I have a L3 OOB NAC deployment with AD SSO. Users are mapped to different roles depending on OU membership and then to different VLANs. What happens is that if a user with a certain role logs on to a client and is palced in his VLAN, say VLAN10, and then logs off the PC, the PC stays in VLAN10.
Another user from a different role now comes along and logs onto that same PC stays in that same VLAN, but really needs to move to another VLAN because he/she has a different role.
If the system is rebooted then everything works fine as the SNMP linkdown trap is sent to the NAM.
How can I cause the clients using AD SSO change the role of the port to unauthenticated when they log off the system? I know that this can work with in-band but i don't know if it can be done with OOB.