I am using 802.1X and MAC caching services with web authentication for the wired network. When a client connects to the LAN, a splash page comes up and the client chooses whether they are a guest or in the domain. At this step the client already has an IP address, and after authentication the client gets a new role and a new VLAN. To get a new IP address, I used port bounce.
The problem is, after the switch gets the bounce-port role, it downs/ups the port, but the IP phone's port is still up. Even though the client gets the new role on the switch, the client doesn't release its IP address and doesn't get the new IP address belonging to the new VLAN. How can I solve this? Is there a way to force the computers to get new IP addresses after authentication?
For our clients behind IP phones, we use 802.1X authentication (currently PEAP-MSCHAPv2, moving to EAP-TLS). The client is authenticated before it gets an IP address.
It appears to me that web authentication may be the wrong choice here.
If you use 802.1X authentication for the domain machines, the wired switch can detect whether the client is sending EAP packets. If not, the switch could present the web authentication page. Just a quick idea off the top of my head.
Why are you changing VLANs at all? Why not use a Local User Role, Downloadable User Role, or dACL (if Cisco)? Then you can change to CoA terminate or re-auth so you don't have to bounce the port. If the PC were running a supplicant you could also use 802.1X, and then the PC would be aware of the VLAN change, a much better approach IMHO than wired web redirect.
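The "CoA terminate" the reply above refers to is a RADIUS Disconnect-Request (RFC 5176, code 40) sent from the policy server to the switch on UDP/3799, answered with a Disconnect-ACK (41) or Disconnect-NAK (42). The following is an added example, not code from this thread or from any HPE/Aruba product: it encodes such a request, computes the Request Authenticator exactly as RFC 5176 section 2.3 specifies, and verifies the Response Authenticator on the switch's reply, rejecting a reply built with the wrong shared secret. Nothing is sent on the wire; the shared secret, NAS address, MAC address and Acct-Session-Id are constructed values, and the "switch reply" is built locally to show the check.

```python
"""RFC 5176 Disconnect-Request / Disconnect-ACK / Disconnect-NAK encoder and verifier.

Added illustration for the thread above; not code from the original post or
from any vendor. Values below are constructed for the example.
"""
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
# Attribute types from RFC 2865 / RFC 2866 / RFC 5176
NAS_IP_ADDRESS, CALLING_STATION_ID, ACCT_SESSION_ID, ERROR_CAUSE = 4, 31, 44, 101
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length (authenticator follows, then TLVs)


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """One Type-Length-Value attribute; Length includes the two header octets."""
    if not 1 <= len(value) <= 253:
        raise ValueError("RADIUS attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def decode_attrs(body: bytes) -> list[tuple[int, bytes]]:
    """Walk the TLV list, refusing truncated or zero-length attributes."""
    attrs, pos = [], 0
    while pos < len(body):
        if len(body) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = body[pos], body[pos + 1]
        if length < 2 or pos + length > len(body):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, body[pos + 2:pos + length]))
        pos += length
    return attrs


def build_disconnect_request(secret: bytes, identifier: int, attrs) -> bytes:
    """Policy server (DAC) -> switch (DAS).
    RFC 5176 s2.3: Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    header = HEADER.pack(DISCONNECT_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def build_response(secret: bytes, request: bytes, code: int, attrs=()) -> bytes:
    """Switch (DAS) -> policy server (DAC), same Identifier as the request.
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    header = HEADER.pack(code, request[1], 20 + len(body))
    authenticator = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + authenticator + body


def verify_response(secret: bytes, request: bytes, response: bytes) -> tuple[bool, int, list]:
    """Return (authentic, code, attrs). Anything with a mismatched Identifier,
    inconsistent Length, unexpected Code or wrong authenticator is rejected."""
    if len(response) < 20:
        return False, 0, []
    code, identifier, length = HEADER.unpack(response[:4])
    if identifier != request[1] or length != len(response) or code not in (DISCONNECT_ACK, DISCONNECT_NAK):
        return False, code, []
    body = response[20:]
    expected = hashlib.md5(response[:4] + request[4:20] + body + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return False, code, []
    return True, code, decode_attrs(body)


def demo() -> dict:
    """Build one Disconnect-Request for a PC behind a phone and check three possible replies."""
    secret = b"constructed-shared-secret"  # constructed; a real one comes from the NAS/RADIUS config
    session = [  # constructed session keys; Calling-Station-Id carries the client MAC
        (NAS_IP_ADDRESS, bytes([192, 0, 2, 10])),
        (CALLING_STATION_ID, b"00-11-22-33-44-55"),
        (ACCT_SESSION_ID, b"0000A1B2"),
    ]
    request = build_disconnect_request(secret, identifier=7, attrs=session)
    ack = build_response(secret, request, DISCONNECT_ACK)
    # Error-Cause 503 = "Session Context Not Found" (RFC 5176 s3.5)
    nak = build_response(secret, request, DISCONNECT_NAK, [(ERROR_CAUSE, struct.pack("!I", 503))])
    forged = build_response(b"wrong-secret", request, DISCONNECT_ACK)  # attacker without the secret
    return {
        "request": request,
        "ack": verify_response(secret, request, ack),
        "nak": verify_response(secret, request, nak),
        "forged": verify_response(secret, request, forged),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value.hex() if isinstance(value, bytes) else value)
```

The authenticator is keyed MD5 over the whole packet, so a reply that does not carry the shared secret fails the check even though its Code and Identifier look right; this is the only integrity protection a Disconnect exchange has unless Message-Authenticator (attribute 80) is also required, which is worth turning on for any CoA client facing an untrusted segment.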
The best thing to do in this case: use a dedicated "profiling subnet" with very short DHCP lease times. I am not aware of any other method to force computers to get a new IP address quickly.
© Copyright 2023 Hewlett Packard Enterprise Development LP. All Rights Reserved.