Occasional Contributor II

host doesn't refresh ip after changing vlan 802.1x

Hi everyone,

I have a problem with IP refresh after changing VLAN.
Before a user logs on to the domain, he authenticates the station and gets VLAN x with the IP address 192.168.1.10.
After logging in to the domain and authenticating, he gets VLAN y with the address 192.168.10.10.
Unfortunately, after logging in to the domain, he still has the old address 192.168.1.10. After restarting the network card the user gets the correct address 192.168.10.10.

Any suggestions?

Aruba Employee

Re: host doesn't refresh ip after changing vlan 802.1x

Firstly, most modern PCs expect the interface to go down for almost 10 s before releasing its IP address. If this is wired: the easiest and most reliable method is to use CoA Port-Bounce. ClearPass by default takes the interface down for 12 s; when it comes back up, the new authentication will put it into the correct VLAN.

If this is wireless it is impractical to take the SSID down; invariably the PC will attempt to connect to another available SSID. It is easier not to use VLAN switching but to change the ACLs that dictate what the device can access.

Also, keep in mind that once a PC has got an IP address, when it attempts to refresh that IP it will initially make directed DHCP requests from this PC's IP to the DHCP server's IP. It may be desirable to block DHCP requests in VLAN Y that have a source IP in VLAN X.
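
The renewal behaviour described in the reply above, as an added example that is not from the thread, ClearPass or HPE: a client in RENEWING state fills ciaddr with its current lease and unicasts a DHCPREQUEST from that address, so a filter on the VLAN Y side can recognise a stale VLAN X lease by the source IP or ciaddr alone. The VLAN Y subnet 192.168.10.0/24 is an assumption based on the address in the question; the MAC and packets are constructed for the example.

```python
"""Drop unicast DHCPREQUEST renewals that still carry an address from another VLAN.

Added example, not from the thread. Assumes the VLAN Y subnet is 192.168.10.0/24
and that the filter sees the raw DHCP payload plus the IP source address.
"""
import ipaddress
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2131 options magic cookie
BOOTREQUEST = 1
DHCPDISCOVER, DHCPREQUEST = 1, 3
OPT_MESSAGE_TYPE, OPT_REQUESTED_IP, OPT_END, OPT_PAD = 53, 50, 255, 0


def parse_dhcp(payload: bytes) -> dict:
    """Parse the fixed BOOTP/DHCP header and the option list into a dict."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    op, htype, hlen, hops, xid = struct.unpack("!BBBBI", payload[:8])
    msg = {
        "op": op,
        "xid": xid,
        "ciaddr": ipaddress.IPv4Address(payload[12:16]),   # client's current lease (RENEWING/REBINDING)
        "yiaddr": ipaddress.IPv4Address(payload[16:20]),
        "chaddr": payload[28:28 + hlen],
        "options": {},
    }
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        length = payload[i + 1]
        msg["options"][code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    msg["msg_type"] = msg["options"].get(OPT_MESSAGE_TYPE, b"\x00")[0]
    return msg


def should_drop_renewal(src_ip: str, payload: bytes, vlan_subnet: str) -> bool:
    """True if this is a DHCPREQUEST whose source IP or ciaddr lies outside the VLAN's subnet."""
    net = ipaddress.ip_network(vlan_subnet)
    msg = parse_dhcp(payload)
    if msg["op"] != BOOTREQUEST or msg["msg_type"] != DHCPREQUEST:
        return False   # DISCOVER (and everything else) passes: that is the traffic we want to see
    unspecified = ipaddress.IPv4Address("0.0.0.0")
    claimed = {ipaddress.IPv4Address(src_ip), msg["ciaddr"]} - {unspecified}
    # A broadcast REQUEST from 0.0.0.0 (INIT-REBOOT) is left alone: the server NAKs it
    # and the client falls back to DISCOVER, which is exactly the outcome we want.
    return any(addr not in net for addr in claimed)


def build_dhcp_request(msg_type: int, ciaddr: str, mac: bytes, xid: int = 0x2A3B4C5D) -> bytes:
    """Construct a minimal DHCP client packet (test input only, not a real capture)."""
    pkt = struct.pack("!BBBBIHH", BOOTREQUEST, 1, 6, 0, xid, 0, 0)
    pkt += ipaddress.IPv4Address(ciaddr).packed          # ciaddr
    pkt += b"\x00" * 12                                   # yiaddr, siaddr, giaddr
    pkt += mac.ljust(16, b"\x00")                         # chaddr
    pkt += b"\x00" * (64 + 128)                           # sname, file
    pkt += DHCP_MAGIC
    pkt += bytes([OPT_MESSAGE_TYPE, 1, msg_type, OPT_END])
    return pkt


if __name__ == "__main__":
    mac = bytes.fromhex("001122334455")   # constructed
    stale = build_dhcp_request(DHCPREQUEST, "192.168.1.10", mac)
    print(should_drop_renewal("192.168.1.10", stale, "192.168.10.0/24"))   # stale VLAN X lease seen in VLAN Y
    fresh = build_dhcp_request(DHCPDISCOVER, "0.0.0.0", mac)
    print(should_drop_renewal("0.0.0.0", fresh, "192.168.10.0/24"))        # DISCOVER is let through
```

Dropping the unicast renewal forces the client through the full DISCOVER/OFFER cycle on VLAN Y. The same decision can be expressed as a per-VLAN ACL on the switch; the script is the logic the ACL has to implement, not a switch configuration.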

Occasional Contributor II

Re: host doesn't refresh ip after changing vlan 802.1x

There is a wired connection.
Unfortunately, from the Access Tracker I cannot use the CoA action; it is not available. Therefore I cannot use the VLAN change action in the enforcement policy as CoA. The VLAN change policy using CoA will not work.

I will add that I have Insight enabled, the RADIUS CoA option is enabled on the switch, and the port is set to 3799.

I have a Clearpass cluster.


Re: host doesn't refresh ip after changing vlan 802.1x

Do Switch and ClearPass have the same time?

Did you configure it this way on the Switch:

https://techhub.hpe.com/eginfolib/networking/docs/switches/WB/15-18/5998-8152_wb_2920_asg/content/ch06s04.html#s_Configuring_the_switch_to_access_a_RADIUS_server

dyn-authorization

Is CoA enabled in the ClearPass for the Network Device?

Occasional Contributor II

Re: host doesn't refresh ip after changing vlan 802.1x

Clearpass and Switch have the same time.

The following options are set on the switch:

radius-server host 192.168.1.2 key "password for radius"
radius-server host 192.168.1.2 dyn-authorization
radius-server host 192.168.1.2 time-window 0

CoA is enabled on the switch in CPPM.

[attachment: device.png]

The Framed IP address in the accounting section is empty. (I hid the NAS IP address.)

[attachment: accounting.png]


Re: host doesn't refresh ip after changing vlan 802.1x

ip client-tracker trusted

DHCP snooping enabled?

Occasional Contributor II

Re: host doesn't refresh ip after changing vlan 802.1x

DHCP snooping and ip client-tracker trusted are not configured.

Aruba Employee

Re: host doesn't refresh ip after changing vlan 802.1x

So it looks like you have a problem with CoA.

When the authentication request comes in, are you seeing the Radius:IETF:NAS-IP-Address?

This will be used as the IP address to send the CoA to.

Is it correct?

You need the times on the switch and ClearPass to be within 5 minutes

Can you initiate a manual CoA from AccessTracker?

Is the CoA request packet being received by the switch?
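
An added diagnostic example for the questions in the reply above (not from the thread, ClearPass or HPE): it builds the RFC 5176 Disconnect-Request that ClearPass would send to the switch's NAS-IP-Address on UDP 3799, performs the checks the switch performs on receipt (Request Authenticator, Message-Authenticator, Event-Timestamp against a 5-minute window), and validates the ACK or NAK that comes back. The shared secret is the one from the radius-server line; the switch address 192.168.1.1, user name and session ID are constructed values. With a real switch address, send_request shows whether the packet is acknowledged or silently dropped.

```python
"""Build, verify and optionally send an RFC 5176 Disconnect-Request to a switch.

Added example, not from the thread or from ClearPass. Switch IP, user and
session values are constructed; the secret and port come from the thread.
"""
import hashlib
import hmac
import ipaddress
import socket
import struct
import time

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_ACK, COA_NAK = 44, 45
ATTR_USER_NAME, ATTR_NAS_IP, ATTR_NAS_PORT = 1, 4, 5
ATTR_ACCT_SESSION_ID, ATTR_EVENT_TIMESTAMP, ATTR_MESSAGE_AUTHENTICATOR = 44, 55, 80
ZERO16 = b"\x00" * 16


def avp(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value; Length includes the 2-byte header."""
    if not 0 < len(value) <= 253:
        raise ValueError("bad attribute length")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(packet: bytes) -> dict:
    """Return {type: value} for the attributes after the 20-byte header."""
    attrs, i = {}, 20
    while i + 2 <= len(packet):
        t, length = packet[i], packet[i + 1]
        if length < 2 or i + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[t] = packet[i + 2:i + length]
        i += length
    return attrs


def build_request(code: int, identifier: int, attrs: bytes, secret: bytes) -> bytes:
    """CoA/Disconnect-Request with Message-Authenticator and Request Authenticator."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs) + 18)
    # Message-Authenticator: HMAC-MD5 over the packet with the authenticator
    # field and the attribute's own value both set to zeros.
    body = attrs + avp(ATTR_MESSAGE_AUTHENTICATOR, ZERO16)
    ma = hmac.new(secret, header + ZERO16 + body, hashlib.md5).digest()
    body = attrs + avp(ATTR_MESSAGE_AUTHENTICATOR, ma)
    # RFC 5176 section 2.3: MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    req_auth = hashlib.md5(header + ZERO16 + body + secret).digest()
    return header + req_auth + body


def disconnect_request(identifier, user, nas_ip, nas_port, session_id, secret, now=None):
    """Disconnect-Request keyed on the session the switch reported in accounting."""
    now = int(time.time()) if now is None else now
    attrs = (avp(ATTR_USER_NAME, user.encode())
             + avp(ATTR_NAS_IP, ipaddress.IPv4Address(nas_ip).packed)
             + avp(ATTR_NAS_PORT, struct.pack("!I", nas_port))
             + avp(ATTR_ACCT_SESSION_ID, session_id.encode())
             + avp(ATTR_EVENT_TIMESTAMP, struct.pack("!I", now)))
    return build_request(DISCONNECT_REQUEST, identifier, attrs, secret)


def verify_request(packet: bytes, secret: bytes) -> bool:
    """What the switch does on receipt: a wrong secret fails here and is dropped silently."""
    header, req_auth, body = packet[:4], packet[4:20], packet[20:]
    if not hmac.compare_digest(hashlib.md5(header + ZERO16 + body + secret).digest(), req_auth):
        return False
    ma = parse_attrs(packet).get(ATTR_MESSAGE_AUTHENTICATOR)
    if ma is None:
        return False
    zeroed = body.replace(avp(ATTR_MESSAGE_AUTHENTICATOR, ma), avp(ATTR_MESSAGE_AUTHENTICATOR, ZERO16), 1)
    return hmac.compare_digest(hmac.new(secret, header + ZERO16 + zeroed, hashlib.md5).digest(), ma)


def within_time_window(packet: bytes, now: int, window: int = 300) -> bool:
    """Switch-side Event-Timestamp check; the 5-minute skew limit from the thread is the default."""
    ts = parse_attrs(packet).get(ATTR_EVENT_TIMESTAMP)
    return ts is not None and abs(struct.unpack("!I", ts)[0] - now) <= window


def verify_reply(request: bytes, reply: bytes, secret: bytes) -> bool:
    """ACK/NAK check: Identifier matches the request and the Response Authenticator is valid."""
    if len(reply) < 20 or reply[1] != request[1]:
        return False
    code, _, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or code not in (DISCONNECT_ACK, DISCONNECT_NAK, COA_ACK, COA_NAK):
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def simulated_reply(request: bytes, secret: bytes, code: int = DISCONNECT_ACK) -> bytes:
    """The reply a correctly configured switch sends (constructed so the example runs offline)."""
    header = struct.pack("!BBH", code, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def send_request(packet: bytes, switch_ip: str, port: int = 3799, timeout: float = 3.0):
    """UDP send; None means the switch stayed silent (bad secret, no dyn-authorization,
    or the packet never reached the NAS-IP-Address the switch reported)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (switch_ip, port))
        try:
            return s.recv(4096)
        except socket.timeout:
            return None


if __name__ == "__main__":
    secret = b"password for radius"                      # from the radius-server line in the thread
    req = disconnect_request(1, "DOMAIN\\user", "192.168.1.1", 5, "0001A2B3", secret)  # constructed values
    print("valid on switch side:", verify_request(req, secret))
    print("ACK valid:", verify_reply(req, simulated_reply(req, secret), secret))
    # Live check against the real switch: reply = send_request(req, "192.168.1.1")
```

A silent timeout from send_request is the same symptom as the thread's: the switch drops a request whose authenticator does not match its configured key, whose Event-Timestamp is outside its time window, or that arrives when dyn-authorization is not enabled, and sends nothing back.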

Occasional Contributor II

Re: host doesn't refresh ip after changing vlan 802.1x

After enabling the ip client-tracker trusted option, I see the IP addresses from the switch (show port-access clients).
Unfortunately, when logging in to the domain, the IP address doesn't refresh and the IP address field displays n/a in the list of authenticated clients.

During the authentication request, I see the correct IP address in the Radius:IETF:NAS-IP-Address field.

From the Access Tracker, I can't manually initiate a CoA action because the field is inactive.

[attachment: accesstracker.png]

The question is why I can't use this option?


Re: host doesn't refresh ip after changing vlan 802.1x

What type of switch and which firmware are you using?

Is the correct Radius Vendor name configured?
