"I have a friend" ( :-) ) for whom I want to deploy NAC OOB L3.
Why this one? Because he has a central location and a few branches (a few more, actually), and these branches are 2 L3 hops from the center. More specifically, there is an L3 switch as a gateway for the branch LAN users and, after that, a router that connects to the center (GRE/IPsec).
The question is, and I did not manage to find or figure out by myself: is it mandatory to use a DHCP server for allocating IPs to clients (for all of their states: unauthenticated, authenticated, permitted, etc.)?
If not, how should it be done?
Second: if it is mandatory, should it work only with a centrally deployed DHCP server, or can I use the L3 switch in every branch as a DHCP server?
Thank you for your patience.
DHCP is required for L3 OOB real-IP gateway, since the system will need to get a new address when it is switched to the authorization VLAN and then again, after the posture process, when it is switched back to its "normal" VLAN.
As for the DHCP server, you can use either a central server, have a local switch provide the addresses or a combination of both.
In our install, the local switch is the DHCP server for the auth VLAN and a local server is used for the access VLAN.
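As an added illustration of the split described in the answer (not configuration from the thread or from either poster): a branch L3 switch running Cisco IOS serves the authentication VLAN from its own DHCP pool and relays the access VLAN to a separate DHCP server, which can be central or local. VLAN numbers, subnets and the server address are assumed for the example.

```cisco
! Branch L3 switch: local DHCP for the NAC auth VLAN, relay for the access VLAN.
! Assumed values (not from the thread): VLAN 110 = auth VLAN (10.110.0.0/24),
! VLAN 10 = access VLAN (10.10.0.0/24), DHCP server for VLAN 10 at 10.1.0.10,
! DNS at 10.1.0.20.
!
ip dhcp excluded-address 10.110.0.1 10.110.0.10
!
ip dhcp pool NAC-AUTH-VLAN110
 network 10.110.0.0 255.255.255.0
 default-router 10.110.0.1
 dns-server 10.1.0.20
 ! Short lease (10 minutes): a client only stays in the auth VLAN until
 ! posture succeeds, so stale addresses are not held after it moves.
 lease 0 0 10
!
interface Vlan110
 description NAC authentication VLAN - addresses served by this switch
 ip address 10.110.0.1 255.255.255.0
!
interface Vlan10
 description NAC access VLAN - DHCP relayed to the access-VLAN server
 ip address 10.10.0.1 255.255.255.0
 ip helper-address 10.1.0.10
!
```

`show ip dhcp binding` on the switch lists the auth-VLAN leases, which is the quickest way to confirm that clients re-address after the VLAN switch; the lease length is a tuning choice for the example, not a value from the thread.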