For our clients behind IP phones, we use 802.1X authentication (currently PEAP-MSCHAPv2, moving to EAP-TLS). The client is authenticated before they get an IP address.
It appears to me that webAuthentication may be the wrong choice here.
If you use 802.1X authentication for the domain machines, the wired switch can detect whether the client is sending EAP packets. If not, the switch could present the webAuthentication page. Just a quick idea off the top of my head.
------------------------------
Bruce Osborne ACCP ACMP
Liberty University
The views expressed here are my personal views and not those of my employer
------------------------------
Original Message:
Sent: Jun 02, 2023 05:38 AM
From: remnaz
Subject: Clearpass Wired Solutions - pc behind an IP phone
Hi,
I am using 802.1X and MAC cache services with webAuthentication for the wired network. When a client connects to the LAN, a splash page comes up and the client chooses whether he is a guest or in the domain. At this step the client already has an IP address, and after authentication the client gets a new role and a new VLAN. To get a new IP address, I used port bounce.
The problem is that after the switch gets the bounce port role, it takes the port down/up, but the IP phone's port is still up. Even though the client gets the new role on the switch, the client doesn't release its IP address and doesn't get the new IP address belonging to the new VLAN. How can I solve this? Is there a way to force the computers to get new IP addresses after authentication?