - while supporting dot1x fine - do not do RADIUS port bounce.

To fix this, we have to run OnGuard as an agent and service, which is an OnGuard setting. The user goes from "Agent" to "Agent & Service" mode after the next user login. Then it will run as a service when the user is logged out. And when the AV or service issue is resolved, the Enforcement Profile will dynamically move the port back to VLAN 1 and port bounce, then the PC port will get the proper DHCP.

You can test this by setting a scheduled task in Windows to disable a service that's required to make a PC Healthy. Make it run when the OnGuard cache expires... so maybe try 4 hours or so after you log off. Disable the service, and see that OnGuard changes the port's VLAN and the device gets the proper DHCP on each VLAN transition.

We reauth all the time, but that just makes dot1x decide if the device should be on whatever VLAN the policy determines. It doesn't actually drop the port's carrier to allow DHCP to renew the port... at least not on my Junipers; the "clear dot1x interface X" also reauths, but the port doesn't flap. Remember the reauth is a RADIUS service, the OnGuard posture assessment is a WEBAUTH service.

Regards,
Ambi
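The test described in the post above (a scheduled task that stops a health-required service a few hours after logoff, then comparing the PC's address on each VLAN transition), written out as an added PowerShell example. This is not code from the original post or from Aruba/ClearPass; the service name, task name and delay are placeholders to adjust for your own posture policy.

```powershell
# Added example (not from the original post): registers a one-shot scheduled task that
# stops a health-required service some hours from now, so the OnGuard Healthy -> Unhealthy
# transition, the VLAN change and the port bounce can be observed on a lab PC.
# Assumptions (placeholders): $ServiceName is a service your OnGuard posture policy requires;
# $DelayHours is chosen to fall after the OnGuard cache expiry (the post suggests ~4 hours).

$ServiceName = 'HealthRequiredService'   # placeholder: service the posture policy checks
$TaskName    = 'OnGuard-Posture-Test'    # placeholder task name
$DelayHours  = 4

# Record the healthy-VLAN address before the transition, for comparison afterwards.
$before = Get-NetIPAddress -AddressFamily IPv4 |
          Where-Object { $_.InterfaceAlias -notlike 'Loopback*' } |
          Select-Object InterfaceAlias, IPAddress, PrefixOrigin
$before | Out-File "$env:ProgramData\$TaskName-before.txt"

# The task itself: stop the service via an elevated PowerShell command.
$action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
           -Argument "-NoProfile -Command `"Stop-Service -Name '$ServiceName' -Force`""
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddHours($DelayHours)

# Run as SYSTEM so the task fires with no user logged on, which is the case the post
# tests (OnGuard in "Agent & Service" mode keeps assessing posture after logoff).
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
                       -Principal $principal -Force

# After the task has fired, compare with the saved file: the interface should now hold a
# quarantine-VLAN lease (10.123.100.x in the post's example) rather than the old VLAN 1 lease.
#   Get-NetIPAddress -AddressFamily IPv4 | Select-Object InterfaceAlias, IPAddress
#   Get-Service -Name $ServiceName    # Stopped until remediated
# Remediate with Start-Service -Name $ServiceName and confirm the port returns to VLAN 1
# and picks up a VLAN 1 lease again; then Unregister-ScheduledTask -TaskName $TaskName.
```

If the address printed after the task fires is still the VLAN 1 lease while the switch shows the port on the quarantine VLAN, you are seeing exactly the stale-lease condition the post describes, which points at the port bounce (Agent or RADIUS) not taking effect on that switch.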